0 Votes
SkipHofmann-5788 asked, IvanRafaj-8871 answered

Native iOS mail client modern authentication.

Hello

I am trying to understand which versions of the iOS native mail client support modern auth in Exchange Online. From reading the article below, it sounds like I have to enable and consent to the enterprise application "Apple Internet Accounts" in Azure before the device is able to connect using modern authentication. Is this correct?

https://office365itpros.com/2021/10/18/old-apple-mail-clients-exchange-online/

This article from Apple suggests that modern auth is supported:
https://support.apple.com/en-ie/guide/deployment/dep158966b23/web
However, I am running an iPhone 13 and I could not get the native mail client to connect. I received the message below. The error message is suggesting that I have to enable and consent to the "Apple Internet Accounts" app.
[attachment: concent1.jpg (screenshot of the consent message)]


Tags: office-exchange-server-administration, office-exchange-online-itpro, office-exchange-server-connectivity, office-exchange-server-itpro

0 Votes
AndyDavid answered, SkipHofmann-5788 commented

Yes, you need your Azure/365 admin to consent to this before you can use it. They may not allow it, so you will have to check with them.
Note this app used to be called "iOS Accounts" in the Azure portal under Enterprise Apps.

See more:
https://techcommunity.microsoft.com/t5/azure-active-directory-identity/did-i-accidentally-provision-apple-internet-accounts-with-my-own/m-p/1317884

And yes, modern auth is supported. Assuming your org requires and allows it, you may need to create a mail profile.


Thanks Andy for the information. Can you explain how the "Apple Internet Accounts" application facilitates modern auth for the native Outlook client? I'm trying to understand why this application is required to support modern auth when using the native Outlook client on a device that is running iOS 15.

Thank you

1 Vote

0 Votes
AndyDavid answered, SkipHofmann-5788 commented

Hi there. The app/service principal "Apple Internet Accounts" has delegated permissions to Exchange workloads in 365. When a user accesses Exchange Online, the iOS mail app needs these permissions to access the service. A service principal uses Modern Auth.

Here are those permissions:
[attachment: image.png (screenshot of the app's delegated permissions)]


Once a user is authenticated, they will be added to the "Users and groups" section of that app in Azure.

The second piece is the account itself. When you log on to Azure, the iPhone leverages Modern Auth (tokens/claims versus transmitting the name and password) to Azure.


Perfect explanation. Thank you

0 Votes

0 Votes
IvanRafaj-8871 answered
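As an added illustration of the answer above (editor's example, not code from the thread or from Microsoft), the following Microsoft Graph PowerShell snippet inspects the service principal Andy describes: whether it has been provisioned in the tenant, which delegated permissions have been consented and by whom, who appears under "Users and groups", and what the sign-in log records for it. It assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in admin can read applications, directory data and the sign-in log; the display names are the ones given in the thread.

```powershell
# Added example (not from the thread): inspect the "Apple Internet Accounts"
# service principal that the native iOS Mail client needs for modern auth.
# Assumes the Microsoft.Graph SDK and an admin with the scopes below.
Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All", "AuditLog.Read.All"

# The app was called "iOS Accounts" in older tenants, so match either name.
$sp = Get-MgServicePrincipal `
        -Filter "displayName eq 'Apple Internet Accounts' or displayName eq 'iOS Accounts'" |
      Select-Object -First 1

if (-not $sp) {
    Write-Warning "Service principal not provisioned yet: it is created by the first user sign-in or by admin consent."
    return
}

# AccountEnabled is the portal's "Enabled for users to sign-in?" switch.
$sp | Select-Object DisplayName, AppId, Id, AccountEnabled

# Delegated permissions that have actually been consented.
# ConsentType 'AllPrincipals' = tenant-wide admin consent;
# 'Principal' = a single user (PrincipalId) consented for themselves.
Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id |
    Select-Object ConsentType, PrincipalId, ResourceId, Scope

# The "Users and groups" list: users are added here after a successful sign-in.
Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id |
    Select-Object PrincipalDisplayName, PrincipalType, CreatedDateTime

# Recent sign-ins through the app. ClientAppUsed distinguishes a modern-auth
# client ("Mobile Apps and Desktop clients") from the legacy "Exchange ActiveSync"
# client app, and Status.ErrorCode is non-zero when consent is still required.
Get-MgAuditLogSignIn -Filter "appDisplayName eq '$($sp.DisplayName)'" -Top 20 |
    Select-Object CreatedDateTime, UserPrincipalName, ClientAppUsed,
                  @{ Name = 'ErrorCode'; Expression = { $_.Status.ErrorCode } }
```

If the first query returns nothing, the consent prompt from the original question is expected: the service principal does not exist in the tenant until a user or an admin consents, and an admin can create it with tenant-wide consent so that users are never prompted.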

Hi all,

How does this relate to my set-up?

I have disabled ActiveSync in my tenant by de-selecting "Exchange ActiveSync (EAS)" under Settings - Org settings - Modern Authentication.

I no longer see any sign-ins with Client App "Exchange ActiveSync".

But I still had a case where a user wanted to set up the native iOS mail app and this did not work: mails were not synced. When I enabled ActiveSync in the CASMailbox settings, mails were synced, but I still do not see in the sign-in logs that ActiveSync basic authentication was actually used. I have the "iOS Accounts" app registered and enabled for users to sign in. Still, this example user was not prompted to request consent, but ActiveSync needed to be enabled in the user's CASMailbox settings. I am now really confused about ActiveSync and the iOS native mail app. Why does enabling ActiveSync on a user help if this is disabled at tenant level, and why do I still not see in the sign-in logs that basic auth ActiveSync has been used to sign in?

Thanks Community!
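An added example for the settings Ivan mentions (editor's code, not from the thread), run in Exchange Online PowerShell with the ExchangeOnlineManagement module; the mailbox UPN is a placeholder. The check is based on the following reading, which the thread itself does not spell out: unticking "Exchange ActiveSync (EAS)" under Org settings > Modern authentication sets AllowBasicAuthActiveSync to false in the tenant's default authentication policy, so it blocks basic authentication on EAS but does not switch off the EAS protocol; ActiveSyncEnabled on the CASMailbox is what switches EAS on or off for a mailbox. The native iOS Mail app still uses EAS when it authenticates with OAuth through "Apple Internet Accounts", so the mailbox flag has to be on, and those sign-ins show up in the Azure AD sign-in log under that app with a modern-auth client type rather than as the legacy "Exchange ActiveSync" client app.

```powershell
# Added example (not from the thread): separate the tenant-level basic-auth
# block for EAS from the per-mailbox EAS protocol switch.
# Assumes the ExchangeOnlineManagement module; $user is a placeholder.
Connect-ExchangeOnline

$user = "user@contoso.com"   # placeholder mailbox

# 1. Tenant-level modern-auth state. OAuth2ClientProfileEnabled is the tenant's
#    modern-auth switch; DefaultAuthenticationPolicy is what the Org settings
#    "Allow access to basic authentication protocols" checkboxes write to.
Get-OrganizationConfig | Select-Object OAuth2ClientProfileEnabled, DefaultAuthenticationPolicy

# AllowBasicAuthActiveSync $false = the "Exchange ActiveSync (EAS)" box unticked.
# This only blocks basic auth on EAS; OAuth EAS clients are unaffected.
Get-AuthenticationPolicy | Select-Object Name, AllowBasicAuthActiveSync, AllowBasicAuthImap, AllowBasicAuthPop

# 2. Per-mailbox protocol switch. The native iOS Mail app talks EAS whichever
#    auth method it uses, so this must be $true for mail to sync.
$cas = Get-CASMailbox -Identity $user
$cas | Select-Object ActiveSyncEnabled, ActiveSyncMailboxPolicy

if (-not $cas.ActiveSyncEnabled) {
    # The change that made mail sync in Ivan's case: turn the protocol back on
    # for this mailbox; basic auth stays blocked by the authentication policy.
    Set-CASMailbox -Identity $user -ActiveSyncEnabled $true
}

# 3. Devices that have partnered with the mailbox over EAS, to confirm the
#    iPhone is really syncing over this protocol.
Get-MobileDeviceStatistics -Mailbox $user |
    Select-Object DeviceType, DeviceModel, DeviceOS, LastSuccessSync
```

With basic auth blocked in the policy and ActiveSyncEnabled set to true, a successful iOS Mail sign-in should appear in the Azure AD sign-in log under the "Apple Internet Accounts" (or "iOS Accounts") application, not under Client App "Exchange ActiveSync", which is reserved for legacy basic-auth EAS clients; that matches what Ivan sees in his logs.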
