3 Votes
AlexanderHenket-6641 asked tech-0880 published

iOS 14 + Mail/Calendar + Multi Factor Authentication fails

As of iOS 14 I am unable to use Mail/Calendar for our Office365 business account because iOS Settings fails for Multi Factor Authentication (MFA).

All Microsoft apps work fine on MFA, so I temporarily fell back to Microsoft Outlook.app on iOS. Also using mobile Safari I can go to outlook.com no problem.

When I use iOS Settings > Mail > Accounts however the procedure takes me to microsoftonline.com which redirects into the regular company site, which redirects into microsoftonline.com to show me the attached screen. [would love to upload picture but upload feature is broken here] -- The 'error' says "Administrator approval required for Apple Internet Accounts"

I noticed that iOS beta 6 fixed something in OAuth/Exchange, but for me that did not solve the issue. Anyone else experiencing this?

Removal and recreation of account in Microsoft Authenticator did not help. My sysops initially told me that the problem is in an incompatibility between Apple Internet Accounts OAuth behavior under iOS 14 and Microsoft Intune. With the final release of iOS 14 around the corner it sounds important to have that fixed at either end.

mem-intune-enrollment
· 7

Seems like a widespread issue as I am seeing it at my company as well. We actually opened up a case with Apple instead of Microsoft but I am sure we will loop in MS at some point. Seems like some users are able to turn off Cross track and the other security settings in Settings > Safari and then sign in again. While others are reporting they needed to delete their account and try to add it back in multiple times in order for it to work. Someone at Apple said: One thing to be on the lookout for: iOS and iPadOS use randomized MAC addresses for privacy now. Can disable manually in Settings on a per network basis or via MDM. So if your network expects certain MAC addresses you may have trouble.

Just thought I’d share. Good luck!

2 Votes 2 ·

If I saw this earlier I would not have upgraded. Public release and now no access to Corp email.

1 Vote 1 ·

What was the fix for this? I have an end user with iOS 14.1.

0 Votes 0 ·

Managed to fix it by adding the admin consent in AAD (https://docs.microsoft.com/answers/answers/104889/view.html gave the hint)

The name somehow changed from 'iOS Accounts' to 'Apple Internet Accounts' afterwards and users on iOS 14 are now able to connect.

0 Votes 0 ·

In my tenant, I can see "iOS Accounts" but not "Apple Internet Accounts". Guess why? Admin consent to "iOS Accounts" is not enabling users to configure iOS apps like mail and calendar. They are getting the message "Unable to verify account information".
Even generating app passwords, they still get the same message.

0 Votes 0 ·
tech-0880 NicolasAverseng-3589 ·

THANK YOU!! This worked for me as well.

0 Votes 0 ·

I'm not sure which step (or both) made it work but here is what I did and now iPad is able to add an account and receive email when it previously didn't. iPad is iOS 14.2.

First step:
1. Sign into Azure AD as an admin, navigate to Enterprise Applications and click on iOS Accounts.
2. In iOS Accounts Overview, click Permissions (in the Security section).
3. Click "Grant admin consent for <company name>".

Second step:
1. On iPad, install either Chrome or Edge.
2. Make Chrome/Edge the default browser.
   A. Open Settings on your iPad.
   B. Swipe down to find the third-party browser you’d like to set as the default.
   C. Choose Default Browser App.
   D. Tap either Chrome/Edge.
   E. Do not restart device.
3. Go to iPad Mail app and add account. This time the Auth request will open Chrome/Edge where the authentication is allowed to complete.
4. Change default browser back to desired default.




0 Votes 0 ·
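Added example (not from any poster or from Microsoft): the admin-consent step described in the comment above is recorded in Microsoft Graph as an `oauth2PermissionGrants` entry with `consentType` `AllPrincipals` on the application's service principal, while a single user's consent is recorded as `Principal`. The Python below classifies exported grants for the "iOS Accounts" / "Apple Internet Accounts" application; the ids, users and scope strings are constructed sample values.

```python
import json

# Both display names reported in this thread for the same enterprise application.
APP_NAMES = {"iOS Accounts", "Apple Internet Accounts"}

# Constructed sample of GET /v1.0/servicePrincipals (ids are placeholders).
SERVICE_PRINCIPALS = json.loads("""[
  {"id": "sp-1", "displayName": "iOS Accounts"},
  {"id": "sp-2", "displayName": "Unrelated App"}
]""")

# Constructed sample of GET /v1.0/oauth2PermissionGrants: two users consented
# individually; nobody has granted tenant-wide (admin) consent to sp-1 yet.
GRANTS_BEFORE = json.loads("""[
  {"clientId": "sp-1", "consentType": "Principal", "principalId": "user-a",
   "scope": "EWS.AccessAsUser.All offline_access"},
  {"clientId": "sp-1", "consentType": "Principal", "principalId": "user-b",
   "scope": " EWS.AccessAsUser.All"},
  {"clientId": "sp-2", "consentType": "AllPrincipals", "principalId": null,
   "scope": "User.Read"}
]""")

# Same tenant after "Grant admin consent": one AllPrincipals grant is added.
GRANTS_AFTER = GRANTS_BEFORE + [
    {"clientId": "sp-1", "consentType": "AllPrincipals", "principalId": None,
     "scope": "EWS.AccessAsUser.All"}]

def consent_report(service_principals, grants, names=APP_NAMES):
    """Summarise admin vs per-user delegated grants for the named apps."""
    report = {}
    for sp in service_principals:
        if sp["displayName"] not in names:
            continue
        admin, per_user = set(), {}
        for g in grants:
            if g["clientId"] != sp["id"]:
                continue
            scopes = set((g.get("scope") or "").split())
            if g["consentType"] == "AllPrincipals":
                admin |= scopes
            else:
                per_user.setdefault(g["principalId"], set()).update(scopes)
        report[sp["displayName"]] = {
            "tenant_wide": bool(admin),
            "admin_scopes": sorted(admin),
            # Users holding scopes that the admin grant does not cover.
            "users_beyond_admin": sorted(
                u for u, s in per_user.items() if not s <= admin),
        }
    return report
```

Running `consent_report` before and after the portal change shows whether the grant was tenant-wide and exactly which delegated scopes it covered, which is worth reviewing before approving consent for any application.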
0 Votes
Jason-MSFT answered AlexanderHenket-6641 commented

Zero-day support for major iOS versions is the goal for Intune and we've met that with each of the three versions (IIRC). Until then though, all bets are off particularly for a product we don't control and is still subject to change and breaking issues. Additionally, none of this is related to Intune as Intune plays absolutely no part in authentication (including MFA) or what the built-in iOS mail app does.

If this is still broken after iOS 14 is released, then please do report this but make sure that you report it to Apple as only they have control over how the mail app works.

Also note that uploading images works just fine:

24305-new-microsoft-logo-em-168x167.jpg



· 1

I have filed this with Apple in the feedback program already.

I’m not asking for support with my exact case. I would just like to make sure Microsoft uses the beta program to iron out glitches that any beta period has. Also I wanted to know if this is due to the beta at all or something that could have happened in any version.

You tell me to wait for the final product, and I’ll do that certainly. My reporting job thus concludes.

Both Safari and Firefox failed to upload the images. The progress bar rests at 0%.

0 Votes 0 ·
0 Votes
AlexanderHenket-6641 answered

This morning iOS 14 final version was released and installed on my iPhone. The problem persists. Is it possible to help out now that iOS is no longer beta?

0 Votes
Jason-MSFT answered

As noted, this is not related to Intune in any way as Intune is unrelated to authentication. Also, since nothing has changed with Azure AD authentication, the problem lies with the iOS mail app and thus needs to be pursued with Apple.

0 Votes
AlexanderHenket-6641 answered DrewLove-9013 edited

Neither the mail app nor the calendar app is at play here. This is the iOS Settings for Mail accounts talking to my company's self-hosted frontend for Office365 and domain authentication.

I have no idea what software is on their end and frankly I don’t know they do. All I know is they keep checking Intune configuration whenever I call them.

It’s kind of frustrating that nobody seems to be able to do anything but point to ‘the other party’. This is a common pattern for problems that involve communication between different vendors.

· 1

I just updated and I believe I’m having the same issue.

My Office 365 account says it’s not authenticated and I’m prompted to re-enter my password. I tap re-enter password and instead of being redirected to the MS login box I just get another iOS box telling me I need to go into settings and re-enter my password. It just loops.

And it’s not just one device. The same thing is happening on an iPad I also just upgraded.

The only way I was able to fix this with iOS 13 was to wipe the phone and set it up as a new iPhone. Not cool.

0 Votes 0 ·
0 Votes
Jason-MSFT answered

It's time for you to open a support case as there's no way to troubleshoot an issue like this in a forum.



0 Votes
AlexanderHenket-6641 answered AlexanderHenket-6641 edited

My sysops tell me today they are now flooded with users experiencing the same issue. They are investigating why the sts site they run has this issue. I leave the issue with them. They have all the info I don’t have.

1 Vote
BrianDavis-2755 answered ShanghviChetan-1917 commented

@AlexanderHenket-6641 @Jason-MSFT @DrewLove-9013

I was able to fix this on my phone by changing the default browser to Chrome. Found this issue is really due to one of the Safari security updates that comes with iOS 14.

Open Settings on your iPhone or iPad
Swipe down to find the third-party browser you’d like to set as the default
Choose Default Browser App
Tap the third-party app you’d like to use.

Then go back to your mail app and add the Exchange account normally. This time the Auth request will open Chrome where the authentication is allowed to complete and not loop like it does in Safari.

Test this and let me know if it works for you too.

· 6

Having the same issue for myself. Just tried this and no go for me... Switched to Chrome, but still in this loop when selecting work account. :(

1 Vote 1 ·

This worked for me as well. We had a lot of user consent for this app, but applied admin consent as well.

Here's another strange thing occurring in our environment. Users who in-place upgrade to iOS 14 with working mail continue to work after upgrading. In our environment, this seems to be limited to new enrollments on iOS 14. I can remove management profile, and log out of Company Portal on working iOS 14 device that has been upgraded. If I try to re-enroll with Safari as default, Mail cannot connect to exchange server. If I try to re-enroll with Chrome as default it works.

P.S. When we are prompted to enter creds for exchange server, we don't actually get a form credential prompt, the device is passing a cert. With either Safari or Chrome this behavior is displayed. Chrome works Safari doesn't. My guess is there's a bigger issue with Safari as a managed Intune browser in iOS 14 due to changes in client cert security.

1 Vote 1 ·

Same issue for us too with new enrollments on iOS 14.x. Does your organization have a custom Exchange URL like mail.organization.com or outlook.organization.com? If yes, try that instead of outlook.office365.com in the MDM Exchange Email profile and it will work.

1 Vote 1 ·

We have public DNS for on-prem exchange, but no custom public name pointed to exchange online. The public DNS for exchange on-prem used to work and the users would then redirect to exch online, but now iOS 14 only accepts outlook.office365.com as the server.

0 Votes 0 ·

Thanks, this worked for us, we changed default to Edge. When you authenticate, you have to click 'open in edge' first and then it switches browsers, then the auth works.

0 Votes 0 ·
0 Votes
AlexanderHenket-6641 answered DrewLove-9013 commented

Good news: my sysops have succeeded in adding the right authorizations in Azure. The problem turned out to be tenant specific. Their own tenant did not have my problem so originally they were unable to reproduce.

They added that the solution had been something they also had to do for iOS 13.0 but not for 13.1. This leads me to believe that this is a returning issue for major versions of iOS. In any case: my issue is solved.

· 2

Could you share the resolution with us?

1 Vote 1 ·

What was the resolution, please? I ended up wiping my phone and tablet and setting up both from scratch which took the better part of a day. Had to do the same thing with iOS 13.

0 Votes 0 ·
0 Votes
MitchGatewood-2516 answered MitchGatewood-2516 published

Do you know what Azure authentication?

0 Votes
ShanghviChetan-1917 answered NormundsKarklins commented

I believe there is an issue with the OAuth-enabled Exchange payload that's pushed through the MDM profile in iOS 14 as we tested this with two MDM providers and it failed with both. Apple should be notified about this. Adding Exchange account directly without MDM payload is working.

· 5

We ended up having a call with Microsoft support. In our case, we are using OAuth (Modern Authentication) and that caused the issue.

Had to change to Basic Auth temporarily, fix the account (asked for some permissions) and then it worked after that. Back to OAuth.

Likely this will be an Apple iOS 14.x bug fix....

0 Votes 0 ·

By temporarily, do you mean that you changed it to Basic Authentication until you fixed the account then you went back to OAuth, or do you mean you are keeping it at basic until there is a fix from Apple?

0 Votes 0 ·
rschenk MitchGatewood-2516 ·

We just did a quick experiment to see if it would work for the user in question. We excluded them from the policy and retried with Basic Auth. We were then able to authenticate from the phone. Don't suggest making a global change to Basic if you have multiple users affected. I'd wait for Apple to fix it.

These are Intune managed devices.

0 Votes 0 ·