Outlook for iOS and Android

Outlook for iOS and Android supports two authentication types in Exchange on-premises environments: Basic authentication and hybrid Modern Authentication.

Outlook for iOS and Android uses Basic authentication with Exchange ActiveSync in the following environments:

  • In Exchange Server 2010 environments

  • When a hybrid relationship with Microsoft 365 or Office 365 hasn't been configured

  • When hybrid Modern Authentication hasn't been enabled

For more information, see Using Basic authentication with Outlook for iOS and Android.

For customers running Exchange Server 2013, Exchange Server 2016, or Exchange Server 2019 in a hybrid relationship with Microsoft 365 or Office 365, Outlook for iOS and Android can be configured to use hybrid Modern Authentication. For more information, see Using hybrid Modern Authentication with Outlook for iOS and Android.

Note

The Outlook for iOS and Android Help Center is available for users, including help for using the app on specific devices and troubleshooting information.

Differences when managing devices on "Hybrid Modern Auth (HMA)" enabled on-premises Exchange servers

Historically, for other EAS implementations, a unique device ID is provisioned for each smartphone that connects to the same on-premises mailbox, and ABQ (Allow, Block, Quarantine) or any MDM can manage these device IDs just as it does for native EAS applications.

However, when connecting to an HMA-enabled on-premises environment using Outlook Mobile, there are some design differences, because the user's data is stored in a central cache inside the Exchange Online tenant. To understand the design philosophy and its benefits, see the section Using hybrid Modern Authentication with Outlook for iOS and Android. This capability also allows tenant admins to safely issue a remote wipe of data in scenarios where a user leaves the company or a device is compromised. Some of the differences are described below.

  • Users connect to a cache created inside the Exchange Online tenant: When a user connects to a Hybrid Modern Authentication enabled on-premises environment using the Outlook Mobile application, Exchange creates on the backend a synchronized cache of the user's last 4 weeks of data in a user-protected mailbox. This means that if multiple devices connect, they'll all be accessing a single endpoint inside Exchange, and only one device ID is seen on the on-premises side. The synchronized cache is also called a Cloud Cache account.

  • Cloud Cache might generate multiple devices: The on-premises admin might see multiple devices because of how the Cloud Cache is bootstrapped and because expired device records may still be listed. When Exchange first validates the Cloud Cache account, it uses a generic device ID. Once the account has been verified, a new personalized device ID, called the subscription, is used.

  • Blocking or issuing remote wipe: If the on-premises admin wants to remove access to content, they should run a remote wipe on-premises. The Cloud Cache will proxy the remote wipe to all connected devices. If the on-premises admin wants to block access to content, they should do it on-premises as well; the Cloud Cache will then be unable to sync any new content. For more detail about remote wipe, see the section Perform a remote wipe on a mobile phone.
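The on-premises workflow described above (list the device records the Cloud Cache presents, then wipe or block from on-premises so the Cloud Cache proxies the action), as an added Exchange Management Shell example that is not part of this page. It assumes a shell session on the on-premises server; the mailbox, the notification address, the device ID placeholder and the "Outlook*" DeviceType filter are assumptions.

```powershell
# Added example (not from the page). Run in the on-premises Exchange Management Shell.
$Mailbox = 'tim@contoso.com'                    # placeholder mailbox
$NotifyAddress = 'secops@contoso.com'           # placeholder notification address

# 1. List every mobile device record for the mailbox. With HMA, expect the generic
#    bootstrap device ID, the personalized "subscription" device ID, and possibly
#    expired entries that are still listed.
$devices = Get-MobileDeviceStatistics -Mailbox $Mailbox |
    Where-Object { $_.DeviceType -like 'Outlook*' }   # assumption: Outlook mobile reports a DeviceType starting with "Outlook"

$devices |
    Sort-Object LastSuccessSync -Descending |
    Format-Table DeviceId, DeviceType, DeviceModel, DeviceAccessState, LastSuccessSync -AutoSize

# 2. Pick the device record to act on (copy the DeviceId from the listing above).
$TargetDeviceId = '<DEVICE-ID-FROM-STEP-1>'     # placeholder, chosen by the admin
$target = $devices | Where-Object { $_.DeviceId -eq $TargetDeviceId }
if (-not $target) { throw "No Outlook device record with DeviceId $TargetDeviceId for $Mailbox" }

# 3a. Remote wipe (user left / device compromised). Issued on-premises against the
#     device record; the Cloud Cache proxies it to every device attached to that cache.
#     -AccountOnly wipes only the Outlook account data, not the whole device; omit the
#     switch on servers that do not support an account-only wipe.
Clear-MobileDevice -Identity $target.Identity -AccountOnly `
    -NotificationEmailAddresses $NotifyAddress -Confirm:$false

# 3b. Block instead of wipe: blocking the device ID on-premises stops the Cloud Cache
#     from syncing any new content for it.
Set-CASMailbox -Identity $Mailbox -ActiveSyncBlockedDeviceIDs @{Add = $target.DeviceId}

# 4. Verify: access state and the wipe request/sent/ack timestamps on the record.
Get-MobileDeviceStatistics -Mailbox $Mailbox |
    Where-Object { $_.DeviceId -eq $TargetDeviceId } |
    Select-Object DeviceId, DeviceAccessState, DeviceWipeRequestTime, DeviceWipeSentTime, DeviceWipeAckTime
```

Steps 3a and 3b are alternatives; run only the one that matches the intended outcome, and keep the listing from step 1 as the evidence record for the action.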

Best practice with MDM

  • We recommend using an MDM like Intune together with the Conditional Access feature to manage the Outlook Mobile application. Refer to the section Managing Outlook for iOS and Android in Exchange Online.

  • Intune management works for accounts connected using Hybrid Modern Auth to on-premises servers. Indeed, that is one of its value propositions. All devices connected to a single Cloud Cache present the same ID to the on-premises server because they share the same physical storage in that Microsoft 365 "middle tier". Intune management doesn't work for accounts connecting via Basic auth to on-premises servers, because the on-premises admin has little visibility into the Microsoft 365 identities involved.

  • A single on-premises user may have a single Microsoft 365 identity, or more than one. That's because the Microsoft 365 identity is computed from the sign-in name presented by the client user. This may be tim@contoso.com, or it may be contoso.com/tim. Each can be used to control sign-in to the on-premises server, but there's no way inside Microsoft 365 to discover that these two different names represent the same on-premises user. As such, each will have a different Microsoft 365 identity and a different Microsoft 365 Cloud Cache, and will present a different device ID to the on-premises EAS server.