Christian Taveras
Iron Contributor
Oct 16, 2017

Multi-factor Authentication breaks outlook

Just wondering if anyone has run into this issue.

I have been turning on MFA for users a group at a time and all was going smoothly. The next morning after turning on MFA for the last handful of users I had to force a password change company wide due to an internal issue. After doing this it caused Outlook to start prompting, only for the last handful of users. No matter which password was entered it continued to prompt. I tried the domain credentials and I even popped in the app password as I read an article that mentioned this, but this did not work for me. Just wondering if anyone has run into something similar or can shed any light on what may have caused this issue while I wait for 2nd level support to call me.

44 Replies

    e_rottier
    Copper Contributor
    I had this issue just now. Problem was that the customer still used RPC instead of MAPI on-prem. Known issue it seems when migrating/connecting to EXO.

    See: https://docs.microsoft.com/nl-nl/outlook/troubleshoot/authentication/outlook-prompt-password-modern-authentication-enabled
      Jay_Scott
      Copper Contributor

      Here is what works for me:

      1. Sign out of Microsoft products (Word, OneDrive, Outlook)
      2. Erase all Windows credentials from Credential Manager
      3. Open Outlook to confirm the password prompt pops up. (Do not enter it, exit Outlook.)
      4. Turn on MFA entering the user's cell phone
      5. Open Outlook and paste in the newly created App Password
      6. Open Word, Excel, OneDrive, Teams etc. entering the text codes

      I have had success going in that order. Any other way, and/or any attempts at bulk enforcement, were all met with problems.
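A scripted, selective form of step 2 in the list above, added here as an example that is not part of the original thread. Rather than erasing every Windows credential, it lists Credential Manager entries with cmdkey, keeps only those that look like Office or Outlook identity tokens, and removes just those; it is a dry run unless -Remove is passed. Assumptions: cmdkey prints "Target:" lines with a "LegacyGeneric:target=" or "Domain:target=" prefix as on current Windows builds, and the substring patterns (MicrosoftOffice, ADAL, outlook.office365.com, autodiscover) are ones I chose for illustration, not an authoritative list.

```powershell
# Added example, not from the thread: remove only the Office/Outlook entries from
# Windows Credential Manager using cmdkey, with a dry run by default.
# Assumptions: cmdkey /list prints "Target: <prefix>:target=<name>" lines, and the
# default -Patterns are illustrative substrings, not a complete list.

param(
    [switch]$Remove,
    [string[]]$Patterns = @('MicrosoftOffice', 'ADAL', 'outlook.office365.com', 'autodiscover')
)

function Get-CredentialTargets {
    # Parse lines such as "    Target: LegacyGeneric:target=MicrosoftOffice16_Data:..."
    $lines = cmdkey /list 2>$null
    foreach ($line in $lines) {
        if ($line -match '^\s*Target:\s*(.+?)\s*$') { $Matches[1] }
    }
}

function Select-OfficeTargets {
    param([string[]]$Targets, [string[]]$Patterns)
    $Targets | Where-Object {
        $t = $_
        ($Patterns | Where-Object { $t -like "*$_*" }).Count -gt 0
    }
}

function Remove-CredentialTarget {
    param([string]$Target)
    # cmdkey /delete expects the bare target name, without the "<prefix>:target="
    # (or "<prefix>:interactive=") text that /list prints in front of it.
    $bare = $Target -replace '^\w+:(target|interactive)=', ''
    cmdkey /delete:"$bare" | Out-Null
    return ($LASTEXITCODE -eq 0)
}

if (Get-Process -Name OUTLOOK -ErrorAction SilentlyContinue) {
    Write-Warning "Close Outlook first (steps 1 and 3 above); it re-caches tokens while running."
}

$all    = @(Get-CredentialTargets)
$office = @(Select-OfficeTargets -Targets $all -Patterns $Patterns)

Write-Host ("{0} stored credentials, {1} look Office/Outlook related:" -f $all.Count, $office.Count)
$office | ForEach-Object { Write-Host "  $_" }

if ($Remove) {
    foreach ($t in $office) {
        if (Remove-CredentialTarget -Target $t) { Write-Host "removed  $t" }
        else { Write-Warning "could not remove $t" }
    }
} elseif ($office.Count -gt 0) {
    Write-Host "Dry run only; rerun with -Remove to delete these entries."
}
```

Run it once without -Remove and read the list before deleting anything: entries for other Microsoft services (for example Teams or OneDrive sign-ins) can match the same substrings, and the user will be asked to sign in to each of them again afterwards.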

  • Christian Taveras

    Please be aware that Microsoft has announced that it is going to forbid App passwords (i.e. basic authentication) for clients accessing Outlook Web Services beginning in October of 2020. I've been testing Outlook on Android and there are currently many issues regarding 2-way, unattended sync of contact information between Office 365 and Outlook App for Android. I've reported all of the issues I identified to Outlook App support, and they say they will address them. I'm also hoping that Android App providers like Samsung Mail App and Google Gmail App will be updated to support Modern Auth.

    https://techcommunity.microsoft.com/t5/Exchange-Team-Blog/Improving-Security-Together/ba-p/805892

      JayFMSTechComm
      Iron Contributor


      Thanks to a post by Phillip Lyle on https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-auth-and-exchange-online-february-2020-update/ba-p/1191282, I discovered that Samsung Native Email App supports "Modern Auth".  I'm running Version 6.1.11.6 on Android Pie.

      You have to remove the existing "Basic Auth" account from the email app, and add it back by selecting "Office 365" type of account instead of "Exchange" type of account.

      As you are doing this, the setup will prompt you with the Microsoft Modern Authentication dialogue box to log you in.

      This will also re-create your calendars and contacts, so you might have to re-customize things like Calendar Color, Custom Ringtones (which are stored in the Contacts information), and Mail Signatures.  You might want to check all of the settings in Calendar, Contacts, and Mail before removing the "Basic Auth" account instance.

      Finally, when complete, you might want to delete the App password that you used to authenticate the "Basic Auth" account on Android from your Office 365 account.  Then, if you use a device that you forgot had Basic Auth access to your Exchange Service, the login will be rejected and you can install a Modern Auth app on the forgotten device.
      Christian Taveras
      Iron Contributor
      Our issue was mainly with the Outlook 2016 client on Windows 10. Long story short, Outlook was communicating to O365 using Modern Auth, but Basic auth. Ran MS SARA, which was flicking a switch somewhere in the Windows profile, which addressed our issue. As far as the Outlook app goes, I have pushed a Modern Auth mail profile to Android and iOS using iTunes without issue.

      Doing this, the app is now using the user's network password instead of the App Password.
        Steve_Osuch
        Copper Contributor

        Christian Taveras years later (though this thread was still active only a couple of months ago) I have one more potential culprit and an actual solution versus a work around/hack - for everyone's sake hopefully it's the solution once and for all, as it should take you 5 minutes to make a single global change.

        The solution came from continual link following from one of the replies above to Microsoft, back to other forums and in a loop, but I pieced together the actual problem and was able to then find the solution. I figured I'd post this to help someone cut to the chase versus having to follow the same rabbit hole I did. I tried SaRA to no avail (just like with a couple of your tenants) and recreating the Windows profile was the only solution that seemed reliable - not really an organization wide option.

        I noticed, like you, I had a problem with some users, not all. I subsequently identified these users were all older tenants. I then found an article from Microsoft that said "For tenants created before August 1, 2017, modern authentication is turned off by default for Exchange Online and Skype for Business Online."

        Essentially, try as you may with local options, when your tenant attempts to authenticate with Exchange Online, O365 is forcing Outlook to use basic auth, not modern auth. So your "switch flicking" from SaRA did something server side, not local, or it changed something in the local registry that ignored O365 asking for Basic Auth. This could explain why registry hacks work. Android, iOS, and OSX applications only have modern auth so they cannot have the problem (:facepalm: only the application native to a Microsoft Operating system).

        Solution... force all users to Modern Authentication. In retrospect this makes sense as I've noticed new users always got the modern auth prompt even before trying to implement MFA while the old timers like myself had basic auth prompts still pop up occasionally.

        Note: this assumes you are on 2016/Outlook for Office 365; 2013 users additionally have to enable ADAL with registry changes first, then you follow the instructions below to enable modern auth with Exchange Online -> https://support.office.com/en-us/article/enable-modern-authentication-for-office-2013-on-windows-devices-7dc1c01a-090f-4971-9677-f1b192d6c910

        Solution in detail:

        Run PowerShell - here is another gotcha, in a fun Microsoft twist of irony: if you have MFA enabled for this user you will have to download the Microsoft Exchange Online Remote PowerShell Module to get modern auth in the PowerShell environment. If your username can log in with basic auth, search -> powershell -> run as admin.

        Connect to Exchange Online in PowerShell

        Connect-EXOPSSession -UserPrincipalName chris@contoso.com

        (for US based Office 365 - for others, you will need to find the URIs)

        Enable Modern Authentication in Exchange Online

        Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

        Check Status of Modern Authentication

        Get-OrganizationConfig | Format-Table Name,OAuth* -Auto

        PS C:\Users\StevenOsuch> Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
        PS C:\Users\StevenOsuch> Get-OrganizationConfig | Format-Table Name,OAuth* -Auto

        Name                 OAuth2ClientProfileEnabled
        ----                 --------------------------
        domain.somewhere.com                       True

        Now open up Outlook; it worked instantly, I didn't even have to provide credentials as it pulled them from my laptop which already had the SSO profile that had been authenticated at login.

        Retrospectively, looking at the Set-Up MFA for O365 article (https://docs.microsoft.com/en-us/microsoft-365/admin/security-and-compliance/set-up-multi-factor-authentication?view=o365-worldwide), it mentions this as well but this was just updated a couple of days ago so maybe it wasn't there before.

        Final note, if you still use Skype for Business, you have to enable Modern Auth separately using the Skype specific connection and command prompts.
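The tenant-wide change described in the post above, as an added example that is not part of the original thread: it performs the same Get-OrganizationConfig / Set-OrganizationConfig check and change, but through the current ExchangeOnlineManagement module (Connect-ExchangeOnline), which handles MFA-protected admin accounts and so avoids the "gotcha" the poster mentions with the older Connect-EXOPSSession module. Assumptions: the module is installed, the account used holds an Exchange administrator role, and the -AdminUpn value is a placeholder.

```powershell
# Added example, not from the thread: enable and verify modern authentication in
# Exchange Online with the ExchangeOnlineManagement module (Connect-ExchangeOnline).
# Assumptions: Install-Module ExchangeOnlineManagement has been run, and $AdminUpn
# (a placeholder) is an account holding an Exchange administrator role.

param(
    [Parameter(Mandatory = $true)]
    [string]$AdminUpn,      # e.g. admin@contoso.com (placeholder)
    [switch]$WhatIfOnly     # report the current state without changing anything
)

Import-Module ExchangeOnlineManagement -ErrorAction Stop
Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

try {
    $cfg    = Get-OrganizationConfig
    $before = [bool]$cfg.OAuth2ClientProfileEnabled
    Write-Host ("Tenant {0}: OAuth2ClientProfileEnabled = {1}" -f $cfg.Name, $before)

    if ($before) {
        Write-Host "Modern auth is already enabled; nothing to change."
    }
    elseif ($WhatIfOnly) {
        Write-Warning "Modern auth is OFF for this tenant; rerun without -WhatIfOnly to enable it."
    }
    else {
        # The single tenant-wide switch the post above describes.
        Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

        # Re-read rather than trusting the write: the setting is replicated across the
        # service and can take a few minutes before every client sees it.
        $after = [bool](Get-OrganizationConfig).OAuth2ClientProfileEnabled
        Write-Host "OAuth2ClientProfileEnabled is now $after"
        if (-not $after) { Write-Warning "Change not visible yet; check again in a few minutes." }
    }
}
finally {
    # Always drop the session, even if a cmdlet above threw.
    Disconnect-ExchangeOnline -Confirm:$false
}
```

Turning OAuth2ClientProfileEnabled on lets Outlook negotiate modern authentication; it does not by itself switch basic authentication off, which is a separate Exchange Online authentication-policy setting worth reviewing once clients are confirmed to show Bearer in Connection Status. Skype for Business Online is, as the post says, enabled separately through its own module and is not covered by this script.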


    Roodalf
    Copper Contributor

    I just left a similar report with Feedback Hub but my problems arose from having too many users on a couple of cards with shared users on multiple systems. Anyone besides me get a user disconnect after the update last night?

    nickOsmosis
    Copper Contributor

    When setting up MFA you have the possibility to retrieve or create an app password. You should use that one when logging in to Outlook.

      Christian Taveras
      Iron Contributor

      I never use app password, with Outlook 2016 all auth goes to ADFS.

      App passwords I usually use on mobile devices etc.

      Jay_Scott
      Copper Contributor

      Unfortunately, the app password does not work in this case. If you get the old Auth screen you will not be granted access in Outlook no matter what password you use. 

        Jay_Scott
        Copper Contributor

        I WAS able to successfully get this to work finally, without wiping the Windows OS. Here is what I did.

        First: I added the registry key per the below instructions (it wasn't there originally). (Also, when I "ran as admin" the "Exchange" folder wasn't present, but when I opened normally {on an AD client} the "Exchange" folder WAS there.)

        Second: I removed Multi-Factor Auth for my user.

        Third: I opened Outlook ---> Clicked File ----> Office Account ---> I signed out of all accounts (one user had 3, one user had only 1)

        Fourth: Turned back on multi-factor

        Fifth: Opened Outlook and when I did - in one case I had to enter the App Password in the new style app box. In the other case, Outlook just opened and worked. In both cases multi-factor is on and continues to work. Copied and pasted the key below. Hope that helps someone.

        1. Exit Outlook.
        2. Start Registry Editor. To do this, use one of the following procedures, as appropriate for your version of Windows:
          • Windows 10, Windows 8.1 and Windows 8: Press Windows Key + R to open a Run dialog box. Type regedit.exe, and then press Enter.
          • Windows 7: Click Start, type regedit.exe in the search box, and then press Enter.
        3. In Registry Editor, locate and then click the following registry subkey:

          HKEY_CURRENT_USER\Software\Microsoft\Exchange
        4. On the Edit menu, point to New, and then click DWORD Value.
        5. Type AlwaysUseMSOAuthForAutoDiscover, and then press Enter.
        6. Right-click AlwaysUseMSOAuthForAutoDiscover, and then click Modify.
        7. In the Value data box, type 1, and then click OK.
        8. Exit Registry Editor.
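Steps 3 to 7 above done from PowerShell instead of regedit, added here as an example that is not part of the original post. It writes AlwaysUseMSOAuthForAutoDiscover under HKCU\Software\Microsoft\Exchange, creating the key if it is absent, and reports what each value was before so the change can be reverted with -Revert. Run it as the affected user and not elevated: the values live under HKCU, and an elevated session uses the admin account's hive, which is why the poster saw no "Exchange" folder when running as admin. Assumption: the Office 2013 ADAL values it can optionally write (EnableADAL and Version under HKCU\Software\Microsoft\Office\15.0\Common\Identity) are the ones from Microsoft's Office 2013 modern-authentication guidance linked earlier in the thread, not values from this post; they are only written with -Office2013.

```powershell
# Added example, not from the thread: write the client-side registry values discussed
# in this thread from PowerShell, showing the previous value of each one.
# Run as the affected user, not elevated (HKCU belongs to the logged-on user).
# Assumption: the Office 15.0 EnableADAL/Version values follow Microsoft's Office 2013
# modern-auth guidance; they are written only when -Office2013 is given.

param(
    [switch]$Office2013,   # also write the Office 15.0 ADAL values
    [switch]$Revert        # remove the values this script writes
)

function Set-DwordValue {
    param([string]$Path, [string]$Name, [int]$Value)

    if (-not (Test-Path $Path)) {
        if ($Revert) { return }
        New-Item -Path $Path -Force | Out-Null
    }
    $existing = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    $was = if ($null -eq $existing) { '<absent>' } else { $existing }

    if ($Revert) {
        if ($null -ne $existing) {
            Remove-ItemProperty -Path $Path -Name $Name
            Write-Host "Removed $Path\$Name (was $was)"
        }
        return
    }
    if ($existing -eq $Value) {
        Write-Host "$Path\$Name already $Value"
        return
    }
    # -Force replaces an existing value of any type with a REG_DWORD.
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
    Write-Host "Set $Path\$Name = $Value (was $was)"
}

if (Get-Process -Name OUTLOOK -ErrorAction SilentlyContinue) {
    Write-Warning "Outlook is running; close it so the values are read on next start (step 1 above)."
}

# Steps 3-7 of the post above: make Autodiscover use modern (MSO/OAuth) authentication.
Set-DwordValue -Path 'HKCU:\Software\Microsoft\Exchange' -Name 'AlwaysUseMSOAuthForAutoDiscover' -Value 1

if ($Office2013) {
    $identity15 = 'HKCU:\Software\Microsoft\Office\15.0\Common\Identity'
    Set-DwordValue -Path $identity15 -Name 'EnableADAL' -Value 1
    Set-DwordValue -Path $identity15 -Name 'Version'    -Value 1
}
```

For more than a handful of machines, push the same values as Group Policy Preferences registry items instead of running the script per user; either way the client-side value only helps once the tenant itself allows modern authentication, so verify the result in Outlook's Connection Status (AuthN column showing Bearer rather than Clear) rather than assuming the key alone fixed it.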
    ATMA_Admin
    Copper Contributor
    Me too have the same issue in my organisations. Exactly what you mention.
      ATMA_Admin
      Copper Contributor
      In my organisation we are using Microsoft Office 365 Business. Does that affect the MFA?
      Nick Basic
      Copper Contributor

      Unbelievable. A reghack to be a fix to MFA on Office 365 accounts.

        Christian Taveras
        Iron Contributor

        I was never able to put my finger on it, nor was MS for that matter, which is sad!

        I reached a point where I am down to 2 users left with this issue and our help desk has been pushing out Outlook 2016 which has Modern Auth on by default.

        The issue that caused this was Outlook 2013 stuck on legacy auth and not using Modern Auth. How can you tell? If you open Outlook Connection Status, look under the AuthN field: if it says Clear, that is Legacy Auth; if it says Bearer*, that is Modern Auth.

        I found another fix as well but it's more time consuming. I ran MS SARA and chose "Outlook keeps prompting for credentials", which also happened. Running through that and just telling SARA to continue to fix the issue, I got to a point where it asked did I want it to recreate the profile; I said yes and that also did it. After letting SARA create the profile, after a few minutes all the connections would start changing from Clear to Bearer. This part took about 10 to 15 min; I just had to let it sit and monitor it.

        If I just recreated the profile myself without SARA it would not work. So that tells me that MS SARA was also wiping something out in the Windows profile, as 9 times out of 10 when I used SARA it would work.

        Those times SARA did not work and Outlook still connected using legacy auth is where I would wipe the Windows profile.

        You can also verify by going to registry HKCU\Software\microsoft\office\16.0\Common\Identity\identities

        Under here you should have

        https://autodiscover-s.outlook.com/

        https://domain.sharepoint.com/

        https://domain-my.sharepoint.com/

        https://outlook.office365.com/

        https://dataservice.o365filtering.com

        Users who connect using Legacy Auth, who also have Clear in the AuthN column in connection status, will have only 2 of these reg keys.

        A lot of time wasted but at least I got to the bottom of it, sort of.
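A read-only check of the registry verification described in the post above, added here as an example that is not part of the original thread: it walks the per-user Office identity tree and reports which of the five endpoints the poster lists are present, flagging a profile as likely legacy auth when fewer than all five are found. Assumptions: the endpoint URLs appear as subkey names or string values somewhere under HKCU\Software\Microsoft\Office\16.0\Common\Identity\Identities, as the poster reports; the expected list is the poster's, with 'domain' as a placeholder tenant name; and the poster's "only 2 of these" rule of thumb is what the LikelyLegacyAuth flag encodes.

```powershell
# Added example, not from the thread: read-only check of the per-user Office identity
# registry tree, to flag Outlook profiles that look stuck on legacy ("Clear") auth.
# Assumption: endpoint URLs appear as key names or string values under the Identities
# tree, as the post describes; 'domain' is a placeholder tenant name.

param(
    [string]$TenantName    = 'domain',   # placeholder: the <tenant> in <tenant>.sharepoint.com
    [string]$OfficeVersion = '16.0'
)

$IdentitiesRoot    = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Common\Identity\Identities"
$ExpectedEndpoints = @(
    'https://autodiscover-s.outlook.com/',
    "https://$TenantName.sharepoint.com/",
    "https://$TenantName-my.sharepoint.com/",
    'https://outlook.office365.com/',
    'https://dataservice.o365filtering.com'
)

function Get-IdentityStrings {
    # Collect every subkey name and every string value under the tree, so the check does
    # not depend on exactly which level the endpoint names are stored at.
    param([string]$Path)
    $strings = New-Object System.Collections.Generic.List[string]
    if (-not (Test-Path $Path)) { return $strings }
    foreach ($key in Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue) {
        $strings.Add($key.PSChildName)
        foreach ($valueName in $key.GetValueNames()) {
            $data = $key.GetValue($valueName)
            if ($data -is [string]) { $strings.Add($data) }
        }
    }
    return $strings
}

function Test-ModernAuthProfile {
    param([string]$Path, [string[]]$Expected)
    $seen    = Get-IdentityStrings -Path $Path
    $present = @()
    $missing = @()
    foreach ($endpoint in $Expected) {
        # Match on the host name only, so trailing slashes or scheme differences do not matter.
        $hostName = ([uri]$endpoint).Host
        if ($seen | Where-Object { $_ -like "*$hostName*" }) { $present += $endpoint }
        else { $missing += $endpoint }
    }
    [pscustomobject]@{
        Path             = $Path
        Present          = $present
        Missing          = $missing
        # Poster's rule of thumb: legacy-auth profiles carry only 2 of the 5 entries.
        LikelyLegacyAuth = ($present.Count -lt $Expected.Count)
    }
}

$result = Test-ModernAuthProfile -Path $IdentitiesRoot -Expected $ExpectedEndpoints
$result | Format-List
if ($result.LikelyLegacyAuth) {
    Write-Warning "Profile looks like legacy auth; confirm in Outlook's Connection Status (AuthN: Clear vs Bearer*)."
}
```

Because this reads HKCU, run it in the affected user's session (a remote or elevated admin session would inspect the wrong hive); treat the result as a hint and confirm with the Connection Status dialog, since a profile that has never connected to SharePoint will also be missing those two entries.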


      Christian Taveras
      Iron Contributor

      We have been using Office 2013 Pro Plus with the ADAL reg keys in place. This setup has been in place for months. Then out of the blue, after we forced a password change, this issue occurred.

      MS says they are having issues with Outlook and ADAL ATM but there is nothing on the Portal in ref to this. I don't think Outlook version is the issue here as this was all working fine for months until last Wednesday.

        VasilMichev
        MVP

        Well, the least they can do is push this info to the SHD, so make sure you give them some grief :)
