question

Freppys-6680 asked MichaelEmerson-7779 commented

Native iOS Mail app not working with MFA

Hi,

I am receiving this in the Mail app after configuring it on my iPhone's native Mail app, having enabled MFA via Conditional Access.
Tried removing and re-adding it, without success.

Outlook iOS app works. But I prefer using native mail app.

Any ideas?

See settings of the policy.

Tags: azure-ad-multi-factor-authentication, azure-ad-privileged-identity-management

PaD-7009 answered

You are saying that whether or not you have a CA policy, you are not able to access email on the iOS native app, right?

This makes me think this restriction is coming from the Exchange admin side. Check your Exchange admin center or ask your Exchange admin:

Exchange admin center > mobile

Freppys-6680 answered Freppys-6680 commented

Hi @PaD-7009
Thanks for your comment.
Sorry if I wasn't clear.

The native iOS mail app is working without MFA enabled. But when I enabled MFA via conditional access it doesn't work.


Are you on Exchange Onprem or Online?


Exchange Online.

SingKitCheng-6453 answered Freppys-6680 commented

iOS native mail app doesn't support MFA.


Hi,
I have solved this.

It actually does now. However, you need to grant permission as admin to the tenant for the iOS App in Azure > Apps to get it to work.
I am running iOS Mail native app with MFA enabled.

SingKitCheng-6453 answered Freppys-6680 commented

Hi Freppys,

It's a sneaky deal. See, we use Azure Sentinel to alert us on risky business. Just yesterday we had a user who did the same thing: set up iOS native mail for work email. I received an alert today about this. The alert title is: "Suspicious application consent for offline access." The description of the alert is: "This will alert when a user consents to provide a previously-unknown Azure application with offline access via OAuth. Offline access will provide the Azure App with access to the listed resources without requiring two-factor authentication. Consent to applications with offline access and read capabilities should be rare, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome! For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities."
So, it looks like what's happening is that you grant permission to iOS native mail to download emails for offline access, so MFA is actually bypassed. My opinion is that MFA is a very strong protection, so we shouldn't bypass it. I just told my user to switch to the Outlook app for security reasons. Just my opinion though.

Thanks
Kit


Yeah, it's a bit tricky.
It is really a question of how strong MFA should be, on a scale.
I run Outlook only, as you do, for a few of my clients, with all third-party apps disabled. However, some clients want to use iOS, and this is, in my opinion, the way to do it "as secure as possible" for their needs. Of course, all options were explained before enabling it :)

Cheers

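The Sentinel alert Kit describes above keys on "Consent to application" audit entries that grant offline_access plus a read scope to an app outside a known-applications list. The following is an added example, not code from the thread or from Microsoft's rule: it applies that same detection logic in Python to constructed, simplified audit-log records (the record shape, the allowlist and the app names are assumptions).

```python
"""Flag OAuth consents granting offline_access to apps outside an allowlist.

The records below are constructed and simplified to resemble Azure AD
'Consent to application' audit entries; they are not real tenant data.
"""
import re

# Assumed allowlist of apps the team has already reviewed (the rule's
# knownApplications idea); anything else with offline_access is reported.
KNOWN_APPLICATIONS = {"Microsoft Office", "Microsoft Teams", "Outlook Mobile"}

# Read-type scopes that, combined with offline_access, let an app pull
# data later without an interactive (MFA-protected) sign-in.
READ_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Contacts.Read",
               "Calendars.Read", "Files.Read", "User.Read.All"}

def _record(app, scopes, result="success", user="alice@contoso.example"):
    """Build one constructed audit record in the assumed shape."""
    perms = f"[] => [[Id: 1, ConsentType: Principal, Scope: {scopes}, ExpiryTime: ]]"
    return {"OperationName": "Consent to application", "Result": result,
            "InitiatedBy": user,
            "TargetResources": [{"displayName": app, "modifiedProperties": [
                {"displayName": "ConsentAction.Permissions", "newValue": perms}]}]}

CONSTRUCTED_AUDIT_LOGS = [
    _record("iOS Accounts", "offline_access Mail.ReadWrite Contacts.Read"),   # hit
    _record("Microsoft Teams", "offline_access User.Read.All"),                # allowlisted
    _record("Survey Widget", "User.Read"),                                     # no offline_access
    _record("iOS Accounts", "offline_access Mail.Read", result="failure"),     # consent failed
]

SCOPE_RE = re.compile(r"Scope:\s*([^,\]]+)")

def granted_scopes(record):
    """Extract the space-separated scope list from ConsentAction.Permissions."""
    for target in record.get("TargetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") == "ConsentAction.Permissions":
                match = SCOPE_RE.search(prop.get("newValue", ""))
                if match:
                    return set(match.group(1).split())
    return set()

def suspicious_offline_consents(records):
    """Return (user, app, scopes) for successful offline_access consents to unknown apps."""
    hits = []
    for rec in records:
        if rec.get("OperationName") != "Consent to application" or rec.get("Result") != "success":
            continue
        app = rec["TargetResources"][0]["displayName"]
        scopes = granted_scopes(rec)
        if "offline_access" in scopes and scopes & READ_SCOPES and app not in KNOWN_APPLICATIONS:
            hits.append({"user": rec["InitiatedBy"], "app": app, "scopes": sorted(scopes)})
    return hits
```

Running it over the constructed records reports only the successful iOS Accounts consent; review such hits against the admin-consent decision Freppys describes rather than treating them as noise.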
Lt-Columbo answered Freppys-6680 edited

Hi @Freppys-6680,

Could you please explain in more detail how to grant tenant permission for iOS app in Azure AD.
Were there any issues afterwards?


Hi,
First of all, there are two different error messages with the iOS mail app if you have enabled MFA.
For the one in this thread, you will probably just have to delete the account from the iPhone and add it again.
Still not working? There might be a setting enabled which restricts 365 access to third-party apps like iOS/Apple.

To consent for everyone to run iOS apps, you will have to go to Azure portal > Applications > iOS or Apple Internet Accounts > Consent and enable it for everyone to run the iOS app, as global admin, by pressing the blue button.
They will still have to enter MFA info the first time they set it up in the mail settings.

Haven't had any issues at all. Enabled it for multiple tenants.

This is the setup I run, which disables third-party apps unless you consent to them as admin for the users, as you might want for the iOS and Samsung mail apps. And MFA enabled via conditional access.
MichaelEmerson-7779 answered MichaelEmerson-7779 commented

Our users simply removed the existing Exchange account under the iPhone Settings and re-added it. MFA kicked in and things are working fine.


Yes, very simple solution. Multiply this by how many workers a company has and what do you get? Nothing. How are we supposed to do this for 500 workers?

Granted, we are a small company and only a handful have iPhones. However, this is not a complicated fix, and could easily be handled in an Email to affected users for them to do it themselves.

Per a quick search, iPhone accounts for 53% of the market share (so, cut your 500 roughly in half). This is a fairly straightforward fix, so 90% of users could handle it themselves with only the Emailed instructions for iPhone (basing this off of a roughly 90% success rate with the desktop/laptop instructions that we sent). Your number is now down to 25, which is certainly very reasonable.

Just my opinion, YMMV.
