Modern authentication for native mail
We need to be able to configure email profiles with modern authentication. It is supported now by iOS but not by Intune. This problem is making an MFA rollout to existing email profiles very difficult and leaving gaps in our ability to retire native emails when employees have to configure their own Exchange profiles.
Outlook is great and all but conditional access doesn’t prevent the native client from being used.
As @Robert suggested, I will merge “IOS email profile does not support MFA” into this one.
Also, when I asked the PM, he said “Conditional Access does have the ability to require Outlook only. They call it app access.” So check that out. :-)
James Read commented
This looks like it has been completed for iOS native mail app.
Tony, thanks for posting the update. You are absolutely right; they literally must have added it hours before your post, as we were looking for that button earlier last week. MS should be blasting this news as it is a major win for them!
2FA works with MDM now!
Tony Newport commented
It appears this has been added. I now have a setting entry in my Intune Email Device Configuration Policy named, "OAuth". When enabled and pushed to an iOS 12 iPhone, the native client redirected to settings, which redirected to modern auth sign in. A little clunky, but works!
We are using Conditional Access to require 95% of our users to use Outlook mobile. But for those users that we must offer the native iOS mail profile to, we want to be able to deliver it using modern authentication (which will prompt for MFA if that requirement is there) using Intune MDM. My understanding is that when Apple shipped iOS 11, modern auth support was added, but not the ability to push a profile using it. But with iOS 12 that support was added, and other MDMs have shipped that capability already, but Intune has not. iOS 12 shipped in mid-September - what is holding up offering a switch in deploying a mail profile for this?
Robert Anderson commented
Can this request be consolidated with "IOS email profile does not support MFA" to bump up the votes a little?
Sadly Oct 22 release of Intune did not add this support. Come on Microsoft! Can't kill basic auth until we can push modern auth as the iOS mail profile. (Moving most users to Outlook mobile but still need to support iOS mail as well for some users!)
Microsoft is previewing the blocking of basic authentication and Intune MDM doesn't support modern authentication via device configuration. Once Microsoft moves this security policy out of preview mode, it will block many devices.
Really, really need this. The support is apparently in iOS 12 (as per others below and as per other MDM vendors) - please get this support added to Intune ASAP to push a mail profile that requires modern authentication/OAuth.
This is delaying our rollout of Intune and Exchange Online. Fully expected this to be supported when iOS 12 hit. Can anyone comment on a timeline for support via profiles?
While we are at it, will support for switching email profiles without re-enrollment get fixed? Currently, in testing, a user that has an on-prem mail profile gets moved to O365 and their group-based profile changes; they are stuck with the on-prem mail profile.
This is set to rollout with Intune in the next week or two :)
James Read commented
This is a much needed feature.
Anthony DiSarro commented
iOS 12 supports this via MDM, your move Intune :)
Peter Selch Dahl commented
We really need this feature today.... Especially with the introduction of legacy authentication block and support for modern authentication in the Native Mail on iOS.
/Peter Selch Dahl
+1 who is desperate for this!
We found that: https://docs.microsoft.com/en-us/intune/email-settings-ios
Authentication method - Select either Username and Password or Certificates as the authentication method used by the email profile (Note: Azure Multi-factor authentication (MFA) is not supported).
And now in iOS 11, the native apps support MFA. But the email profile does not support MFA.
We need the email profile to support MFA with the iOS native mail app.
Most of my customers are looking for this feature. Please help us in getting this feature enabled.
Agreed. We've got over 1000 users in our environment and auditors are inching us closer to requiring MFA on mobile devices. Current capabilities limit us to having to direct people to use app passwords, and that's a nonstarter. I'd love to be able to tell people to just switch over and use the Outlook app, but politics prevent that. Really hoping that this gets figured out/implemented soon.
Yep, just got snagged by this as well.....
Dmitriy Ilyin commented
Hybrid Exchange 2013 CU20 + HMA
Autodiscover points to OnPrem.
Clients: iOS 11.0+ devices with native mail client.
Planning Enterprise Mobility E3, users ~ 300
ATM (05/2018) the only way to have HMAuth on the iOS native mail client is to configure (create) the email profile manually using the Sign in button.
It would be great to allow delivering such email profiles (that allow configuring email based on HMA) from Intune to iPhones, minimizing user input.
Matt Dixon commented
Was there a solution to this issue? Did you ever find a way to force Modern Auth on the native iOS app?