Forum Discussion
Not being prompted for MFA on Outlook 365 desktop, even with Modern Auth enabled?
Modern auth needs to be enabled server-side first, and while this should now be true for all tenants, I'd suggest you verify just in case. Also, client side it can be disabled via GPO/reg keys, so cover that as well.
Modern authentication is definitely enabled on the backend.
What other things should I be checking to identify why my desktop apps don't get prompted for 2FA?
- VasilMichev, Mar 23, 2020, MVP
I already gave you the list of things to check, if you mean the actual keys, this article lists them: https://docs.microsoft.com/en-us/exchange/troubleshoot/modern-authentication/modern-authentication-configuration
The best tool to use in troubleshooting is Fiddler, or anything else that can capture a network trace. But at this point, you can just show us what exactly you are seeing in Outlook, for example when configuring a new profile.
- Cian Allner, Mar 23, 2020, Silver Contributor
Hi, Azure AD sign-in logs are useful, search for the entries that correspond with the activity you have mentioned and see what CA policies are applying or being skipped. Also, I'd play around with the what if tool to model your expectations.
Also be aware in some circumstances a trusted device won't always prompt for MFA, as the device itself is considered the second factor.
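The sign-in log triage described above, as an added example that is not part of this thread: it reads a handful of constructed Azure AD sign-in records (field names follow the Microsoft Graph signIn schema; the users, app and policy names are made up) and reports, per sign-in, whether MFA was required, which MFA policies applied or were skipped, and a likely reason when no prompt occurred, such as a joined or compliant device or no matching policy.

```python
import json

# Constructed sample sign-in records (not real tenant data); only the fields
# needed for triage are included, named as in the Graph signIn resource.
SAMPLE_SIGNINS = json.dumps([
    {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Microsoft Office",
     "clientAppUsed": "Mobile Apps and Desktop clients",
     "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "notApplied",
     "deviceDetail": {"trustType": "Azure AD joined", "isCompliant": True},
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require MFA for all users", "result": "notApplied",
          "enforcedGrantControls": ["Mfa"]}]},
    {"userPrincipalName": "bob@contoso.example", "appDisplayName": "Microsoft Office",
     "clientAppUsed": "Mobile Apps and Desktop clients",
     "authenticationRequirement": "multiFactorAuthentication",
     "conditionalAccessStatus": "success",
     "deviceDetail": {"trustType": "", "isCompliant": False},
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require MFA for all users", "result": "success",
          "enforcedGrantControls": ["Mfa"]}]},
    {"userPrincipalName": "carol@contoso.example", "appDisplayName": "Microsoft Office",
     "clientAppUsed": "Exchange ActiveSync",  # legacy protocol, no policy matched
     "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "notApplied",
     "deviceDetail": {"trustType": "", "isCompliant": False},
     "appliedConditionalAccessPolicies": []},
])


def triage(signins_json):
    """One finding per sign-in: MFA required?, MFA policies applied/skipped, likely reason."""
    findings = []
    for s in json.loads(signins_json):
        # Only policies whose grant control is MFA matter for "why no prompt?"
        mfa_policies = [p for p in s.get("appliedConditionalAccessPolicies", [])
                        if "Mfa" in p.get("enforcedGrantControls", [])]
        applied = [p["displayName"] for p in mfa_policies if p["result"] == "success"]
        skipped = [p["displayName"] for p in mfa_policies if p["result"] != "success"]
        required = s.get("authenticationRequirement") == "multiFactorAuthentication"
        device = s.get("deviceDetail", {})
        if required:
            reason = "MFA was required for this sign-in"
        elif not mfa_policies:
            reason = "no MFA policy matched this sign-in (client, app or user not in scope)"
        elif device.get("isCompliant") or device.get("trustType"):
            reason = "MFA policy skipped; joined/compliant device may satisfy the policy"
        else:
            reason = "MFA policy skipped; check policy conditions and exclusions"
        findings.append({"user": s["userPrincipalName"], "client": s.get("clientAppUsed"),
                         "mfa_required": required, "applied": applied,
                         "skipped": skipped, "reason": reason})
    return findings
```

Feed it the JSON exported from the Azure AD sign-in logs blade (or the Graph signIns endpoint) filtered to the Outlook activity in question, and compare the reason column with what the What If tool predicts for the same user, app and device.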
- OneTechBeyond, Mar 27, 2020, Iron Contributor
Ah OK, this makes more sense to me if the theory is that, when I'm logging into an Azure AD Joined device, that initial login is what the native Office 365 desktop apps consider to be the 'second auth' method.
However, at first setup, I'm still required to use an App Password when initially configuring my Outlook 365 clients on these Azure AD Joined devices. Is that the expected behavior, even with Modern Auth enabled on the backend?
- OneTechBeyond, Mar 23, 2020, Iron Contributor
- Cian Allner, Mar 23, 2020, Silver Contributor
Here it is; I use it whenever I am working on CA, along with the Azure AD sign-in logs. It tells you a lot about what's happening.
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/what-if-tool
The below shows activity in the Outlook desktop client when the user was interrupted to register for MFA after signing in, per the requirement.
Here is a bit more info on trusted devices NOT prompting for MFA in some circumstances, which is by design.