Modern authentication with Microsoft Office 365

Secure Mail supports modern authentication with Microsoft Office 365 for Active Directory Federation Services (AD FS) or Identity Provider (IDP). Modern authentication is OAuth token-based authentication with user name and password. Secure Mail users with iOS devices can take advantage of certificate-based authentication when connecting to Office 365. When they sign on to Secure Mail, users authenticate by using a client certificate, instead of typing their credentials.

Before you proceed, do the following:

  1. Enable modern authentication (OAuth) for Microsoft Office 365.
  2. Enable Office 365 endpoints, URLS, and IP address ranges in your firewall to ensure optimum network connectivity. For details, see the Microsoft documentation on Office 365 URLs and IP address range.

Note:

Citrix Endpoint Management policy prerequisites

Enable the following policies in the Citrix Endpoint Management console:

For devices running iOS:

  • Office 365 authentication mechanism: Use this policy to indicate the OAuth mechanism used for authentication while configuring an account on Office 365. This policy has the following values that you must configure:

    • Do not use OAuth: Use this policy for basic authentication during account configuration.
    • Use OAuth with Username and Password: Use this policy for OAuth protocol during authentication. Users must provide their username and password and optionally a multifactor authentication code for the OAuth flow.
    • User OAuth with client Certificate: Use this policy if Office 365 is configured to perform certificate-based authentication. The default configuration is Do not use OAuth.

For devices running Android:

  • Use Modern authentication for O365: Use this policy for OAuth protocol during authentication.
  • Web SSO for tunneling policy: Use this policy to tunnel the OAuth traffic to go over Tunneled – Web SSO. To do so:
    • Set Use Web SSO for tunneling policy to On.
    • Select the Tunneled - Web SSO option in the Network access policy.

      Note:

      For information on enabling STA, see Connection to a mail server via the STA.

    • Exclude any hostnames related to OAuth from the Background services policy.

Policies common to iOS and Android devices:

  • Custom user agent for modern authentication: Use this policy to change the default user agent string for modern authentication.
  • Trusted Exchange Online Hostnames: Use this policy to define a list of trusted Exchange Online hostnames that use the OAuth mechanism for authentication while configuring an account. This is a comma-separated format, such as server.company.com, server.company.co.uk. This list can either contain a default value or vanity URLs, but cannot be empty. Default value is outlook.office365.com.
  • Trusted AD FS Hostnames: Use this policy to define a list of trusted AD FS hostnames for webpages where the password populates during Office 365 OAuth authentication. This is a comma-separated format, such as sts.companyname.com, sts.company.co.uk. If the list is empty, Secure Mail does not auto-populate passwords. Secure Mail matches the listed hostnames with the hostname of the webpage encountered during Office 365 authentication and checks if the page uses HTTPS protocol. For instance, when sts.company.com is a listed hostname and the user navigates to https://sts.company.com, Secure Mail populates the password, provided the page has a password field. The default value is login.microsoftonline.com.
  • Secure Mail Exchange Server: Use this policy to define the address of your Exchange Server. You can use this policy to define either the on-premise server address or the Cloud server address, based on your requirement.
  • Configure the HTTP 451 redirect: For more infomation on how to configure the redirects, see Knowledge Center article Secure Mail ActiveSync redirect 451.

Secure Mail for iOS is now enabled with modern authentication after the policies are refreshed on the device.

Limitations

  • If you are using modern authentication in your environment, the rich push notifications feature for iOS is not available. For details about rich push notifications, see Push notifications for Secure Mail.
  • Multiple accounts are not supported on setups running certificate-based authentication.

Secure Mail policies

The following two tables list the Secure Mail policies that are required based on your Exchange infrastructure:

Exchange Infrastructure Office 365 authentication mechanism/ Use Modern authentication for O365 Trusted AD FS Online Hostnames Trusted Exchange Online Hostnames
On-premises OFF NA NA
Hybrid* ON AD FS/IDP Outlook.office365.com or vanity URL
Exchange online ON AD FS/IDP Outlook.office365.com or vanity URL
Exchange Infrastructure Secure Mail Exchange Server Background network services (iOS) Background network services (Android)
On-premises Exchange on-premises Hostname On-premises On-premises
Hybrid* on-premises, Exchange online Hostnames On-premises, Exchange on-premises Hostname On-premises, Exchange on-premises Hostname, AD FS/IDP (Internal only)
Exchange online Outlook.office365.com Exchange Online Hostnames Exchange on-premises Hostname, AD FS, IDP

*Secure Mail supports a hybrid Exchange infrastructure with migrated mailboxes.

If on-premises users’ mailbox is migrated to Exchange online, Secure Mail automatically detects this change and prompts the users for modern authentication without the need for reconfiguring their account.

Secure Mail with OAuth support matrix

The following table lists the Secure Mail OAuth support matrix on iOS and Android devices:

Authentication type IDP/External AD FS IDP/Internal AD FS Azure AD Intune
User name and password Yes Yes Yes Yes
Client certificate Yes Android only No No
Modern authentication with Microsoft Office 365