Exchange 2019 CU15 On-Prem + ADFS: Outlook for iOS/Android ActiveSync fails with OAuth/MFA

Aleksandr Aleksandr 45 Reputation points
2026-06-23T08:31:48.23+00:00

Hey!

I'm deep into an ADFS integration project for a pure on-premises Exchange 2019 CU15 environment and have hit a wall with ActiveSync and mobile devices. I'm hoping someone here has either a silver bullet or can confirm my suspicion that this is an architectural dead-end.

I have Exchange 2019 CU15 servers with DAG and right now ADFS configured for Modern Auth with Exchange according to this article: https://learn.microsoft.com/en-us/exchange/plan-and-deploy/post-installation-tasks/enable-modern-auth-in-exchange-server-on-premises

Also I created policies which are blocking Legacy Auth ActiveSync, but aren't blocking Modern Auth ActiveSync.

This problem is only seen with ActiveSync with Outlook for iOS, Outlook for Android, Gmail (Android), but Gmail (iOS) and the stock iOS Mail app connect successfully. They trigger the ADFS login page, handle the MFA challenge, and sync without issues.

Android (Gmail app, Nine, Aqua Mail, etc.) always fails to connect with a 401 code (Unauthorized response).

My Diagnosis:

It seems the Android clients are unable to initiate or handle the OAuth 2.0 flow via ADFS for ActiveSync. The server, as seen in the connectivity test, is still offering Basic auth as the primary method for ActiveSync connections, which our strict policies correctly block. This creates a loop where the client doesn't know how to proceed to OAuth.

I understand that Hybrid Modern Authentication (HMA) with Microsoft 365 would solve this, but that's not an option for us. We need to keep everything on-prem.

Is it true that in a pure on-premises environment without HMA, Outlook for Android (and other Android clients) simply cannot use OAuth for ActiveSync?

Has anyone successfully made this work in a pure on-premises 2019 environment? If so, what was the missing piece?

Thanks in advance for any help you can offer!
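One way to confirm what the ActiveSync endpoint actually advertises, as an added example that is not part of the original post: the function below sends a single unauthenticated OPTIONS request to the EAS virtual directory and lists the schemes in the server's 401 challenge (Basic, Negotiate/NTLM, or Bearer for OAuth). The hostname is a placeholder; the function name and its handling of both Windows PowerShell 5.1 and PowerShell 7 response types are my own assumptions, not anything from the thread.

```powershell
# Added example, not code from the original post. Sends an unauthenticated OPTIONS
# request to the EAS virtual directory and reports which authentication schemes the
# server advertises in its 401 challenge. Works in Windows PowerShell 5.1 and PowerShell 7.
function Get-EasAuthChallenge {
    param(
        [Parameter(Mandatory)][string]$Server   # placeholder, e.g. mail.example.com
    )
    $uri = "https://$Server/Microsoft-Server-ActiveSync"
    try {
        # Without credentials the expected result is 401, which Invoke-WebRequest raises as an error.
        $ok = Invoke-WebRequest -Uri $uri -Method Options -UseBasicParsing -ErrorAction Stop
        return [pscustomobject]@{ Status = [int]$ok.StatusCode; Schemes = @() }
    } catch {
        $resp = $_.Exception.Response
        if (-not $resp) { throw }   # DNS, TLS or connection failure, not an HTTP challenge
        $status = [int]$resp.StatusCode
        if ($resp -is [System.Net.HttpWebResponse]) {
            # Windows PowerShell 5.1: System.Net.HttpWebResponse, header values may be comma-joined.
            $raw = @($resp.Headers.GetValues('WWW-Authenticate'))
        } else {
            # PowerShell 7: System.Net.Http.HttpResponseMessage with parsed challenge values.
            $raw = @($resp.Headers.WwwAuthenticate | ForEach-Object { $_.ToString() })
        }
        # Split joined challenges only where a new scheme token starts (not inside
        # Bearer parameters such as "authorization_uri=..., client_id=..."), then keep
        # the leading scheme word of each challenge.
        $schemes = $raw |
            ForEach-Object { $_ -split ',\s*(?=[A-Za-z]+(\s|,|$))' } |
            ForEach-Object { ($_.Trim() -split '\s+')[0] } |
            Where-Object { $_ -match '^(Basic|Bearer|Negotiate|NTLM|Digest)$' } |
            Select-Object -Unique
        return [pscustomobject]@{ Status = $status; Schemes = @($schemes) }
    }
}

# Usage (placeholder hostname):
# Get-EasAuthChallenge -Server 'mail.example.com'
```

Two things to keep in mind when reading the output. The challenge reflects what the virtual directory is configured to offer (compare with `Get-ActiveSyncVirtualDirectory | Format-List *Auth*`), while an authentication policy only rejects Basic credentials after the client has sent them; so a client that never asks for Bearer will keep seeing Basic offered, try it, and be refused with 401, which is exactly the loop described above. And a Bearer challenge appearing here only shows the server is willing to accept OAuth tokens on that endpoint; whether a given client will actually start the ADFS flow is up to the client.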

Exchange | Exchange Server | Other



Answer accepted by question author

Michelle-N 18,605 Reputation points Microsoft External Staff Moderator
2026-06-23T10:20:12.6633333+00:00

Hi @Aleksandr Aleksandr

Based on the highly detailed technical breakdown you provided, I completely understand the wall you have hit. You are working on a pure on-premises Exchange 2019 CU15 environment utilizing ADFS for Modern Authentication (acting as the Secure Token Service or STS) and have implemented strict authentication policies to block Legacy Authentication for Exchange ActiveSync (EAS). The issue is a clear split in client behavior: native Apple iOS Mail and Gmail on iOS handle the OAuth 2.0/ADFS web-view redirect and MFA seamlessly, whereas Outlook for iOS/Android, Gmail on Android, and other Android-based EAS clients consistently fail with 401 Unauthorized responses due to a fallback to Basic Authentication.

Based on my research, you have run into a documented architectural limitation of the Outlook mobile architecture in pure on-premises setups. Exchange 2019 (starting from CU13+) natively supports pure on-premises Modern Authentication using ADFS for desktop clients.

Outlook for iOS and Android does not connect directly to your on-premises Exchange server the way standard mail clients do. Instead, it relies on a Microsoft 365/Exchange Online cloud-backed architecture where the Microsoft Cloud acts as a middle tier, handles the protocol translation, and caches data.

Because of this architecture, Outlook Mobile natively expects Hybrid Modern Authentication (HMA). In a pure on-premises environment without HMA, the Outlook Mobile client fails to properly initiate the OAuth 2.0 flow over ActiveSync with a local ADFS server and immediately drops back to Basic Authentication. Because your strict policies block Basic Auth, the connection fails with a 401 error. The native iOS Mail app uses a standard, direct device-to-server connection. Apple has fully implemented the OAuth 2.0 framework alongside ADFS for the ActiveSync protocol directly within the OS, allowing it to successfully fetch the token and bypass the Basic Auth block.

Since migrating to HMA or incorporating Microsoft 365 components is strictly off the table due to your organizational compliance requirements, you have a few practical mitigation strategies:

Option 1: Restrictive Basic Auth Exception Policies

If you absolutely must support Outlook Mobile or Android users on-premises, you will have to allow Basic Authentication for ActiveSync, but you can heavily restrict it to mitigate security risks. Instead of a blanket allowance, you can use Exchange Organization Settings or Client Access Rules to:

  • Allow Basic Auth only for the ActiveSync protocol while keeping MAPI/HTTP, EWS, OAB, and Remote PowerShell strictly locked down under Modern Auth/ADFS. This still achieves the vast majority of your security goals.
  • Scope the Basic Auth allowance exclusively to specific user groups or specific ActiveSync device types/IDs.
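A worked version of Option 1 using Exchange authentication policies, added here as an example and not the answer's own code: it creates one exception policy that allows Basic auth on ActiveSync only, assigns it to the members of a single group, and adds a device-access rule as a second layer. It assumes Exchange 2019 CU13 or later (where the BlockLegacyAuth* switches and Set-User -AuthenticationPolicy exist) and is run from the Exchange Management Shell; the policy name, group name and the 'Outlook' DeviceType string are placeholders, and the STSRefreshTokensValidFrom call is the documented way to force a policy refresh, included on the assumption your build accepts it.

```powershell
# Added example, not the answer's own code. Implements "Basic auth for ActiveSync
# only, for a limited group only" with Exchange 2019 authentication policies.
# Assumes the org default policy already blocks legacy auth on every protocol.
$PolicyName = 'EAS-BasicAuth-Exception'     # placeholder policy name
$GroupName  = 'EAS-BasicAuth-Allowed'       # placeholder mail-enabled security group

# 1. Create the exception policy if it does not exist yet.
if (-not (Get-AuthenticationPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $PolicyName | Out-Null
}

# 2. Block legacy (Basic) auth on every protocol except ActiveSync.
#    Autodiscover is left open as well because EAS clients normally run
#    Autodiscover with the same Basic credentials; block it too if your
#    clients are provisioned with the server name directly.
Set-AuthenticationPolicy -Identity $PolicyName `
    -BlockLegacyAuthActiveSync:$false `
    -BlockLegacyAuthAutodiscover:$false `
    -BlockLegacyAuthImap:$true `
    -BlockLegacyAuthMapi:$true `
    -BlockLegacyAuthOfflineAddressBook:$true `
    -BlockLegacyAuthPop:$true `
    -BlockLegacyAuthRpc:$true `
    -BlockLegacyAuthWebServices:$true

# 3. Assign the exception policy to the group members only. Everyone else keeps
#    the org default (check it with Get-OrganizationConfig | Select DefaultAuthenticationPolicy).
#    Policy changes can take up to 24 hours to apply; the second call forces a refresh
#    per user (assumption: remove it if your build rejects the parameter).
Get-DistributionGroupMember -Identity $GroupName -ResultSize Unlimited |
    ForEach-Object {
        Set-User -Identity $_.PrimarySmtpAddress -AuthenticationPolicy $PolicyName
        Set-User -Identity $_.PrimarySmtpAddress -STSRefreshTokensValidFrom $([System.DateTime]::UtcNow)
    }

# 4. Narrow the device side too: quarantine unknown devices and allow only the
#    device types you have vetted. 'Outlook' is an assumed DeviceType string; read
#    the real value from Get-MobileDevice | Select-Object DeviceType, DeviceModel.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine
New-ActiveSyncDeviceAccessRule -QueryString 'Outlook' -Characteristic DeviceType -AccessLevel Allow

# 5. Verify the assignment and the effective switches.
Get-DistributionGroupMember -Identity $GroupName -ResultSize Unlimited |
    ForEach-Object { Get-User -Identity $_.PrimarySmtpAddress } |
    Select-Object Name, AuthenticationPolicy
Get-AuthenticationPolicy -Identity $PolicyName | Format-List Name, BlockLegacyAuth*
```

The design point is that the exception is expressed as a separate policy attached to users, never as a change to the org default, so the blast radius of Basic auth stays the list of group members you can audit with step 5. Those users are still authenticating to EAS with a password and no MFA, so treat the group as a review item: keep it small, expire memberships, and pair it with the Client Access Rule or IP-range scoping the answer mentions if the Android users sit behind known egress addresses.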

Option 2: Standardize on Compatible Native Clients

Since native iOS Mail handles the local ADFS flow perfectly, you could establish an internal policy requiring iOS users to use the native Mail app. For Android users, you would need to evaluate specific third-party enterprise clients that support direct ADFS OAuth authentication over EAS without cloud relays, or leverage a Mobile Device Management (MDM) solution to securely proxy the authentication.

To deep-dive into exactly how the architecture differs and why the Microsoft cloud component is mandatory for Outlook mobile authentication, I recommend reviewing this official technical documentation:

Please let me know how you decide to adapt your authentication policies based on these constraints.


If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

1 person found this answer helpful.