7,925 questions
Yea, I would say its the security Defaults which enforce MFA and block basic authentication.
If a new profile is created on the phone or you use Outlook Mobile, does it work?
Hybrid Migration - Mobile devices quarantine automatically
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(28.799999999999997, 68%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJK%3C/text%3E%3C/svg%3E)
Jason Kowalczyk
11
Reputation points
We are performing a hybrid migration to 365 from Exchange 2013. We are still in testing phases moving test mailboxes. Whenever we move a mailbox that has a mobile device connected that device goes to quarantine. When we allow the mobile device it goes back to quarantine after briefly showing us "access granted - Pending"
In powershell we see, deviceaccessstate: Allowed - Yet in the gui it's quarantined. Currently, for testing, we have no mobile device policies that would be quarantining, i'm just looking for it to work at this point.
I'm guessing this has something to do with the Azure Security default being enabled, but i'm also unwilling to just disable them. Unless it's the only way and i can clearly define why
Currently I have a around 200 users, mostly Business Standard and Business Basic. But... i do have a couple powerusers licensed E5. So I'm not really licensed for conditional access policies, not in any widespread meaningful way.
We have a case open with Microsoft, but it's been radio silence since Friday.. leaving us stalled. If anyone has any ideas. I've attached multiple screenshots below PowerShell and Gui.
Exchange | Exchange Server | Management
Exchange | Hybrid management
2,311 questions
Microsoft Security | Microsoft Entra | Microsoft Entra ID
25,207 questions
2 answers
Sort by: Most helpful
-
Andy David - MVP 157.8K Reputation points2021-04-07T20:52:04.28+00:00 -
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(6.4, 14.000000000000002%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
Craig Molnar 1 Reputation point2021-04-07T21:11:14.007+00:00 If a new profile is created on the phone or you use Outlook Mobile, does it work?
Yeah that is the work around right now, delete the account off from the mobile device and then re-add it.
(Jason and I are working together on this one)
-
Andy David - MVP 157.8K Reputation points
2021-04-07T21:15:51.497+00:00 Yep, thats the way to force it to use modern auth. At least you have your solution now! :)
-
Jason Kowalczyk 11 Reputation points
2021-04-07T23:58:25.49+00:00 Thank you for your input.
We are looking for a more scalable solution as another migration we will be doing will be over 3000 users and hybrid migration has always worked before. We had the same issue with the Outlook Client but there is a registry entry to force modern auth for autodiscover.
Sign in to comment -
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(252.8, 22%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELL%3C/text%3E%3C/svg%3E)
Lucas Liu-MSFT 6,191 Reputation points2021-04-08T06:34:47.8+00:00 Hi @Jason Kowalczyk ,
Yes, Azure Security default may affect mobile devices. According to similar situations in the past, as Andy said, reconfiguring the account profile is a very effective way.For how to set the login behavior of different versions of Offcie client apps, this official article gives detailed registry keys and their impact. Please refer to: How modern authentication works for Office 2013, Office 2016, and Office 2019 client apps
----------
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.-
Craig Molnar 1 Reputation point
2021-04-08T12:19:44.277+00:00 Yes, Azure Security default may affect mobile devices. According to similar situations in the past, as Andy said, reconfiguring the account profile is a very effective way
Thanks for the reply, it's very much appreciated.
There really is no way to have mobile devices automatically connect to the migrated mailbox? Each user will be required to remove the account from mobile, then re-add it as we migrate them?
I'm guessing if the mobile devices where using the Oultook app this would be non-issue. It's the native active-sync applications that are effected by this?
If we where to setup Modern Auth on the on Premise sever would that allow the mobile devices, using native active sync applications, to seamlessly transition to the cloud mailbox when migrated?
I'm really trying to avoid having each user re-connect their mobile devices. The environment doesn't include MDM (yet)
-
Andy David - MVP 157.8K Reputation points
2021-04-08T13:09:23.853+00:00 Even with a MDM solution, I don't think its going to be seamless. Mobile Devices just dont have that flexibility. I think you'll have to recreate those profiles.
Outlook Mobile wouldnt have this issue since you would most likely be using Modern Auth already with them. ( even though its supported, the feature set is pretty bad with basic auth) -
Craig Molnar 1 Reputation point
2021-04-08T13:35:34.907+00:00 Ok, it's just, "it is what it is"
Thanks again!
-
Andy David - MVP 157.8K Reputation points
2021-04-08T14:10:44.25+00:00 haha. One of those "Its a feature" things :)
-
Lucas Liu-MSFT 6,191 Reputation points
2021-04-19T23:27:31.957+00:00 Hi @Craig Molnar ,
Yes, according to my test in my lab environment. Sometimes I migrate mailbox from on-premises Exchange to Exchange online, the mailbox in mobile device will not be update until I reconfigure the account or profile.This is one of the situations caused by migration. In short, it can't guarantee "perfect seamless connection"----------
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Sign in to comment -