iOS 14 + Mail/Calendar + Multi Factor Authentication fails

Alexander Henket 16

As of iOS 14 I am unable to use Mail/Calendar for our Office365 business account because iOS Settings fails for Multi Factor Authentication (MFA).

All Microsoft apps work fine on MFA, so I temporarily fell back to Microsoft Outlook.app on iOS. Also using mobile Safari I can go to outlook.com no problem.

When I use iOS Settings > Mail > Accounts however the procedure takes me to microsoftonline.com which redirects into the regular company site, which redirects into microsoftonline.com to show me the attached screen. [would love to upload picture but upload feature is broken here] -- The 'error' says "Administrator approval required for Apple Internet Accounts"

I noticed that iOS beta 6 fixed something in OAuth/Exchange, but for me that did not solve the issue. Anyone else experiencing this?

Removal and recreation of account in Microsoft Authenticator did not help. My sysops initially told me that the problem is in an incompatibility between Apple Internet Accounts OAuth behavior under iOS 14 and Microsoft Intune. With the final release of iOS 14 around the corner it sounds important to have that fixed at either end.

Mattynat 11 Reputation points

2020-09-17T15:47:11.827+00:00

Seems like a wide spread issue as I am seeing it at my company as well. We actually opened up a case with Apple instead of Microsoft but I am sure we will loop in MS at some point. Seems like some users are able to turn off Cross track and the other security settings in Settings > Safari and then sign in again. While others are reporting they needed to delete their account and try to add it back in multiple times in order for it to work. Someone at Apple said: One thing to be on the lookout for: iOS and iPadOS use randomized MAC addresses for privacy now. Can disable manually in Settings on a per network basis or via MDM. So if your network expects certain MAC addresses you may have trouble.

Just thought I’d share. Good luck!
Anonymous

2020-09-18T23:48:04.13+00:00

If I saw this earlier I would not of upgraded. Public release and now no access to Corp email
Sabo, Eric 1 Reputation point

2020-10-08T09:56:38.323+00:00

What was the fix for this ? I have an end user with IOS 14.1
Nicolas Averseng 6 Reputation points

2020-10-08T11:27:11.82+00:00

Managed to fix it by adding the admin consent in AAD (https://learn.microsoft.com/answers/answers/104889/view.html gave the hint)

The name somehow changed from 'iOS Accounts' to 'Apple Internet Accounts' afterwards and users on iOS 14 are now able to connect.
Rui Cardoso 1 Reputation point

2020-10-21T10:43:51.38+00:00

In my tenant, I can see "iOS Accounts" but not "Apple Internet Accounts". Guess why? Admin consent to "iOS Accounts" is not enabling users to configure iOS apps like mail and calendar. They are getting the message "Unable to verify account information".
Even generating app passwords, they still get the same message.
SomePerson 1 Reputation point

2020-12-23T03:09:50.987+00:00
I'm not sure which step (or both) made it work but here is what I did and now iPad is able to add an account and receive email when it previously didn't. iPad is iOS 14.2.

First step:

Sign into Azure AD as an admin, navigate to Enterprise Applications and click on iOS Accounts.

In iOS Accounts Overview, click Permissions (in the Security section).

Click "Grant admin consent for <company name>".

Second step:

On iPad, install either Chrome or Edge.

Make Chrome/Edge the default browser.
A. Open Settings on your iPad
B. Swipe down to find the third-party browser you’d like to set as the default.
C. Choose Default Browser App.
D. Tap either Chrome/Edge.
E. Do not restart device.

Go to iPad Mail app and add account. This time the Auth request will open Chrome/Edge where the authentication is allowed to complete.

Change default browser back to desired default.
tech 1 Reputation point

2020-12-23T20:59:58.443+00:00

THANK YOU!! This worked for me as well.

15 answers

Brian Davis 6 Reputation points

2020-09-18T00:04:38.647+00:00

@Alexander Henket @Jason Sandys @Drew Love

I was able to fix this on my phone by changing the default browser to chrome. Found this issue is really due to one of the Safari security updates that comes with iOS 14.

Open Settings on your iPhone or iPad
Swipe down to find the third-party browser you’d like to set as the default
Choose Default Browser App
Tap the third-party app you’d like to use.

Then go back to your mail app and add the Exchange account normally. This time the Auth request will open chrome where the authentication is allowed to complete and not loop like it does in Safari.

Test this and let me know if it works for you too.
Please sign in to rate this answer.

1 person found this answer helpful.
RSchenk 6 Reputation points

2020-09-18T00:38:01.29+00:00

Having the same issue for myself. Just tried this and no go for me... Switched to Chrome, but still in this loop when selecting work account. :(

Bob Donkey 1 Reputation point

2020-10-01T13:43:40.29+00:00

Thanks, this worked for us, we changed default to Edge. When you authenticate, you have to click 'open in edge' first and then it switches browsers, then the auth works.

