MobileIron Technical Guide: Secure Authentication To Office 365 On MobileIron Core

Please find below a new technical guide from MobileIron on configuring Microsoft Office365 services certificate based authentication and more!

As more enterprises make the move to Office 365 services, enabling secure authentication to your devices secured by MobileIron should be a top priority.

In the Office 365 suite, there are many different services that require setup prior to configuring your MobileIron secured devices with secure authentication.

In this guide, we'll walk through such technologies as iOS SSO, Office 365 cert-based authentication(CBA), and Azure AD enrollment for Windows 10 to secure Office 365 across iOS, Android, MacOS and Windows 10.

This guide assumes that the organization has solved device and application compliance with MobileIron Access previously.

This is the first guide of a two part series.

The second guide walks through enabling application and data loss protection policies across their devices secured by MobileIron to access Office 365 services.


The annual MobileIron Live Conference for 2017 in San Francisco just finished and each year provides very high technical detail of presentation documents which you can find below

You can also find all documents and videos for the MFC 2017 on the MobileIron Community site Documents

FYI, you can perform cert based auth directly from device for ActiveSync to Office365 without the requirement for an ADFS Server

All you need to do is upload the Root CA Certificate (and intermediate if you have 2 CA Servers) into

Windows Powershell and run as administrator
Type “Install-module azuread” and hit enter, then Y and A
Type “Connect-AzureAD” and hit enter
Type “Get-AzureADTrustedCertificateAuthority” and hit enter (should be no results as you have not added Root Certs yet
Type $cert=Get-Content -Encoding byte " C:\Temp\LocalCA.cer ” (.cer file location of Root CA Cert)
Type “$new_ca=New-Object -TypeName Microsoft.Open.AzureAD.Model.CertificateAuthorityInformation”
Type “$new_ca.AuthorityType=0”
Type “$new_ca.TrustedCertificate=$cert”
Type $new_ca. crlDistributionPoint = “
Type “New-AzureADTrustedCertificateAuthority -CertificateAuthorityInformation $new_ca”
Type “Get-AzureADTrustedCertificateAuthority” and hit enter (should be the Root Cert you just uploaded)
You can now create a user/device certificate with the users Email Address in the Subject and Subject Alternative Name to use for authentication for ActiveSync email to “

Cert based auth for ActiveSync won’t work if you enable MFA for the user in the MFA portal

You will need to create a conditional access policy with the following attributes to still enforce MFA requirement for all other services/applications except ActiveSync

Include users in the scope of your test
Include all cloud apps
Include any location. Note that here is where you can exclude an IP whitelist created in the MFA portal by clicking on the exclude tab and selecting ‘MFA Trusted IPs’

Access controls:
Grant access
Require multi-factor authentication

What this accomplishes is:

If an application identifies itself as supporting modern authentication… we will require MFA.
If an application does not identify itself as supporting modern authentication… we will not require MFA.

It should be noted again that this approach is less secure and would also allow other legacy clients such as older versions of Outlook (prior to 2016) to bypass MFA