Using iOS Mail in Azure AD Hybrid Environment ActiveSync Disabled?

Hello!

IT Admin, here. Our company is using Azure AD - Hybrid. We use Modern Authentication - MFA for our users to sign in, and we've disabled ActiveSync, per Microsoft's security recommendations.

We have a few Apple users in our environment that would much prefer to stick with iOS Mail & Calendar, rather than use the Microsoft Outlook app. Since we aim to please, we have been attempting to connect our O365 accounts via iOS Mail, with no luck. The sign-in process is "Exchange" -> "Sign in using Microsoft" -> MFA prompt -> Apple Internet Accounts prompt -> "Exchange Account - Unable to verify information".


In Azure AD -> Enterprise Applications -> Apple Internet Accounts, everything looks peachy. If we look at the login logs of an AD user who has attempted to connect their email to their iPhone, we see three instances of Apple Internet Accounts: an "Interrupted", a "Failure", then a "Success", all within four seconds.


The descriptions are:


Status: Interrupted

Sign-in error code: 50058

Failure reason: Session information is not sufficient for single-sign-on.


Status: Failure

Sign-in error code: 50199

Failure reason: For security reasons, user confirmation is required for this request. Please repeat the request allowing user interaction.


Status: Success


We get the exact same behavior on iOS 13.7, iOS 14, and iOS 14.0.1. We tested one account with ActiveSync enabled, and that account connected without any problems.

Is it even possible? Can iOS Mail connect to an Exchange account without ActiveSync?


Thank you!

--Ryan C.

Posted on Oct 5, 2020 2:35 PM

Question marked as Top-ranking reply

Posted on Oct 6, 2020 10:07 AM

It is not possible. In case anyone finds this page, looking for the same answers we were, here's Microsoft Support's response:


Hello Ryan,

Thank you for contacting Microsoft support.

From your verbatim, I understand that you have setup Modern authentication and your users make use of MFA however, they are not able to use the Apple mail app.

 

Ordinarily, Apple native mail app does not support Modern Authentication with MFA. However, the Outlook mobile app supports this and that's why your users are able to sign in using the app.

 

The Apple native app makes use of Legacy (Basic) authentication however, using Exchange ActiveSync would push the mobile app to a web based authentication which is the Modern Authentication.

 

Disabling the Exchange Active Sync would also make the native app rely solely on Legacy authentication which would not work with MFA enabled. You can disable IMAP and POP for your users as security recommendation but not ActiveSync if you want this to work.

Kindly let me know if you have further questions or concerns.


I look forward to your response.

Kind Regards,

C*********

Microsoft O365 Ambassador
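The sign-in pattern described in the question (an "Interrupted" 50058, a "Failure" 50199, then a "Success" within a few seconds) can be triaged from an exported sign-in log. The following is an added example, not part of the original thread and not Microsoft or Apple tooling; the record layout, the user names, the 10-second grouping window and the use of `0` for the Success status are assumptions, and the sample records are constructed.

```python
from datetime import datetime, timedelta
from itertools import groupby

# Constructed sample records, not taken from the thread. The tuple layout
# (time, user, app, code) is an assumption; 50058 and 50199 are the codes
# quoted in the question and 0 stands for the "Success" status here.
SAMPLE = [
    ("2020-10-05T14:30:01Z", "user1@example.com", "Apple Internet Accounts", 50058),
    ("2020-10-05T14:30:03Z", "user1@example.com", "Apple Internet Accounts", 50199),
    ("2020-10-05T14:30:05Z", "user1@example.com", "Apple Internet Accounts", 0),
    ("2020-10-05T15:10:00Z", "user2@example.com", "Apple Internet Accounts", 50058),
    ("2020-10-05T15:10:02Z", "user2@example.com", "Apple Internet Accounts", 50199),
    ("2020-10-05T16:00:00Z", "user2@example.com", "Apple Internet Accounts", 0),
]

# Both quoted failure reasons say the request lacked a session or user interaction.
NEEDS_INTERACTION = {50058, 50199}

def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def bursts(records, gap=timedelta(seconds=10)):
    """Split each (user, app) stream into bursts of events at most `gap` apart."""
    key = lambda r: (r[1], r[2])
    ordered = sorted(records, key=lambda r: (key(r), parse_time(r[0])))
    for (user, app), events in groupby(ordered, key=key):
        current = []
        for ev in events:
            if current and parse_time(ev[0]) - parse_time(current[-1][0]) > gap:
                yield user, app, current
                current = []
            current.append(ev)
        yield user, app, current

def classify(codes):
    """Label one burst by its final status and any interaction-required steps."""
    if codes[-1] != 0:
        return "sign-in failed"
    if any(c in NEEDS_INTERACTION for c in codes[:-1]):
        return "sign-in succeeded after interaction"
    return "sign-in succeeded"

def triage(records):
    """Return (user, app, codes, verdict) for every burst in the log."""
    return [(user, app, [e[3] for e in evs], classify([e[3] for e in evs]))
            for user, app, evs in bursts(records)]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

A burst labelled "sign-in succeeded after interaction" matches what the question reports: the sign-in log ends in Success even though the device shows "Unable to verify information", which the reply above attributes to ActiveSync being disabled.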
