mobile (28 topics)

Configuring iOS 12 for O365 Exchange using MFA (OAuth)
I have iOS 12 beta 6 installed, and I'm using Apple Configurator 2.8 to generate an ActiveSync payload that contains the new OAuth 2.0 settings. The deployment and setup of the Exchange/ActiveSync profile is smooth and easy in iOS 12, as expected. The final end-user step is the GUI prompt to enter an MFA code (via SMS or the MS Authenticator app). That pretty much performs as expected too (other than a couple of extra taps and 'hops' to the MS cloud).

The problem I am experiencing is that Mail/Contacts/Calendar stop syncing a couple of hours after deployment. At that point, I see a generic "Failed to connect to server" error. There is no way to force a new session/token. No way to re-authenticate again (i.e. no password field). All ActiveSync-based services stop working until the MDM profile is removed and re-deployed again. Rinse & repeat.

I'm deploying the Apple .mobileconfig (XML) profile to my test iOS 12 devices via USB (Apple Configurator) and via Meraki MDM. Both yield the same results. The problem is not related to deployment. The problem clearly appears to be a session time-out or a token refresh failure. MFA (multi-factor authentication) works great on our Macs and Windows PCs (including Outlook 2016, Skype for Business, Outlook Webmail, etc.). Both SMS and the Microsoft Authenticator app work fine for one-time passcodes too. No App Passwords are used in my environment (other than the initial App Password generated automatically by MS when an O365 account transitions from 'Enabled' to 'Enforced'). I have been able to reproduce this issue on multiple iOS devices running iOS 12 betas #5 and #6. I have rebuilt the MDM .mobileconfig profile numerous times (including creating it by hand in a text editor). Profile and payloads look perfect. I am digging into O365 server/tenant logs now, but I don't see anything interesting yet. Has anyone else experienced this issue?
Any help or feedback is greatly appreciated.

iOS Outlook apps can't sign in to O365 suddenly
iOS apps cache O365 auth. We deleted all MS-related apps on iOS and deleted the Outlook app, but when we open the Outlook app it still shows an O365 profile and then auth fails. Any idea how to clean up the O365 cached auth in the Outlook app, or in any apps linked to the Outlook app? Thanks.

FIDO2 Office 365 and Windows Hello for Business sign-in?
I saw that this was in preview a year ago: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/bg-p/Identity Is logging into Windows 10 hybrid-joined systems using FIDO security keys now working? What about signing into Office 365 desktop apps, mobile apps and web apps with FIDO security keys?

Add filters/grouping to Microsoft Authenticator app accounts
Hello! Hope you are all well! I would like to see filters for personal vs. work and school accounts, or by domain. Or even the ability to organise accounts manually into groups. I currently have a long list of personal accounts and work accounts.

Password-less authentication using a one-time passcode from the Microsoft Authenticator app
Recently one of my users was in an Internet-restricted zone, and when he tried to sign in with the password-less method he didn't get the code because his mobile had no internet; in addition, he had forgotten his sign-in password. Is there any method or way to set things up so that we can sign in using the 6-digit Microsoft Authenticator app code instead of the push notification and password?

O365 MFA Mobile App Security Concern
We have implemented MFA for a broad section of test users. MFA was on the deployment plan, but it's getting fast-tracked to mitigate an all-out barrage of phishing attacks recently that specifically target non-MFA O365 users. I assume that the vector is known to everyone, but to summarize: User receives phishing email. User acts on phishing email and provides their username/password to bad actor. Bad actor logs in to Office 365 via web portal using username/password of user. Bad actor trolls Outlook on the Web and finds relevant emails. Bad actor initiates new email from within O365 portal as user using language from user's email. Bad actor creates one or more Outlook rules via the web to handle bounces and replies. Bad actor maintains presence via Outlook on the Web, coming and going freely, until they are found by log scans or a suspicious user or recipient of outbound emails. MFA short-circuits this process and is therefore good.

