iOS native mail app, OAuth and Conditional access

In the week of November 5th Microsoft released new functionality in iOS email configuration: support for iOS 12 OAuth in iOS email profiles.

Why is it important?

Because before this you had no way to enforce modern authentication on the iOS native mail app, which many customers still prefer; your only option was to move everyone to Outlook Mobile (a great app, but changing people's behaviour is hard, because they are used to the native mail app).

On top of that, without modern authentication the native iOS mail app does not support Conditional Access policies. Actually, I found that it can force device enrollment, but no action based on compliance is going to work. You will just see that the policy is “Not applied” in the AAD sign-in logs.

[Image: ca_logs] How it looks in the AAD sign-in logs

How to enable OAuth?

From the admin side, you just need to toggle one switch in the existing profile (if you have one).

[Image: profile_settings] Mail profile settings

After that, users targeted by this profile will get a pop-up message asking them to re-enter their password.

Next, an app permission request will be shown. The app name is “iOS Accounts”. This app is created automatically in your tenant once any user from your tenant goes through this stage.
As with any other application, you have two options for handling the required permissions:
– Wait for every user to grant this permission during initial configuration.
– With GA (Global Administrator) access you can grant the required permission on behalf of your organization, so users won’t see that message.

After clicking “Re-enter password”, the user is taken to the standard AAD authentication window and goes through MFA (I hope it’s enabled for you).

After a successful sign-in, the user's native iOS mail account uses OAuth 2.0.

So now you can apply Conditional Access policies to them.
To test that, I created a test policy (with Exchange Online as the targeted app) and applied it to myself, together with a compliance policy that marked my device as Not Compliant.

After the policy was applied to my device, the iOS native mail application asked me to re-enter my password, and during the authentication step I got the following.

Interestingly, the CA policy was targeted at Exchange Online, but the sign-in logs in AAD show the “iOS Accounts” app. So keep that in mind.
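The two things worth checking in the sign-in logs after the rollout are the ones described above: which users are still authenticating with a legacy protocol (and therefore show Conditional Access as “Not applied”), and what Conditional Access decided for sign-ins that now arrive under the “iOS Accounts” app name rather than Exchange Online. The script below is an added example, not part of the original post or of any Microsoft tooling; it audits a JSON export of sign-in records using the field names of the Microsoft Graph signIn resource (appDisplayName, clientAppUsed, conditionalAccessStatus, appliedConditionalAccessPolicies). The user names, policy name and records are constructed for the example.

```python
"""Audit exported Azure AD sign-in records for iOS mail clients:
which users still authenticate with legacy (non-OAuth) protocols, and
what Conditional Access decided for sign-ins under the "iOS Accounts" app."""
import json
from collections import Counter

# Constructed sample records, shaped like Microsoft Graph `signIn` objects
# (the same data the Azure AD sign-in log blade shows). Every name and
# value here is invented for this example.
SAMPLE_SIGNINS = json.dumps([
    {   # Native mail app after the OAuth toggle: CA evaluated, device not compliant
        "userPrincipalName": "alice@example.com",
        "appDisplayName": "iOS Accounts",
        "clientAppUsed": "Mobile Apps and Desktop clients",
        "conditionalAccessStatus": "failure",
        "appliedConditionalAccessPolicies": [
            {"displayName": "EXO - require compliant device", "result": "failure"}],
    },
    {   # Same app, compliant device
        "userPrincipalName": "carol@example.com",
        "appDisplayName": "iOS Accounts",
        "clientAppUsed": "Mobile Apps and Desktop clients",
        "conditionalAccessStatus": "success",
        "appliedConditionalAccessPolicies": [
            {"displayName": "EXO - require compliant device", "result": "success"}],
    },
    {   # Native mail app still on basic auth: CA never evaluated
        "userPrincipalName": "bob@example.com",
        "appDisplayName": "Office 365 Exchange Online",
        "clientAppUsed": "Exchange ActiveSync",
        "conditionalAccessStatus": "notApplied",
        "appliedConditionalAccessPolicies": [],
    },
    {   # Unrelated browser sign-in, included to show it is left alone
        "userPrincipalName": "dave@example.com",
        "appDisplayName": "Office 365 SharePoint Online",
        "clientAppUsed": "Browser",
        "conditionalAccessStatus": "success",
        "appliedConditionalAccessPolicies": [],
    },
])

# clientAppUsed values that indicate legacy authentication: no OAuth token is
# involved, so Conditional Access cannot enforce device compliance for them.
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync", "Exchange Web Services", "IMAP4", "MAPI Over HTTP",
    "Other clients", "POP3", "SMTP", "Authenticated SMTP",
}


def load_signins(raw_json):
    """Parse an exported list of sign-in records."""
    return json.loads(raw_json)


def legacy_mail_users(records):
    """UPNs whose sign-ins used a legacy protocol; these users have not yet
    picked up the OAuth-enabled mail profile."""
    return sorted({r["userPrincipalName"] for r in records
                   if r.get("clientAppUsed") in LEGACY_CLIENT_APPS})


def ca_status_for_app(records, app_display_name):
    """Count conditionalAccessStatus values for one application, e.g. the
    'iOS Accounts' app that the native client appears as once OAuth is on."""
    return dict(Counter(r["conditionalAccessStatus"] for r in records
                        if r.get("appDisplayName") == app_display_name))


def users_without_ca(records):
    """UPNs with at least one sign-in where CA was not evaluated at all
    (the 'Not applied' case the post describes)."""
    return sorted({r["userPrincipalName"] for r in records
                   if r.get("conditionalAccessStatus") == "notApplied"})


def blocked_policies(records, upn):
    """Names of CA policies that failed for a given user."""
    return sorted(p["displayName"]
                  for r in records if r["userPrincipalName"] == upn
                  for p in r.get("appliedConditionalAccessPolicies", [])
                  if p.get("result") == "failure")


if __name__ == "__main__":
    recs = load_signins(SAMPLE_SIGNINS)
    print("still on legacy auth:", legacy_mail_users(recs))
    print("CA outcome for iOS Accounts:", ca_status_for_app(recs, "iOS Accounts"))
    print("CA not applied:", users_without_ca(recs))
    print("policies blocking alice:", blocked_policies(recs, "alice@example.com"))
```

To run this against real data, replace SAMPLE_SIGNINS with the JSON you export from the sign-in log blade or fetch from the Graph signIns endpoint; the functions only rely on the four fields named above. Filtering on appDisplayName == "iOS Accounts" rather than on Exchange Online is the point of the observation in the post: once the native client uses OAuth, that is the application the log attributes the sign-in to.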

I do recommend enforcing OAuth 2.0 if you are using the iOS native mail client in your organization; however, it would be far better to migrate to the Outlook Mobile client, considering the value of App Protection policies and the integration with other Microsoft apps.
