Office 365 2FA on Mobile Devices

Problem

Looking to force 2FA on mobile devices using the O365 mobile applications.

Solution

The full Outlook 2013 and 2016 clients support Microsoft's "Modern Authentication", which honors identity federation settings at the domain level and allows an IdP to fully control the login process. With Modern Authentication, first-time users in Outlook see a browser popup during account setup that displays your IdP's login screen and any 2FA requirements it enforces. The 2FA login is enforced through this window initially, but the Outlook client then caches this authentication for up to 90 days to prevent annoying pop-ups.

Mobile App Specific

Mobile applications that use a different protocol (i.e. POP3, IMAP, etc.) do NOT allow forcing 2FA.

  1. The native mail clients on mobile devices use different protocols (e.g. POP3, IMAP, SMTP, EWS, ActiveSync) that do NOT support Modern Authentication. With these protocols there is no way to interact with the end user to prompt them for 2FA or let them enter an OTP, so there is no way for PortalGuard to provide 2FA for these legacy protocols. Shutting off support for these protocols, either for the whole environment or for specific users, is the primary way of closing this security hole. Please note that doing so may have an impact on other Office 365 services or on an on-premises Exchange/hybrid environment. Also prepare for the inevitable HelpDesk calls from users who have already configured these protocols once they are shut off.

  2. In PG's Relying Party configuration for Office 365, you can uncheck the "Allow WS-Security Logons" checkbox on the WS-Fed tab but this is pretty far "downstream" and your PG server will continue to receive all that network traffic.

  3. It may be possible for the IdP to utilize a true "out of band" second factor like a "push" to their mobile device that they accept or reject, but this is generally not cost effective for an entire organization.
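The following Exchange Online PowerShell snippet is an added example, not PortalGuard's or Microsoft's own code, showing how the "shut off the legacy protocols" mitigation from item 1 can be audited and applied per mailbox. It assumes the ExchangeOnlineManagement module is installed and that the caller holds an Exchange administrator role; the admin account name is a placeholder. The report lists mailboxes that still have any of the protocols named above enabled, and the disable function runs with -WhatIf so you can review the impact (including the hybrid/on-premises caveat) before committing.

```powershell
# Added example (not from the original article): audit and disable legacy mail
# protocols per mailbox in Exchange Online. Requires the ExchangeOnlineManagement
# module; the UPN below is a placeholder for your own admin account.
Connect-ExchangeOnline -UserPrincipalName admin@tenant.example

# Report every mailbox that still has at least one legacy protocol enabled.
function Get-LegacyProtocolReport {
    Get-CASMailbox -ResultSize Unlimited |
        Where-Object {
            $_.PopEnabled -or $_.ImapEnabled -or $_.ActiveSyncEnabled -or $_.EwsEnabled
        } |
        Select-Object DisplayName, PrimarySmtpAddress,
                      PopEnabled, ImapEnabled, ActiveSyncEnabled, EwsEnabled
}

# Turn the legacy protocols off for one mailbox. Supports -WhatIf / -Confirm so
# the change can be previewed first. -KeepActiveSync leaves ActiveSync alone for
# environments where on-premises or hybrid devices still depend on it.
function Disable-LegacyProtocols {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string] $Identity,
        [switch] $KeepActiveSync
    )

    $settings = @{
        PopEnabled                       = $false
        ImapEnabled                      = $false
        EwsEnabled                       = $false
        SmtpClientAuthenticationDisabled = $true   # blocks SMTP AUTH for this mailbox
    }
    if (-not $KeepActiveSync) {
        $settings.ActiveSyncEnabled = $false
    }

    if ($PSCmdlet.ShouldProcess($Identity, 'Disable POP3/IMAP/EWS/SMTP AUTH (and ActiveSync unless kept)')) {
        Set-CASMailbox -Identity $Identity @settings
    }
}

# Usage: review the report, then preview the change before applying it for real.
Get-LegacyProtocolReport | Format-Table -AutoSize
Get-LegacyProtocolReport | ForEach-Object {
    Disable-LegacyProtocols -Identity $_.PrimarySmtpAddress -WhatIf
}
```

Drop the -WhatIf once the preview looks right. Because the mailbox settings above are per user, you can roll this out to a pilot group first, which keeps the HelpDesk impact mentioned in item 1 manageable while Modern Authentication clients continue to work unchanged.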
