Monday, November 5, 2018

Policy that prevents you from granting iOS Accounts the permissions

I was configuring an iPhone to access a Microsoft 365 Business tenant and when I attempted to add email to the native iOS email client I received the following error.

image

An administrator of Contoso has set a policy that prevents you from granting iOS Accounts the permissions it is requesting.

If I then closed that error message I was presented with:

image

Strange, haven’t seen this one before.

Turns out that one of the best practice recommendations I use on tenants is to disable users being able to Outlook plugins which I detailed here:

Thwarting the ransomware cloud

The down side to preventing this is that it also prevents iOS adding an Office 365 email account when you have modern authentication enabled, which again is best practice.

So, to allow iOS to add an Office 365 email account in the native iOS app you’ll need to allow users to “consent to apps accessing company data”.

There are two methods to achieve this. You can firstly go to the Azure Portal as an administrator, locate Azure AD | Users | User settings as shown below:

image

Then select the hyperlink Manage how end users launch and view their applications as shown above.

image

From here, set the option Users can consent to apps accessing company data on their behalf to Yes and Save the change.

The second method is to use PowerShell with the command:

set-MsolCompanysettings -UsersPermissionToUserConsentToAppEnabled $true

Remember, that enabling this option will also allow users to potentially accept malicious add-ins in their application like Outlook so you should disable it once your iOS devices have been configured.

It would be nice if there was a policy that could be configured to change this setting just for iOS, but alas that currently isn’t the case that I can see. You’ll therefore need to go through this disable-enable-disable sequence to maintain best practices and allow iOS devices to be added to your environment.