MDM mail profile management, no duplicate password prompt/remove app password requirement
When a mobile device (specifically iPhones tested at this point) is enrolled into 365 MDM, you have the option to control the mail profile on the device.
When this option is ticked, after enrolling the device through the company portal app, we would expect the mail profile to be complete and require no further interaction from the users.
This, however, is not the case, and the user is prompted for a password by the native mail app on the phone.
When MFA is not enabled on the account, the standard account password works.
When MFA is enabled on the account, you MUST use an app password.
As the native mail app supports the modern sign-in process, I am confused as to:
A. why the user is prompted for a password at all, considering the profile has been set up for them and they have already completed authentication (Outlook for iOS does not generate additional prompts after enrollment);
B. why an app password is required again, seeing as the native mail app supports modern sign-in and I would expect it to simply provide an MFA challenge to accept as a worst case.
If enrollment is not required for the device, and a user adds the account to the phone manually, they get the modern sign-in experience and are only challenged to authenticate once, regardless of MFA status.
The app works with and supports MFA and modern sign in.
I would like to see this additional password prompt removed, as we frequently have profile issues that require a user to remove the profile and re-add it, meaning the prompt for another app password every time this is done is a very poor user experience.
Hi, James, I see your comment. I sent you mail out of band using the UserVoice “contact subscribers” feature, but that doesn’t show up in the conversation on the public site. But if you’re having problems reading that mail, here’s what I said:
Have you already opened a support case on this? If so, can you reply to this mail with the support case number so I can look at the case notes? If you haven’t opened a case, that’s what I’m going to suggest next, so they can look into what’s happening.
Chris McGhan commented
Same thing here. I just switched to iPhone and can't get into my account?!
The profile created by Company Portal isn't checking that 2FA is turned on and triggering Modern Authentication.
David Huther commented
I'm also curious to hear if there are any developments on this. This has been standard across our company in both iOS and Galaxy devices. We have to walk users through app password creation for every mobile device they get.
At a minimum, the Company Portal app should be able to create an app password and use it when setting up the email profile, but it doesn't even do that. If the mail apps should be able to use modern auth, I don't know why we're doing all this extra work.
Would really appreciate some streamlining of this process.
Is there any update on this? I’ve searched for 3 weeks trying to figure out what I’m doing wrong. MS support is no help after at least 8 hours of troubleshooting, and it seems they can’t even understand what I’m asking. They’ve had me create new test users and I’ve gone through at least 20 device wipes as they requested. Why is the native iOS mail app requiring the additional password prompt? Even when this is performed, with MFA enabled, you have to select “do not ask again for 60 days” despite the device being registered & supervised with Intune and policies applied for SSO. Why can’t Microsoft get this right? So the other option is using Conditional Access policies, which is essentially useless as it 1) breaks app passwords (can’t be used with Azure Conditional Access) and 2) IPv6 traffic completely bypasses all Conditional Access (another gripe all on its own), despite 2 years of UserVoice feedback to fix this!
This should be very straightforward - iOS supports OAuth and Intune supports Email Profiles and SSO settings.
Microsoft keeps stating how it’s dedicated to a passwordless enterprise, but stuff like this demonstrates quite the contrary.
And why sysadmins can’t ever get answers, even with expensive paid support, is beyond believable.
So, what options are there with this issue and when will it be resolved?
We still have this exact same issue, has there been a resolution for this?
Robin Makkus commented
I can confirm that an app password does work for the native iOS application.
Robin Makkus commented
I seem to be having the same issues. We have had MFA for about 6 months now. Now deploying MDM to a couple of test users. Android users have no troubles (using the Outlook app), but users using the native iOS application do run into multiple password prompts. I haven't tried an app password yet, but this is strange behaviour, especially when the iOS native app accepts modern authentication.
James Edmonds commented
Hi Cathy, I saw the e-mail, but was unclear on how to actually reply to you.
In any case, we did open a support case, and after some time with an engineer testing our same scenario they found they got the same behaviour and that there was nothing that could be done to prevent it.
Ticket number was 118030117734696
My gripe with this is that the native mail app on iPhone supports modern auth and MFA.
We would expect the MDM profile setup to COMPLETELY handle the mail profile, and therefore complete authentication for us.
It does not do this, meaning users are required to sign in an additional time, and they cannot use the same modern sign-in process they are used to, and have to switch to an app password.
James Edmonds commented
I have received an e-mail to say I received a reply, but cannot see any comments. Are you able to see this comment? Thanks.