Outlook Mobile no longer authenticating with modern auth

ConsequenceWestern97 20 Reputation points
2024-10-22T15:45:27.7866667+00:00

As of this week, the Outlook mobile app (on iOS and Android) is no longer authenticating with modern authentication to an Exchange 2019 server that is configured for hybrid modern authentication.

This was previously configured and has been working for about a month without issue. It was configured based on this guide: https://video2.skills-academy.com/en-us/microsoft-365/enterprise/configure-exchange-server-for-hybrid-modern-authentication?view=o365-worldwide

The native mail app on iOS does not appear to have issues authenticating with modern auth. Additionally, OWA, MAPI, ECP and other Exchange services which use modern auth are still able to authenticate.

Using the Microsoft Connectivity Analyzer, Outlook Mobile Hybrid Modern Authentication Test, I receive the following error message on the "Analyzing the services listed for the user on the Outlook Mobile Autodetect endpoint." step:

We didn't find the Microsoft 365 service in the response from Autodetect. The user may not be synchronized to Microsoft 365.

I can confirm that the users are fully synchronized into Microsoft 365/Entra ID.

I'm looking for suggestions on items to check or any news of issues from Microsoft's side regarding the authentication flow through their systems.

This must be resolved promptly to complete migration to modern auth and improve security of our environment by removing basic authentication.


8 answers

  1. belkacem Saidi 1 Reputation point
    2024-10-26T20:52:43.9966667+00:00

    We're facing the same problem with Outlook mobile for Android (not tested on iOS) connected to Exchange on-premises (2019). The problem began on October 24, 2024. The only thing different in my scenario is that we have one user who can still log in and log out whenever he wants, and he receives emails on the Outlook Android app.

    This problem is really causing a disaster, because all users use that app.


  2. M. Styczynski 0 Reputation points
    2024-10-26T21:13:05.82+00:00

    Same here ... the issue is only with the Outlook app (iOS & Android).

    All others tested worked (Outlook for Windows, Apple Mail & Gmail).


  3. ConsequenceWestern97 20 Reputation points
    2024-11-05T15:44:48.1566667+00:00

    @Bruce Jing-MSFT I have discovered that the AutoDetect service was the core of the problem, but not in the way I would expect.

    The AutoDetect service is used by the Outlook Mobile app to act as the "AutoDiscover of AutoDiscovers". This means that instead of the app connecting directly to the AutoDiscover URL of the Exchange server (as has been the case for most of Exchange's history, and is still the case for the iOS Mail app), the AutoDetect service does this and relays the information to the app.

    This means that if the AutoDetect service cannot reach the AutoDiscover service on the Exchange server, it will time out and fail, which is exactly the issue I observed.

    The AutoDetect service is hosted on an Azure instance on the East Coast, and therefore uses a public IP address within a much larger block of Azure IP addresses. The problem is that sometime in mid-October 2024, Fortinet added many of these IPs to their Malicious-Malicious.Server address list. Adding VPS host public IPs to bad-IP lists is quite common these days, because anyone can pay for a public VPS and start using it for nefarious purposes. Azure is no exception. Unfortunately, the specific IP address used by AutoDetect got wrapped up in the block of bad-neighbor IPs.

    Once I created a firewall exception for the AutoDetect IP, the app redirected to Modern Auth within seconds.

    It would be nice if the Azure team did a better job of keeping bad actors out, to ensure their IP blocks don't get blocked for legitimate services. Or if the Outlook Mobile team hosted the AutoDetect service under a block of IPs not shared with other VPS customers. That would save everyone a lot of trouble.

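An added example, not code from the thread or from Microsoft: a Python script that performs the check the answer above describes, scanning a firewall deny log for connections from cloud-provider source ranges that were dropped on their way to the on-premises Autodiscover endpoint on tcp/443, and then proposing the narrowest exemption. Every address, prefix and log line below is constructed for the example, and the key=value field names (srcip, dstip, dstport, action, msg) are an assumption loosely modelled on FortiGate syslog; in practice you would load the real Azure prefixes from Microsoft's Service Tags download and feed in your own firewall export.

```python
"""Added example (not from the thread): hunt a firewall deny log for cloud-sourced
connections dropped on the way to the on-prem Autodiscover VIP, then propose
the narrowest exemption.

All addresses, prefixes and log lines are constructed for the example; field
names loosely follow FortiGate key=value syslog and may differ on your unit.
"""
import ipaddress
import re
from collections import Counter

# ASSUMPTION: stand-ins for the Azure prefixes you would load from Microsoft's
# Service Tags JSON. These are RFC 5737 / RFC 3849 documentation ranges.
CLOUD_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "2001:db8:1::/48")]

# ASSUMPTION: the public VIPs that front /autodiscover on the on-prem Exchange servers.
AUTODISCOVER_VIPS = {ipaddress.ip_address(a) for a in ("198.51.100.25", "2001:db8:2::25")}

# key=value tokens; quoted values may contain spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line):
    """Turn one key=value syslog line into a dict (surrounding quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def is_cloud_source(ip):
    """True if ip falls inside any configured cloud prefix (address-family aware)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in CLOUD_PREFIXES)


def find_blocked_autodetect(lines):
    """Return (srcip, reason, date) for each deny of a cloud source to an
    Autodiscover VIP on tcp/443. Scanners from non-cloud space, accepted
    sessions and other ports are ignored so the output is a short suspect list."""
    hits = []
    for line in lines:
        ev = parse_kv(line)
        try:
            src = ev["srcip"]
            dst = ipaddress.ip_address(ev["dstip"])
            port = int(ev.get("dstport", 0))
        except (KeyError, ValueError):
            continue  # malformed or non-connection event
        if ev.get("action") != "deny":
            continue
        if dst not in AUTODISCOVER_VIPS or port != 443:
            continue
        if not is_cloud_source(src):
            continue
        hits.append((src, ev.get("msg", ""), ev.get("date", "")))
    return hits


def count_by_source(hits):
    """Deny count per suspect source; one address retrying against the VIP
    over and over is the profile of a blocked AutoDetect relay."""
    return Counter(src for src, _, _ in hits)


def proposed_exemptions(hits):
    """Narrowest change that unblocks the relay: a host route (/32 or /128) per
    source, to be scoped in the policy to the Autodiscover VIP on tcp/443 only.
    Never exempt the whole cloud prefix; the rest of it is shared with arbitrary tenants."""
    out = set()
    for src, _, _ in hits:
        addr = ipaddress.ip_address(src)
        out.add(f"{addr}/{addr.max_prefixlen}")
    return sorted(out)


# Constructed sample log (not real data).
SAMPLE_LOG = [
    'date=2024-10-24 time=08:12:03 devname="fw1" type="utm" action="deny" '
    'srcip=203.0.113.44 srcport=51422 dstip=198.51.100.25 dstport=443 proto=6 '
    'msg="Matched address list Malicious-Malicious.Server"',
    'date=2024-10-24 time=08:12:09 devname="fw1" type="utm" action="deny" '
    'srcip=203.0.113.44 srcport=51430 dstip=198.51.100.25 dstport=443 proto=6 '
    'msg="Matched address list Malicious-Malicious.Server"',
    # Random scanner outside any cloud prefix: not a suspect.
    'date=2024-10-24 time=08:13:40 devname="fw1" type="traffic" action="deny" '
    'srcip=192.0.2.77 srcport=40000 dstip=198.51.100.25 dstport=443 proto=6',
    # Accepted session from the same cloud range: not a block.
    'date=2024-10-24 time=08:14:01 devname="fw1" type="traffic" action="accept" '
    'srcip=203.0.113.44 srcport=51499 dstip=198.51.100.25 dstport=443 proto=6',
    # IPv6 drop against the v6 VIP.
    'date=2024-10-24 time=08:15:22 devname="fw1" type="utm" action="deny" '
    'srcip=2001:db8:1::10 srcport=60010 dstip=2001:db8:2::25 dstport=443 proto=6 '
    'msg="Matched address list Malicious-Malicious.Server"',
    # Cloud source, but SMTP: unrelated to AutoDetect.
    'date=2024-10-24 time=08:16:00 devname="fw1" type="traffic" action="deny" '
    'srcip=203.0.113.9 srcport=33001 dstip=198.51.100.25 dstport=25 proto=6',
]


if __name__ == "__main__":
    found = find_blocked_autodetect(SAMPLE_LOG)
    for src, n in count_by_source(found).items():
        print(f"{src}: {n} deny events against the Autodiscover VIP on 443")
    print("Proposed host exemptions:", proposed_exemptions(found))
```

The exemption is deliberately a host route rather than the containing Azure prefix: the address list fired on a neighbour block precisely because the rest of that range is rented out to anyone, so widen the policy only by the single relay address, restrict it to the Autodiscover VIP on 443, and note the date so the exception is reviewed if Microsoft moves the service.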
