macOS mail.app and Office 365 Exchange online with Duo 2FA


#1

Greetings, everybody.

My company is planning to roll out Office 365 with Duo 2FA and once activated, macOS Mail.app can no longer access Office 365 Exchange online because it doesn’t support oauth2. If we were using Microsoft Azure 2FA then we could create an application-specific password to allow mail.app to access Office 365 (https://answers.microsoft.com/en-us/msoffice/forum/msoffice_o365admin-mso_exchon/accessing-exchange-365-account-with-apple-mail-app/9c78109e-77da-4491-a1e4-8ca62b5a6095). However, this option does not exist in our Office 365 settings because we are using Duo 2FA.

Do our Macintosh users have to wait for Apple to add oauth2 to mail.app like they did with iOS 11 mail or is there a trick in Duo to allow Macintosh users to use the macOS mail.app with Office 365 Exchange and Duo 2FA?

Thanks,
Dirk


#2

How are you implementing Duo? If you are using the Duo Access Gateway, we don’t have application specific password functionality but we do have a way to permit basic authentication for client applications that don’t support modern auth. That option is described here.

If you are using AD FS with O365 then you can craft an additional authentication rule for the Office 365 relying party to exclude basic auth clients from MFA (or apply MFA only to web endpoints like oauth2). We have a guide to advanced AD FS MFA configuration here.

If you are using Duo’s custom control for Azure conditional access, unfortunately there is not yet a solution from Microsoft for applying these controls to clients that don’t support Modern Authentication.

Thanks for trying Duo!
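
The AD FS option mentioned in the reply above, sketched as an added example that is not part of the original thread and not taken from the linked guide. It assumes the Office 365 relying party trust still has its default name and that basic-auth clients reach AD FS through the WS-Trust endpoints rather than `/adfs/ls` or `/adfs/oauth2`.

```powershell
# Added example: apply MFA only to the web and OAuth2 endpoints of the
# Office 365 relying party, so basic-auth clients are not prompted.
# Assumption: the trust has the default display name below.
$rpName = 'Microsoft Office 365 Identity Platform'

# Additional authentication rule: when the request arrives on the browser
# sign-in endpoint (/adfs/ls) or the OAuth2 endpoint (/adfs/oauth2), issue
# the "multipleauthn" authentication-method claim, which makes AD FS
# invoke the configured MFA provider. Requests on other endpoints
# (for example the WS-Trust endpoints used for proxied basic auth)
# do not match and are not challenged.
$mfaRule = @'
c:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path",
   Value =~ "(/adfs/ls)|(/adfs/oauth2)"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@

# Record the rule currently in place so it can be restored if needed.
$before = (Get-AdfsRelyingPartyTrust -Name $rpName).AdditionalAuthenticationRules
Write-Output "Previous rule:`n$before"

# Apply the new rule to the relying party trust.
Set-AdfsRelyingPartyTrust -TargetName $rpName -AdditionalAuthenticationRules $mfaRule

# Read the rule back to confirm what AD FS stored.
(Get-AdfsRelyingPartyTrust -Name $rpName).AdditionalAuthenticationRules
```

With a rule like this, clients that use basic auth sign in with a password alone, so those sign-ins are the ones to watch in the AD FS and Exchange Online logs.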