Office 365 – iOS Mail and Gmail app not working with ADFS + Modern Authentication

Tags: azure-active-directory, microsoft-office-365

We currently have an issue with our Office 365 email access from Apps that don't support Modern Authentication.

Our setup:

  • Office 365 – ADFS 3.0 federated domain
  • Modern Authentication – Enabled for Exchange Online
  • Azure Multi-factor Authentication enforced for all users

This setup worked for us the last 6 months, but suddenly doesn't. I opened a case with Office 365 support and reached the identity team. At this point we are still investigating the issue with them and they are rebuilding our environment to troubleshoot the issue.

While waiting for their answer, I'm hoping to find some answers here. We have Modern Authentication enabled, so all new apps that support it redirect us via a web browser to enter MFA information. This works for all new apps, including the Outlook App for Android and iOS, for example.

I have users complaining about the App, and some of them want to use the default iOS and Android mail/calendars. Until 1 month ago we could bypass Modern Authentication by creating an App Password within Azure Multi-factor Authentication: https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-whats-next#app-passwords

Test steps so far:

  • Without ADFS (cloud identity; username@example.onmicrosoft.com) -> Works.
    So, it seemed to have something to do with ADFS and Modern Auth + MFA.

  • MFA disabled for federated domain -> Error. Mail apps show "wrong password".

  • I can't test with Modern Auth. disabled at this point as users will be prompted for credentials.

My conclusion so far is that Microsoft made a back-end change for Modern Authentication. It really feels like they enabled something so that, as soon as you enable Modern Authentication for your tenant, you are ENFORCED/LIMITED to only use Apps that support Modern Auth.

In the past we were able to bypass this with the App Passwords I mentioned earlier, and one day, about 1 month ago (without any changes on our end), all our users with Classic/Native (Basic Auth.) Apps were prompted for their passwords and it stopped working. Even with newly created App Passwords…

Microsoft is creating a similar environment for testing and they will start with capturing Fiddler traces to troubleshoot the issue. In the meantime…

Does anyone experience the same issues? Any ideas?

Best Answer

We ended up solving this issue by removing our domain federation with Office 365.

Of course we still wanted Single Sign-On and seamless logon, so we replaced ADFS with:

With this in place instead of ADFS we managed to get the App Passwords working again. I'm confident that Microsoft changed something in the backend like I mentioned in the question... can't prove it, but somehow it doesn't work anymore.

This is a good alternative.
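A read-only diagnostic for the tenant state the question and answer turn on (the Modern Auth flag, federated vs managed domain, per-user MFA state, and whether basic auth is blocked by an Exchange Online authentication policy). This is an added example, not code from the original post or from Microsoft; it assumes the MSOnline and ExchangeOnlineManagement PowerShell modules and an account with admin rights.

```powershell
# Added diagnostic (not from the original post). Assumes the MSOnline and
# ExchangeOnlineManagement modules are installed and the signed-in account
# has admin rights. Read-only: nothing in the tenant is changed.

Connect-MsolService
Connect-ExchangeOnline

# 1. Is Modern Authentication (OAuth2) enabled for Exchange Online?
$org = Get-OrganizationConfig
[pscustomobject]@{
    Check = 'Modern Auth (OAuth2ClientProfileEnabled)'
    Value = $org.OAuth2ClientProfileEnabled
}

# 2. Which domains are Federated (ADFS) and which are Managed (cloud identity)?
#    The accepted answer's fix was moving the domain from Federated to Managed.
Get-MsolDomain |
    Select-Object Name, Status, Authentication

# 3. Per-user MFA state. 'Enforced' is what the question describes; an
#    App Password is only relevant for users in the Enabled/Enforced states.
Get-MsolUser -All |
    Select-Object UserPrincipalName,
        @{ Name = 'MfaState'; Expression = {
            $s = $_.StrongAuthenticationRequirements.State
            if ($s) { $s } else { 'Disabled' } } }

# 4. Is basic authentication (what the native iOS/Android mail apps use via
#    ActiveSync/IMAP/POP/SMTP) blocked by an authentication policy? A blocked
#    protocol shows up in the client as a plain "wrong password" error, which
#    is the symptom in the question. No output means no policies exist.
Get-AuthenticationPolicy |
    Select-Object Name, AllowBasicAuthActiveSync, AllowBasicAuthImap,
        AllowBasicAuthPop, AllowBasicAuthSmtp
```

Run the four checks before and after any federation change so the comparison is against recorded values rather than memory.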