iOS native Mail client conflicts with MFA through Azure Conditional Access

Lt. Columbo 316 Reputation points
2021-09-01T12:32:44.85+00:00

Hi guys,

I recently deployed DUO MFA through Azure AD conditional access for Azure AD access.
It is aimed to protect access to emails stored in Exchange Online.
It works fine with desktop Outlook and OWA.
However, all iOS native Mail clients get the message below and email syncing stops.

[screenshot attached: native-ios-mfa.jpg]

Excluding affected users gets access to emails on iOS Mail client back to normal.
I've come across these articles where the solution was found by granting tenant permission for the iOS app.
https://learn.microsoft.com/en-us/answers/questions/300742/native-ios-mail-app-not-working-with-mfa.html
https://learn.microsoft.com/en-us/answers/questions/93588/ios-14-mailcalendar-multi-factor-authentication-fa.html
Just a bit unclear how to grant that permission and what the potential implications are.

Thanks.


1 answer

  1. Marilee Turscak-MSFT 35,806 Reputation points Microsoft Employee
    2021-09-13T23:47:12.813+00:00

    The Exchange Active Sync client does not support MFA. If you make sure “Exchange ActiveSync clients” is unchecked in the conditional access policy, native iOS mail clients should be able to have access.

    Intune might suit your scenario better. https://learn.microsoft.com/en-us/mem/intune/protect/exchange-connector-install

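The answer's fix expressed against the Microsoft Graph conditionalAccessPolicy shape, as an added example that is not from the question, the answer or Microsoft: a small audit helper with the policy as the question describes it (all client apps) beside the same policy with "Exchange ActiveSync clients" unchecked, showing that the narrowed policy leaves the ActiveSync path without MFA at all, which is the trade-off the workaround implies. The display name is a constructed placeholder, and treating a missing clientAppTypes as "all" is an assumption.

```python
"""Audit Conditional Access policies (Microsoft Graph conditionalAccessPolicy shape)
for whether an MFA grant still applies to Exchange ActiveSync (EAS) clients."""
from typing import Dict, List, Set

# Graph clientAppTypes values; "all" expands to every type listed here.
# "easSupported" (EAS on supported platforms) is counted as EAS below.
ALL_CLIENT_APP_TYPES: Set[str] = {
    "browser", "mobileAppsAndDesktopClients", "exchangeActiveSync", "easSupported", "other",
}
EAS_TYPES: Set[str] = {"exchangeActiveSync", "easSupported"}

def effective_client_apps(policy: Dict) -> Set[str]:
    """Client app types the policy applies to.
    Assumption: a missing clientAppTypes behaves like the portal default, "all"."""
    types = set(policy.get("conditions", {}).get("clientAppTypes") or ["all"])
    return set(ALL_CLIENT_APP_TYPES) if "all" in types else types & ALL_CLIENT_APP_TYPES

def requires_mfa(policy: Dict) -> bool:
    """True for an enabled policy whose grant controls include the built-in MFA control."""
    controls = policy.get("grantControls") or {}
    return policy.get("state") == "enabled" and "mfa" in controls.get("builtInControls", [])

def eas_mfa_policies(policies: List[Dict]) -> List[str]:
    """Display names of enabled MFA policies that still cover EAS clients.
    An empty result means EAS connections are outside MFA enforcement entirely."""
    return [p["displayName"] for p in policies
            if requires_mfa(p) and effective_client_apps(p) & EAS_TYPES]

# Constructed sample policies; the display name is a placeholder, not from a real tenant.
# BEFORE: scoped to all client apps, as the question describes, so the native iOS
# Mail (EAS) client is challenged for MFA it cannot complete and sync stops.
POLICY_BEFORE: Dict = {
    "displayName": "Require MFA for Exchange Online",
    "state": "enabled",
    "conditions": {
        # well-known Office 365 Exchange Online application ID
        "applications": {"includeApplications": ["00000002-0000-0ff1-ce00-000000000000"]},
        "clientAppTypes": ["all"],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}
# AFTER: "Exchange ActiveSync clients" unchecked, as the answer advises. MFA still
# applies to browser and modern clients; EAS clients now connect without MFA.
POLICY_AFTER: Dict = {
    **POLICY_BEFORE,
    "conditions": {**POLICY_BEFORE["conditions"],
                   "clientAppTypes": ["browser", "mobileAppsAndDesktopClients", "other"]},
}
```

Running `eas_mfa_policies` over the policies exported from a tenant lists which MFA policies still reach EAS clients; an empty list is the state the answer's workaround produces.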