Native iOS Mail app not working with MFA

Freppys 96 Reputation points
2021-03-05T10:26:49.827+00:00

Hi,

I am receiving this in the mail app after configuring mail app after enabling MFA via Conditional Access on my iPhone native mail app.
Tried removing and adding, without success..

Outlook iOS app works. But I prefer using native mail app.

Any ideas?

See settings of the policy.

74738-image.png

74729-image.png

Microsoft Entra
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,521 questions
0 comments No comments
{count} votes

6 answers

Sort by: Most helpful
  1. Pa_D 1,071 Reputation points
    2021-03-05T20:37:49.647+00:00

    You are saying whether or not you have CA policy, you are not able to access email on iOS native app right?

    This makes me think this restriction is coming from Exchange admin side. Check you Exchange admin center or your exchange admin

    Exchange admin center > mobile

    0 comments No comments

  2. Freppys 96 Reputation points
    2021-03-08T08:43:43.913+00:00

    Hi @Pa_D
    Thanks for you comment.
    Sorry if I wasn't clear.

    The native iOS mail app is working without MFA enabled. But when I enabled MFA via conditional access it doesn't work.


  3. Sing Kit Cheng 46 Reputation points
    2021-05-26T13:48:04.697+00:00

    iOS native mail app doesn't support MFA.


  4. Sing Kit Cheng 46 Reputation points
    2021-05-26T14:04:15.8+00:00

    Hi Freppys,

    It's a sneaky deal. See we use Azure Sentinel to alert us with risky business. Just yesterday, we have a user who did the same thing, setup iOS native mail for work email. I received an alert today about this. The alert title is: "Suspicious application consent for offline access." The description of the alert is: "This will alert when a user consents to provide a previously-unknown Azure application with offline access via OAuth. Offline access will provide the Azure App with access to the listed resources without requiring two-factor authentication. Consent to applications with offline access and read capabilities should be rare, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome! For further information on AuditLogs please see https://learn.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities."
    So, it looks like what's happening is you grant permission to iOS native mail to download emails for offline access so MFA is actually bypassed. My opinion is that MFA is a very strong protection so we shouldn't bypass it. I just told my user to switch to use the Outlook app for security reason. Just my opinion though.

    Thanks
    Kit


  5. Lt. Columbo 316 Reputation points
    2021-09-01T21:25:21.037+00:00

    Hi @Freppys ,

    Could you please explain in more detail how to grant tenant permission for iOS app in Azure AD.
    Were there any issues afterwards?