Based on the highly detailed technical breakdown you provided, I completely understand the wall you have hit. You are working on a pure on-premises Exchange 2019 CU15 environment utilizing ADFS for Modern Authentication (acting as the Secure Token Service or STS) and have implemented strict authentication policies to block Legacy Authentication for Exchange ActiveSync (EAS). The issue is a clear split in client behavior: native Apple iOS Mail and Gmail on iOS handle the OAuth 2.0/ADFS web-view redirect and MFA seamlessly, whereas Outlook for iOS/Android, Gmail on Android, and other Android-based EAS clients consistently fail with 401 Unauthorized responses due to a fallback to Basic Authentication.
Based on my research, you have run into a documented architectural limitation of the Outlook mobile architecture in pure on-premises setups. Exchange 2019 (starting from CU13+) natively supports pure on-premises Modern Authentication using ADFS for desktop clients.
Outlook for iOS and Android does not connect directly to your on-premises Exchange server the way standard mail clients do. Instead, it relies on a Microsoft 365/Exchange Online cloud-backed architecture where the Microsoft Cloud acts as a middle tier, handles the protocol translation, and caches data.
Because of this architecture, Outlook Mobile natively expects Hybrid Modern Authentication (HMA). In a pure on-premises environment without HMA, the Outlook Mobile client fails to properly initiate the OAuth 2.0 flow over ActiveSync with a local ADFS server and immediately drops back to Basic Authentication. Because your strict policies block Basic Auth, the connection fails with a 401 error. The native iOS Mail app uses a standard, direct device-to-server connection. Apple has fully implemented the OAuth 2.0 framework alongside ADFS for the ActiveSync protocol directly within the OS, allowing it to successfully fetch the token and bypass the Basic Auth block.
Since migrating to HMA or incorporating Microsoft 365 components is strictly off the table due to your organizational compliance requirements, you have a few practical mitigation strategies:
Option 1: Restrictive Basic Auth Exception Policies
If you absolutely must support Outlook Mobile or Android users on-premises, you will have to allow Basic Authentication for ActiveSync, but you can heavily restrict it to mitigate security risks. Instead of a blanket allowance, you can use Exchange Organization Settings or Client Access Rules to:
- Allow Basic Auth only for the ActiveSync protocol while keeping MAPI/HTTP, EWS, OAB, and Remote PowerShell strictly locked down under Modern Auth/ADFS. This still achieves the vast majority of your security goals.
- Scope the Basic Auth allowance exclusively to specific user groups or specific ActiveSync device types/IDs.
Option 2: Standardize on Compatible Native Clients
Since native iOS Mail handles the local ADFS flow perfectly, you could establish an internal policy requiring iOS users to use the native Mail app. For Android users, you would need to evaluate specific third-party enterprise clients that support direct ADFS OAuth authentication over EAS without cloud relays, or leverage a Mobile Device Management (MDM) solution to securely proxy the authentication.
To deep-dive into exactly how the architecture differs and why the Microsoft cloud component is mandatory for Outlook mobile authentication, I recommend reviewing this official technical documentation:
Please let me know how you decide to adapt your authentication policies based on these constraints.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
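As an added illustration of Option 1 (not part of the answer above), the following Exchange Management Shell snippet builds the narrow exception the answer describes on Exchange 2019 CU13+: Basic Auth stays blocked organization-wide, a second policy re-enables it only for ActiveSync, and that policy is assigned only to members of one security group. The policy names, the group name `EAS-BasicAuth-Exception`, and the inclusion of Autodiscover are assumptions for the example.

```powershell
# Added example, not from the original answer. Policy/group names are assumptions.

# 1. Organization-wide default: a policy with no AllowBasicAuth* switches set
#    blocks Basic Authentication on every protocol (MAPI/HTTP, EWS, OAB, PowerShell, ...).
New-AuthenticationPolicy -Name "Block Basic Auth" | Out-Null
Set-OrganizationConfig -DefaultAuthenticationPolicy "Block Basic Auth"

# 2. Exception policy: Basic Auth permitted ONLY for ActiveSync. Autodiscover is
#    included here on the assumption that mobile clients locate the server through it;
#    drop that switch if devices are provisioned with the EAS URL directly.
New-AuthenticationPolicy -Name "EAS Basic Auth Exception" `
    -AllowBasicAuthActiveSync `
    -AllowBasicAuthAutodiscover | Out-Null

# 3. Scope the exception to one security group instead of all users.
$members = Get-DistributionGroupMember -Identity "EAS-BasicAuth-Exception" -ResultSize Unlimited
foreach ($m in $members) {
    Set-User -Identity $m.Identity -AuthenticationPolicy "EAS Basic Auth Exception"
}

# 4. Optional, per mailbox: restrict EAS further to known device IDs (values come from
#    Get-MobileDevice; the two IDs below are placeholders).
# Set-CASMailbox -Identity "user@contoso.example" -ActiveSyncAllowedDeviceIDs @("DEVICEID1", "DEVICEID2")

# 5. Verify the result: which users carry the exception, and what each policy allows.
Get-User -ResultSize Unlimited |
    Where-Object { $_.AuthenticationPolicy -like "*Exception*" } |
    Select-Object Name, AuthenticationPolicy
Get-AuthenticationPolicy | Format-List Name, AllowBasicAuth*
```

The verification step in 5 is worth re-running after any group membership change, since a user removed from the group keeps the exception policy until `Set-User` is run again for that account.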