One of the options for secondary verification via the mobile app is to receive the auth request via the mobile app. This reduces complexity by allowing the user to just press Approve. The problem is that the same sort of user who would unknowingly be tricked into clicking and acting on a phishing scam is the same user who would blindly click on "Approve" if an auth request came in without an associated known logon attempt. Why do I think this? Because when I talk to the rank-and-file user, most of them are never aware that they compromised their credential. As a matter of fact, most of them don't even remember entering their credential. It's entirely possible that they would receive an MFA Approve request and just press Approve because they figure that since the system is asking for something, they must have done something to initiate it. Additionally, although I have not heard of this happening, I could imagine a hacker scripting the process at the time of the initial compromise to pass the credentials to O365. That would kick off an auth request and the user would think that they were responding to the initial request. Having to enter a code, either via the app or from a text, forces the user to interact with a part of the auth process. That one feels to me like it would be harder to spoof.

I keep thinking about this issue and hoping that I'm missing something and that it's not possible, but I've tested it up and down using multiple systems and, so far, it's totally possible. Here's a simple test, assuming that an account is configured to allow auth requests via the mobile app. Go to anyone else's mobile device other than yours (assuming yours is the test account). Using the other mobile device's browser, log on to portal.office.com. Authenticate using your (test account's) user name and password. Imagine that you are entering from halfway around the world. The auth request will show up on your verification phone (test account device). Blindly press Authorize as an unsuspecting user might. You will be granted access via the alien device and, if the unwitting user was nice enough to click "Don't ask me for X days", then you may have just bought yourself some more hack time. Am I missing something? Is this actually a reality? Andy

Authenticator Phone Sign-In for Office 365 Work Accounts?
I have the Microsoft Authenticator set up for both my personal Microsoft account and have been testing it with our new Office 365 work account that we just set up. My personal account was set up with Phone sign-in, where instead of a password it shows you a selection of 3 numbers, you choose the one that is shown on the login window, use your PIN/fingerprint and it signs you in without a password. My work one uses the traditional one where you enter your password and it then asks you to approve it on the mobile device. I noticed that I could set up Phone Sign-In for my work account in the Authenticator app; after doing so it seems as if nothing has changed. It still asks me for the password everywhere, and gives me the traditional approve/deny message in the app. Am I doing something wrong? I didn't see any setting that seemed to allow or deny the use of phone sign-in inside the Exchange/Azure admin panel settings. My account is already set to enabled for multi-factor (or it wouldn't be working at all) and I can't seem to find any other information about this. I found a Microsoft doc page that said it was possible and listed the steps for work or school accounts. I've done everything on the Authenticator app side that it mentioned, but nothing has changed on the login side. Not inside the email web login or with logging into Office apps; both work to prompt the newer phone sign-in when I use my personal credentials instead. Thanks!

Office 365 mobile device management authentication
Hello, the scenario is as follows: users have Office 365 E1 and Azure AD P1 licenses. We have configured Office 365 "MDM", not the Intune MDM, only O365 MDM. We want only trusted mobile devices (iOS and Android) to be able to access O365 data. For trusted devices, which are compliant, the user should not be asked for credentials every XX days. Is it possible to configure this without MS Intune? At the moment the user is asked for credentials every 14 days. Can we use Azure AD Conditional Access with O365 MDM? Regards, Marc

Authentication with ADAL using managed mobile devices
Hi everybody, I am facing a very strange authentication problem in my app. To get a valid ADAL token I use the adaljs library, which works fine. I get a valid token and can connect to my Azure App Service. The app that runs in the Azure App Service then uses my ADAL token to get a new token. I create a UserAssertion object from the token I got from JavaScript adaljs. I need to do this, because otherwise I could not connect to SharePoint Online without getting a 401 Unauthorized. The code works perfectly fine for desktop browsers but fails when I try to access my App Service with a mobile device and an ADFS-managed user. Using a "cloud only" user works fine, but whenever I try to use a user which gets synced from my AD I get the following error when trying to get the second token: AADSTS50131: Your device is required to be managed to access this resource. The problem here is that the device is definitely managed. When I add an exception for this user in Intune, I can access the app via the mobile device. Does anybody have a clue what could be the problem here? Any help would be appreciated. Thanks in advance, Alex