This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(35.2, 49%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJB%3C/text%3E%3C/svg%3E)
I'm not sure if this is the right place to access this type of question. I used to access questions under technet when that was till around. So I apologize if this isn't the correct place.
We are in the process of migrating to M365 from our OnPremise AD. We plan on staying Hybrid for awhile. We currently have our domain Federated for SSO with our ADFS servers. During our testing we discovered that since turning on Federated, Apple iOS Mobile Devices we have in inTune that use the Native Mail App do require a password. Well, that presents an issue in opening up ADFS outside of the 365 cloud because the federated option automatically redirects to our ADFS signon page. I have 3 questions to ask about this.
I'm just trying to figure out the best solution that not only encompasses SSO for our on-premise systems, but also the mobile devices as well.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(153.6, 74%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJM%3C/text%3E%3C/svg%3E)
Hello @Jonathan Berg,
Following up to check if you have any further questions or query, please do let us know.
Hello @Jonathan Berg,
To streamline the process of MFA in mobile devices it is advised to use Modern Authentication as it works better with MFA and CA policies. Migrating from ADFS to Entra ID Authentication will also help in utilizing Conditional Access policies natively. It is also recommended to utilize Outlook mobile instead of the native iOS/Android mail app. Outlook supports modern auth and conditional access policies better than native apps this would help avoiding the dual prompts.
For the second part as your domain is federated with ADFS, the authentication is redirected to ADFS by default. Microsoft 365 uses domain federation settings to determine whether to use ADFS or Entra ID. It would not be possible to selectively divert the redirection for mobile phones or some services. It can be considered to move towards Managed environment where the authentication will be handled by Entra ID and removes ADFS dependency.
Seamless SSO only works for domain-joined Windows clients on corporate networks (via Kerberos), so mobile devices won’t benefit from Seamless SSO directly. To achieve slightly better experience on mobile phone you can use Device enrollment and compliance policies in Intune and combine with Conditional access policies. Moving towards modern auth and device policies will help achieve seamless like experience on mobile phones as MFA prompts will be minimum and refresh tokens would be used for future logins.
The seamless like experience on Mobile phones is what I'm looking to accomplish, but it sounds like migrating from from ADFS to Entra Modern Auth sounds like I'd be sacrificing the SSO options for workstations and other cloud services. Am I deducing that correctly? It sounds like that if we are achieve a seamless option for mobile devices that would require modern auth with inTune which also turns off SSO for our user workstations. Is there no way around this? Or any other options?
To achieve seamless Single Sign-On (SSO) for both workstations and mobile devices, you don't need to sacrifice one for the other. While ADFS is typically used for SSO on domain-joined devices, it can be problematic for mobile devices, especially when using the Native Mail app, as it often requires password prompts and exposes ADFS externally.
By migrating to Entra ID Cloud Authentication (Modern Auth) with either Password Hash Sync (PHS) or Pass-through Authentication (PTA), you can still enable seamless SSO for domain-joined workstations. This is possible with the Seamless SSO feature, which works by leveraging Kerberos tickets, ensuring that workstations whether on the corporate network or not can authenticate without needing to re-enter credentials, just like with ADFS.
At the same time, moving to Modern Authentication significantly improves the mobile device experience. By using Intune for mobile device management, you can ensure that mobile apps like Outlook are integrated with Entra ID for direct, smooth authentication. This bypasses the issues with ADFS and the native mail apps, providing better token caching, Conditional Access policies, and seamless sign-ins across devices. With Modern Authentication and conditional access policies, mobile devices can authenticate more securely, and users can be governed by Intune app protection policies, ensuring compliance and security.
Migrating from ADFS to Azure AD Cloud Authentication doesn't require you to abandon SSO for your workstations. In fact, it simplifies the process and provides better support for both workstations and mobile devices. Once you enable Seamless SSO through Azure AD Connect, your domain-joined workstations will continue to experience SSO without needing ADFS, while your mobile devices will benefit from a more streamlined and secure sign-in process. The transition allows you to leverage cloud-based MFA, conditional access, and passwordless authentication options, creating a unified and modern experience for both workstations and mobile devices.
