question

JasonKowalczyk-7977 asked · 1 vote

Hybrid Migration - Mobile devices quarantine automatically

We are performing a hybrid migration to 365 from Exchange 2013. We are still in testing phases moving test mailboxes. Whenever we move a mailbox that has a mobile device connected that device goes to quarantine. When we allow the mobile device it goes back to quarantine after briefly showing us "access granted - Pending"

In powershell we see, deviceaccessstate: Allowed - Yet in the gui it's quarantined. Currently, for testing, we have no mobile device policies that would be quarantining, i'm just looking for it to work at this point.

I'm guessing this has something to do with the Azure Security default being enabled, but i'm also unwilling to just disable them. Unless it's the only way and i can clearly define why

Currently I have a around 200 users, mostly Business Standard and Business Basic. But... i do have a couple powerusers licensed E5. So I'm not really licensed for conditional access policies, not in any widespread meaningful way.

We have a case open with Microsoft, but it's been radio silence since Friday.. leaving us stalled. If anyone has any ideas. I've attached multiple screenshots below PowerShell and Gui.

Attachment: ps1.png (PowerShell output screenshot)

Tags: azure-active-directory, office-exchange-server-connectivity, office-exchange-hybrid-itpro
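The question reports that PowerShell shows DeviceAccessState: Allowed while the admin center shows the device quarantined. The following script is an added example, not something posted in this thread, that gathers the settings an admin would compare before accepting a "remove and re-add the account" workaround. It assumes an Exchange PowerShell session; the mailbox address is a placeholder. In a hybrid deployment the on-premises organization and Exchange Online each keep their own ActiveSync organization settings and device access rules, so the same commands should be run in the Exchange Management Shell on-premises and in an Exchange Online session and the results compared.

```powershell
# Added example (not from the thread): compare what Exchange reports for a migrated
# user's mobile devices with the org-wide ActiveSync defaults and per-mailbox lists.
# Assumes an Exchange Online session (Connect-ExchangeOnline from the
# ExchangeOnlineManagement module) or an on-premises Exchange Management Shell.
$Mailbox = 'testuser@contoso.example'   # placeholder, replace with the migrated mailbox

# 1. Org-wide default: if DefaultAccessLevel is Quarantine, every device that no
#    access rule or per-mailbox allow list covers lands in quarantine.
Get-ActiveSyncOrganizationSettings | Select-Object DefaultAccessLevel, AdminMailRecipients

# 2. Device access rules that can override the default for a device family or model.
Get-ActiveSyncDeviceAccessRule | Select-Object Name, QueryString, Characteristic, AccessLevel

# 3. Per-mailbox view. DeviceAccessStateReason explains where the state comes from:
#    Global = org default, Individual = per-mailbox allow/block list,
#    DeviceRule = an access rule, Policy = the mobile device mailbox policy.
$devices = Get-MobileDeviceStatistics -Mailbox $Mailbox
$devices | Select-Object DeviceFriendlyName, DeviceType, DeviceId, DeviceAccessState,
    DeviceAccessStateReason, LastSuccessSync, LastSyncAttemptTime, Status

# 4. Per-mailbox allow/block lists as stored on the CAS mailbox object.
Get-CASMailbox -Identity $Mailbox |
    Select-Object ActiveSyncEnabled, ActiveSyncAllowedDeviceIDs, ActiveSyncBlockedDeviceIDs

# 5. Allow one device for this mailbox only, appending to the existing allow list
#    rather than replacing it (replacing would silently drop other allowed devices).
function Approve-MobileDevice {
    param(
        [Parameter(Mandatory)] [string]$Mailbox,
        [Parameter(Mandatory)] [string]$DeviceId
    )
    $cas = Get-CASMailbox -Identity $Mailbox
    $allowed = @($cas.ActiveSyncAllowedDeviceIDs) + $DeviceId | Select-Object -Unique
    Set-CASMailbox -Identity $Mailbox -ActiveSyncAllowedDeviceIDs $allowed
}

# Example call (commented out so the script is read-only by default):
# Approve-MobileDevice -Mailbox $Mailbox -DeviceId $devices[0].DeviceId
```

If step 3 shows DeviceAccessState Allowed with reason Individual in one environment while the other environment's DefaultAccessLevel is Quarantine and has no matching rule or allow-list entry, the device is being evaluated by both sides during the transition, which matches the "Allowed, then quarantined again" behaviour described in the question.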

AndyDavid answered · 1 vote

Yea, I would say its the security Defaults which enforce MFA and block basic authentication.

If a new profile is created on the phone or you use Outlook Mobile, does it work?


If a new profile is created on the phone or you use Outlook Mobile, does it work?


Yeah, that is the workaround right now: delete the account from the mobile device and then re-add it.

(Jason and I are working together on this one)
0 Votes 0 ·

Yep, that's the way to force it to use modern auth. At least you have your solution now! :)

1 Vote 1 ·

Thank you for your input.

We are looking for a more scalable solution as another migration we will be doing will be over 3000 users and hybrid migration has always worked before. We had the same issue with the Outlook Client but there is a registry entry to force modern auth for autodiscover.

Reference: https://social.technet.microsoft.com/wiki/contents/articles/37418.office-365-credential-prompts-after-migration.aspx

0 Votes 0 ·
LucasLiu-MSFT answered · 0 votes

Hi @JasonKowalczyk-7977 ,
Yes, Azure Security default may affect mobile devices. According to similar situations in the past, as Andy said, reconfiguring the account profile is a very effective way.

For how to set the login behavior of different versions of Office client apps, this official article gives detailed registry keys and their impact. Please refer to: How modern authentication works for Office 2013, Office 2016, and Office 2019 client apps



If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

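The answer above points at the Microsoft article on the registry keys that control modern authentication in Office clients. As an added example (not part of the answer or the linked article), the function below reads those keys for the current user so an admin can confirm the client-side state before chasing a server-side cause. It assumes the documented values: Office 2013 (the 15.0 hive) needs both EnableADAL=1 and Version=1 under HKCU\Software\Microsoft\Office\15.0\Common\Identity, while Office 2016/2019 (the 16.0 hive) uses modern auth by default and only EnableADAL=0 turns it off.

```powershell
# Added example (not from the thread): report the per-user Office modern-auth
# (ADAL) registry switches. Office 2013 (15.0) needs EnableADAL=1 and Version=1;
# Office 2016/2019 (16.0) is on by default and only EnableADAL=0 disables it.
function Get-OfficeModernAuthState {
    foreach ($ver in '15.0', '16.0') {
        $key = "HKCU:\Software\Microsoft\Office\$ver\Common\Identity"
        $enable  = $null
        $version = $null
        $present = Test-Path $key
        if ($present) {
            $props   = Get-ItemProperty -Path $key
            $enable  = $props.EnableADAL   # $null when the value is absent
            $version = $props.Version
        }
        if ($ver -eq '15.0') {
            # Office 2013: modern auth is opt-in and needs both values set to 1.
            $modernAuth = ($enable -eq 1 -and $version -eq 1)
        } else {
            # Office 2016/2019: enabled unless explicitly set to 0.
            $modernAuth = ($null -eq $enable -or $enable -ne 0)
        }
        [pscustomobject]@{
            OfficeVersion = $ver
            KeyPresent    = $present
            EnableADAL    = $enable
            Version       = $version
            ModernAuth    = $modernAuth
        }
    }
}

Get-OfficeModernAuthState | Format-Table -AutoSize
```

Run it in the migrated user's own session (the keys live under HKCU). A row for 16.0 with KeyPresent False and ModernAuth True is the normal default for Office 2016/2019; a 15.0 row with ModernAuth False on an Office 2013 client explains basic-auth prompts after the mailbox moves.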

Yes, Azure Security default may affect mobile devices. According to similar situations in the past, as Andy said, reconfiguring the account profile is a very effective way

Thanks for the reply, it's very much appreciated.

There really is no way to have mobile devices automatically connect to the migrated mailbox? Each user will be required to remove the account from mobile, then re-add it as we migrate them?

I'm guessing if the mobile devices were using the Outlook app this would be a non-issue. It's the native ActiveSync applications that are affected by this?


If we were to set up Modern Auth on the on-premises server, would that allow the mobile devices, using native ActiveSync applications, to seamlessly transition to the cloud mailbox when migrated?

I'm really trying to avoid having each user re-connect their mobile devices. The environment doesn't include MDM (yet)

References: configure-exchange-server-for-hybrid-modern-authentication, hybrid-modern-auth-overview


0 Votes 0 ·

Even with an MDM solution, I don't think it's going to be seamless. Mobile devices just don't have that flexibility. I think you'll have to recreate those profiles.
Outlook Mobile wouldn't have this issue since you would most likely be using Modern Auth already with them. (Even though it's supported, the feature set is pretty bad with basic auth.)

1 Vote 1 ·

Ok, it's just, "it is what it is"

Thanks again!

0 Votes 0 ·

Hi @CraigMolnar-6457 ,
Yes, according to my tests in my lab environment. Sometimes when I migrate a mailbox from on-premises Exchange to Exchange Online, the mailbox on the mobile device will not be updated until I reconfigure the account or profile. This is one of the situations caused by migration. In short, it can't guarantee a "perfectly seamless connection".



0 Votes 0 ·