Alan Reagan 16 Reputation points

2020-10-12T20:10:14.423+00:00

This worked for me as well. We had a lot of user consent for this app, but applied admin consent as well.

Here's another strange thing occurring in our environment. Users who in-place upgrade to iOS 14 with working mail continue to work after upgrading. In our environment, this seems to be limited to a new enrollments on iOS14. I can remove management profile, and log out of Company Portal on working iOS 14 device that has been upgraded. If I try to re-enroll with Safari as default, Mail cannot connect to exchange server. If I try to re-enroll with Chrome as default it works.

P.S. When we are prompted to enter creds for exchange server, we don't actually get a form credential prompt, the device is passing a cert. With either Safari or Chrome this behavior is displayed. Chrome works Safari doesn't. My guess is there's a bigger issue with Safari as a managed Intune browser in iOS 14 due to changes in client cert security.

Shanghvi, Chetan 11 Reputation points

2020-10-12T20:57:34.373+00:00

Same issue for us too with new enrollments on iOS 14.x. Do your organization have a custom Exchange URL like mail.organization.com or outlook.organization.com? If yes, try that instead of outlook.office365.com in the MDM Exchange Email profile and it will work.

Alan Reagan 16 Reputation points

2020-10-12T21:45:09.977+00:00

We have public DNS for on-prem exchange, but no custom public name pointed to exchange online. The public DNS for exchange on-prem used to work and the users would then redirect to exch online, but now iOS 14 only accepts outlook.office365.com as the server.

Shanghvi, Chetan 11 Reputation points

2020-10-12T21:58:23.213+00:00

For us, it's the other way around. iOS 12.x and 13.x used to accept outlook.office365.com but new enrollments on iOS 14 will accept only outlook.organization.com. There are so many issues with Oauth authentication and both Apple and Microsoft are causing problems. They have to work together to sort these things out but I don't see that happening and they rather push us, the admins to face all the heat, very frustrating!
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Jason Sandys 31,421 Reputation points Microsoft Employee Moderator

2020-09-13T22:24:18.023+00:00

Zero-day supports for major iOS versions is the goal for Intune and we've met that with each of the three versions (IIRC). Until then though, all bets are off particularly for a product we don't control and is still subject to change and breaking issues. Additionally, none of this is related to Intune as Intune plays absolutely no part in authentication (including MFA) or what the built-in iOS mail app does.

If this is still broken after iOS 14 is released, then please do report this but make sure that you report it to Apple as only they have control over how the mail app works.

Also note that uploading images works just fine:
Please sign in to rate this answer.
Alexander Henket 16 Reputation points

2020-09-14T08:26:11.633+00:00

I have filed this with Apple in the feedback program already.

I’m not asking for support with my exact case. I would just like to make sure Microsoft uses the beta program to iron out glitches that any beta period has. Also I wanted to know if this is due to the beta at all or something that could have happened in any version.

You tell me to wait for the final product, and I’ll do that certainly. My reporting job thus concludes.

Both Safari and Firefox failed to upload the images. The progress bar rests at 0%.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Alexander Henket 16 Reputation points

2020-09-16T05:27:49.47+00:00

This morning iOS 14 final version was released and installed on my iPhone. The problem persists. Is it possible to help out now that iOS is no longer beta?
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Jason Sandys 31,421 Reputation points Microsoft Employee Moderator

2020-09-16T17:35:10.29+00:00

As noted, this is not related to Intune in any way as Intune is unrelated to authentication. Also, since nothing has changed with Azure AD authentication, the problem lies with the iOS mail app and thus needs to be pursued with Apple.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Alexander Henket 16 Reputation points

2020-09-16T19:12:54.043+00:00

The mail app nor the calendar app is at play here. This is the iOS Settings for Mail accounts talking to my companies self hosted frontend for Office365 and domain authentication.

I have no idea what software is on their end and frankly I don’t know they do. All I know is they keep checking Intune configuration whenever I call them.

It’s kind of frustrating that nobody seems to able to do anything but point to ‘the other party’. This a common pattern for problems that involve communication between different vendors.
Please sign in to rate this answer.
Drew Love 1 Reputation point

2020-09-17T01:35:36.62+00:00

I just updated and I believe I’m having the same issue.

My Office 365 account says it’s not authenticated and I’m prompted to re-enter my password. I tap re-enter password and instead of being redirected to the MS login box I just get another iOS box telling me I need to go into settings and re-enter my password. It just loops.

And it’s not just one device. The same thing is happening on an iPad I also just upgraded.

The only way I was able to fix this with iOS 13 was to wipe the phone and set it up as a new iPhone. Not cool.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

iOS 14 + Mail/Calendar + Multi Factor Authentication fails

15 answers

Your answer