iOS mail profiles and conditional access


The current mail profile we push to our iOS phones is still username/password with OAuth disabled.


I also have a CA policy to block legacy authentication by blocking Exchange ActiveSync clients and other clients in the policy.


Do our mail profile settings still fall under legacy protocols? Do I need to move to OAuth to move to modern authentication?


Has anyone moved from non-OAuth to OAuth for their iOS mail profiles? Can I just make the change in the profile, and will it cleanly update on the phone and just prompt the user to log in with OAuth, with everything else carrying on?

4 Replies

If you want to be sure for yourself, configure the conditional access rule to audit and take a look at the sign-in logs. Filter on client app.

When you enable OAuth in the mail profile, users will be prompted to re-enter their password. But why not move to Outlook?
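The check suggested in this reply can be run over an exported copy of the sign-in logs. The following is an added example, not part of the original thread: it assumes the export is JSON carrying the Microsoft Graph sign-in fields `clientAppUsed` and `appliedConditionalAccessPolicies`, and the users and the policy name "Block legacy auth" are constructed.

```python
import json
from collections import Counter

# Client app values that indicate modern authentication. Every other value
# (Exchange ActiveSync, IMAP4, POP3, Other clients, ...) counts as legacy here.
MODERN_CLIENT_APPS = {"Browser", "Mobile Apps and Desktop clients"}

# Constructed sample data, shaped like a JSON export of the sign-in logs (assumed layout).
SAMPLE_EXPORT = """[
 {"userPrincipalName": "alice@contoso.example", "clientAppUsed": "Exchange ActiveSync",
  "appliedConditionalAccessPolicies": [{"displayName": "Block legacy auth", "result": "reportOnlyFailure"}]},
 {"userPrincipalName": "alice@contoso.example", "clientAppUsed": "Exchange ActiveSync",
  "appliedConditionalAccessPolicies": [{"displayName": "Block legacy auth", "result": "reportOnlyFailure"}]},
 {"userPrincipalName": "bob@contoso.example", "clientAppUsed": "Mobile Apps and Desktop clients",
  "appliedConditionalAccessPolicies": [{"displayName": "Block legacy auth", "result": "reportOnlyNotApplied"}]},
 {"userPrincipalName": "Carol@contoso.example", "clientAppUsed": "IMAP4",
  "appliedConditionalAccessPolicies": []},
 {"userPrincipalName": "dave@contoso.example", "clientAppUsed": null}
]"""


def legacy_signins(records):
    """Count sign-ins per (user, client app) where the client app is legacy."""
    counts = Counter()
    for rec in records:
        app = rec.get("clientAppUsed")
        if not app:  # client app not recorded: cannot classify, so skip it
            continue
        if app not in MODERN_CLIENT_APPS:
            counts[(rec["userPrincipalName"].lower(), app)] += 1
    return counts


def report_only_blocked(records, policy_name):
    """Users the named report-only policy would have blocked."""
    users = set()
    for rec in records:
        for pol in rec.get("appliedConditionalAccessPolicies") or []:
            if pol.get("displayName") == policy_name and pol.get("result") == "reportOnlyFailure":
                users.add(rec["userPrincipalName"].lower())
    return sorted(users)


if __name__ == "__main__":
    records = json.loads(SAMPLE_EXPORT)
    for (user, app), n in sorted(legacy_signins(records).items()):
        print(f"{user:28} {app:22} {n}")
    print("Would be blocked:", report_only_blocked(records, "Block legacy auth"))
```

A user who appears in the legacy list but not in the would-be-blocked list (carol in the sample) is signing in with a legacy client that the policy does not cover.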

Thanks, I did find that our current mail profile does show up as ActiveSync... I figured it was.

We aren't moving to Outlook because change is hard :) I'd prefer to use it, but it's a big change and getting contacts to work well on the iPhone is still not the best. You can get the Outlook contacts to show in the iPhone Contacts app. But you can sync back, if I create a contact in the iPhone contacts it doesn't sync back to Outlook then back to Exchange.

Hello Jason,
you can make the transition smoother with an App configuration policy to pre-configure the Outlook app for the user, so he/she only has to enter the password on first start.

When the configuration policy is in place, you can push the Outlook app through the Company Portal app. Just add it to the iOS Apps in Endpoint Manager and set the assignment to "required" for all users or a group.

With these two steps you can easily deploy Outlook side by side with the native Mail app and switch to ModernAuth.

Contacts can be an issue for some people (I have some of them in my org too) but with proper training they will get used to it and maintain their contacts in Outlook.

Just like tech_mike is saying. Contacts can be an issue indeed, but it's up to us/you to let them adopt Outlook instead of the native app. The next step to take would be to require approved apps or app protection, and you will need to have Outlook for this.