If you require any further details, please do let us know.
That makes sense, but let me ask this in regards to the native mail app vs the outlook app. A couple of the issues with the Outlook App that we've encountered are 1) contacts aren't synced unless you turn on the manual option in the App to do so. 2) Calendars don't show up in the native calendar app. These do pose issues. Primarily the calendar issue as the calendar having integration in with the native iPhone calendar allows the interfacing with other apps. And it's not two locations for the end user to have their work calendar and personal calendar together to see things in one place. The contacts issue is minor as we have to educate people, however, the fact that an option exists that has to be turned on by the end user when this was not an issue with ActiveSync, unless we have a way of configuring that automatically with InTune or some other means would help. It is a simple thing, I get that, but when there are manual things like this that have been automatic for a long time, really just says we are going backwards for the end user.
With that being said, you don't have to have answer to the issue with the app here as I know this is not the forum specific to that area, but from the information I'm getting that the decision higher up may be made that we setup things like it's been with the Native Mail App and ActiveSync to avoid the change and issues that arise. Sure if these issues I mentioned with the app are changed and work like it's been with ActiveSync, it would more likely be accepted, but because it's not we may have to stick with the Native Mail App.
So then my big question is what can we do to make ActiveSync be seamless as well alongside workstations?
Many users rely heavily on the native mail, contacts, and calendar apps on iOS because they integrate seamlessly with the phone’s ecosystem, allowing for unified views and app interoperability. The Outlook mobile app, while better from a security and management standpoint, lacks some of that native integration—like syncing calendar data into the iOS calendar app or requiring users to manually enable contact sync. These seemingly small issues can feel like a step backward for users, especially when ActiveSync has handled them automatically in the past.
If your organization decides to continue using the native Mail app due to these user experience concerns, and your domain remains federated with ADFS, you'll need to expose ADFS externally to support authentication for ActiveSync. This can be done securely using a Web Application Proxy (WAP) or a reverse proxy, along with ADFS claim rules and conditional access strategies to minimize repeated MFA prompts and exempt known devices (like Intune-compliant ones) from MFA. However, this approach keeps your organization tied to ADFS and its complexity.
The more modern, Microsoft-recommended approach involves migrating to a managed authentication model—using Password Hash Sync (PHS) or Pass-Through Authentication (PTA)—which enables full use of Conditional Access and modern authentication without the dependency on ADFS.
For seamless user experience with the native Mail app, especially on Intune-managed devices, you can configure Exchange ActiveSync profiles through Intune so that users don’t have to manually set up their accounts. Document for reference Quickstart-email-profile. This setup, combined with Conditional Access policies that grant access only to compliant devices, ensures that MFA isn’t continually required once the device is trusted. Ultimately, if native apps must be supported, it would be required to securely expose ADFS while maintaining federation or to migrate to a managed domain with modern auth, Intune enrollment, and Conditional Access controlling access to ActiveSync. This allows for both secure access and a smoother, more familiar experience for mobile users.
Following up to check if you have any further questions or query, please do let us know.
Hi Jyotishree,
Thanks for your explanations. I believe moving to the modern auth is ideally where we are going to be heading to... probably with PTA. So, what I'm trying to wrap my head around is when it comes to PTA and Mobile Devices. The documentation on PTA requires an agent of some sorts on-premise installed. How does a Mobile Device utilize this? Inherently, a Mobile Device isn't domain joined or on the Corporate network.
We will be using inTune for our Mobile Devices. For most of our devices, they require the user to sign in either by the InTune Corporate Portal or the ABM sign-in option we have configured for those. Will the user still sign-in with a username/password and does that authentication take place directly onto the cloud by the user's Entra account?
I guess I'm just trying to find out if there is a requirement for communication back to on-prem for the Mobile Devices since the agents live on-prem if that makes sense what i'm trying to ask.
Jonathan