Multi-factor authentication configuration for Core

The user should be capable of using multi-factor authentication by enabling multi-factor authentication setting on Azure.

To support multi-factor authentication in Sentry OAuth, you must configure one Sentry for OAuth and another Sentry for multi-factor authentication using Tunnel.

Sentry 9.14 and 9.15 supports Azure AD Conditional Access Policy.
For more information, see Configuring conditional access rules in Azure.

Configuring multi-factor authentication on Azure

Before you begin 

  • Verify that you have Sentry 9.15.0 and newer versions.


  1. Login to Azure portal with admin credentials.
    The admin must be a super admin with premium features to configure multi-factor authentication for other users.

  2. Click Users and search for the user to enable multi-factor authentication.

  3. Select Per-user MFA.
    The multi-factor authentication page opens to configure the user.

  4. Select the checkbox to enable the user.
    If multi-factor authentication is not enabled, the status of multi-factor authentication shows disabled.

  5. Select Enable in the menu on the right.

  6. Enabling the user displays a prompt to enable multi-factor authentication for the specific user.

  7. Click enable multi-factor auth.

    A confirmation message displays after enabling multi-factor authentication.

  8. The user OAuth status is now changed to Enabled.

Configuration of native email on Core for multi-factor authentication


  1. On one Sentry, configure OAuth. See OAuth for Sentry on Core.

  2. On a different Sentry, configure VPN on Core UEM.

    1. In Safari domain, add the required Microsoft domains and save the settings.



  3. On the second Sentry, configure the services for Ivanti Tunnel with Identity certificate. For more information, see "App Tunnel services" in the Standalone Sentry Guide.

  4. Configure Ivanti Tunnel application in Apps > App Catalog.

  5. Register the device with Office365 user.

  6. Download Ivanti Tunnel application from [email protected] and complete the device registration.
    The user is now redirected to Microsoft online to enter the password.

  7. Enter the password.
    The user is now prompted for MFA on the device.

  8. After selecting MFA option, authentication is successful and user is redirected back to the mailbox.

Configuring OAuth for Android Email+ through Sentry 2 on Core

Sentry 2 is a requirement with appconfig or Ivanti Tunnel for conditional access rules.


  1. Configure ANY service on Sentry 2 settings.

  2. Under Policies and Configs, add App ConnectApp Configuration.

  3. Enable App Connect policies.

  4. Edit App Config and configure Bundle ID for Email+.

  5. Enable Split Tunnel rules and configure URL wild cards.

  6. Configure KVPs and redirect to OAuth URL page.

  7. Configure Email+ Android.

  8. Configure the second Sentry hostname on Tunnel application.