How to Configure O365 Outlook Mail App or Native Mail App on iPhone for Users with Passwordless Login with FIDO2 Security Keys

Unfortunately, FIDO2 security keys are not directly supported on iPhones for logging in to Microsoft 365 accounts (even though the operating system itself has fully supported them since iOS 14.0). Therefore, this tutorial walks you through setting up MS Authenticator, a mobile app that supports FIDO2 security keys, to authenticate your sign-in to your Microsoft 365 account in your iPhone's Outlook Mail app or native Mail app.


Update [June-2023]
Azure AD (Microsoft Entra ID) now supports FIDO2 security keys on Safari on iOS, so you can use Outlook on the web (OWA) as well.

Requirements:

  • An Azure AD (Microsoft Entra ID) account with no other authentication methods set
  • iPhone device with MS Authenticator and Outlook (optional) apps installed
  • Access to a desktop machine where FIDO2 keys will be used to log in and authenticate

Step 1. Configure MS Authenticator

On your iPhone:
  • Install the MS Authenticator app from the App Store and launch it.
  • Add your account to MS Authenticator and choose the "Work or school account" option
  • Choose the "Sign in" option when prompted (not "Scan QR code")
  • When the app prompts you to enter your username, choose "Sign-in options" instead
  • In the next window, choose "Sign in from another device". This will show you a code that you will use to confirm login on your desktop device

On your desktop machine:
  • Open your browser and navigate to http://microsoft.com/devicelogin.
  • Enter the code displayed on the MS Authenticator app and click on Next
  • Log in to your account, or choose an account if already logged in
  • The system will ask "Are you trying to sign in to Microsoft Authentication Broker?". Click on Continue to confirm the operation
  • This will confirm the login, and the MS Authenticator app on your iPhone will show the account as confirmed and created.

Update [16/12/2023]

Microsoft recently unveiled a groundbreaking feature, allowing users to leverage their FIDO2 key directly.

This announcement highlights a pivotal development in authentication methods:
"users who have Microsoft Authenticator installed on iOS or Microsoft Intune Company Portal installed on macOS can sign in to Microsoft applications using a FIDO2 security key"

On your iPhone:
  • Once the login is confirmed, the app will ask to configure signing in with the phone. Click on "Continue" when prompted
  • On the "Register this device to continue" window, click on the "Register" button
  • Choose whether you want to allow notifications from the MS Authenticator app
  • When you see the "Account Added" window, click on "Finish". MS Authenticator is now configured, and your account has been added to your iPhone

Step 2(a). Configure Outlook App on Your iPhone

At this stage, Outlook should already have the previously configured account ready to use. The account should appear when you first launch the app.

If you don't see the account appear immediately, click "Add Account" and follow the steps below.
  • Open the Outlook app and enter your email address, then click "Sign In"
  • On the next step, Outlook will ask you to complete the process using the MS Authenticator app.
  • Confirm the action on the Authenticator app if prompted.
  • This should complete the process, and Outlook will start downloading your email messages immediately.



Step 2(b). Configuring Native Mail App on iPhone

If you have successfully completed the MS Authenticator installation described in Step 1, you can also choose to use the native Mail app on your iPhone instead of Outlook. Follow the steps below to complete the native Mail app configuration:
  • Go to 'Settings', then choose 'Passwords and Accounts' and 'Add Account'
  • On the 'Add Account' window, choose 'Microsoft Exchange'
  • Enter your email address (and optionally a description of the account), and click Next
  • When prompted, choose 'Sign in' (instead of 'Configure Manually')
  • If the window asks for your password (which you no longer have), choose 'Use an app instead'
  • Complete the MS Authenticator prompt (click 'Allow', or enter the code shown on the screen and click 'Yes')
  • This should complete the process. Click 'Save' to start downloading your emails

In conclusion, configuring the Outlook Mail app or native Mail app on your iPhone for passwordless login with FIDO2 security keys might seem daunting at first, but by following these simple steps, you can have a secure and convenient way to access your Microsoft 365 account on the go.