Forum Discussion
Multi-factor Authentication breaks outlook
If you have MFA enabled, you should use an Outlook version that supports Modern authentication. 2013 SP1+ should do, but Modern auth must also be enabled client-side and server-side:
Unbelievable. A reghack to be a fix to MFA on Office 365 accounts.
- Christian Taveras, Mar 30, 2018, Iron Contributor
I was never able to put my finger on it, nor was MS for that matter, which is sad!
I reached a point where I am down to 2 users left with this issue, and our help desk has been pushing out Outlook 2016, which has Modern Auth on by default.
The issue that caused this was Outlook 2013 stuck on Legacy Auth and not using Modern Auth. How can you tell? Open Outlook Connection Status and look at the AuthN field: if it says Clear, that is Legacy Auth; if it says Bearer*, that is Modern Auth.
I found another fix as well, but it's more time consuming. I ran MS SARA and chose Outlook keeps prompting for credentials, which also happened. Running through that and just telling SARA to continue to fix the issue, I got to a point where it asked whether I wanted it to recreate the profile; I said yes, and that also did it. After letting SARA create the profile, after a few minutes all the connections would start changing from Clear to Bearer. This part took about 10 to 15 minutes; I just had to let it sit and monitor it.
If I just recreated the profile myself without SARA, it would not work. So that tells me that MS SARA was also wiping something out in the Windows profile, as 9 times out of 10 that I used SARA it would work.
Those times SARA did not work and Outlook still connected using Legacy Auth are where I would wipe the Windows profile.
You can also verify by going to registry HKCU\Software\microsoft\office\16.0\Common\Identity\identities
Under here you should have
https://autodiscover-s.outlook.com/
https://domain.sharepoint.com/
https://domain-my.sharepoint.com/
https://outlook.office365.com/
https://dataservice.o365filtering.com
Users who connect using Legacy Auth, who also have Clear in the AuthN column in Connection Status, will have only 2 of these reg keys.
A lot of time wasted, but at least I got to the bottom of it, sort of.
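An added example, not part of any post in this thread: a PowerShell check of the registry key named in the post above, run as the affected user. It assumes the entries appear as subkey or value names directly under that key; the function name and the `domain` tenant placeholder are illustrative, and the "only 2 entries" threshold is the poster's observation, not a documented rule.

```powershell
# Added example. The host list is copied from the post; "domain" is the post's
# own placeholder for the tenant name. The function name is hypothetical.
function Test-OutlookIdentityEntries {
    param(
        [string]$OfficeVersion = '16.0',
        [string]$Tenant = 'domain'
    )
    $expected = @(
        'autodiscover-s.outlook.com',
        "${Tenant}.sharepoint.com",
        "${Tenant}-my.sharepoint.com",
        'outlook.office365.com',
        'dataservice.o365filtering.com'
    )
    $path = "Software\Microsoft\Office\$OfficeVersion\Common\Identity\Identities"
    # Use the .NET registry API: names containing "/" are awkward for the
    # PowerShell registry provider, which treats "/" as a path separator.
    $key = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey($path)
    $names = @()
    if ($null -ne $key) {
        try { $names = @($key.GetSubKeyNames()) + @($key.GetValueNames()) }
        finally { $key.Close() }
    }
    # An expected host counts as found if any subkey or value name contains it.
    $found = @($expected | Where-Object {
        $hostName = $_
        @($names | Where-Object { $_ -like "*$hostName*" }).Count -gt 0
    })
    $missing = @($expected | Where-Object { $found -notcontains $_ })
    $assessment = if ($null -eq $key) {
        'Key not found for this Office version'
    } elseif ($found.Count -eq $expected.Count) {
        'All entries present (what the post describes for Modern Auth)'
    } elseif ($found.Count -le 2) {
        'Two or fewer entries (what the post describes for Legacy Auth)'
    } else {
        'Partial set of entries; confirm with the AuthN column in Connection Status'
    }
    [pscustomobject]@{
        KeyPath    = "HKCU\$path"
        Found      = $found
        Missing    = $missing
        Assessment = $assessment
    }
}

Test-OutlookIdentityEntries -Tenant 'domain' | Format-List
```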
- Mike Martin, May 25, 2018, Copper Contributor
I actually dealt with a similar issue today where a user's Outlook would stay at "Disconnected" in the bottom right while outside of our whitelisted network IP range. Our organization turned on Multi-Factor auth through the modern Azure portal about 3 months ago. We had prepared the organization by making sure the https://support.office.com/en-us/article/Enable-Modern-Authentication-for-Office-2013-on-Windows-devices-7dc1c01a-090f-4971-9677-f1b192d6c910 were being pushed out via group policy AND confirming that our machines were patched with the latest Office 2013 patches (that should get the required files to the right versions; https://support.office.com/en-us/article/Plan-for-multi-factor-authentication-for-Office-365-Deployments-043807b2-21db-4d5c-b430-c8a6dee0e6ba?ui=en-US&rs=en-US&ad=US in the "MSI-based installations" section). Today we began enforcing multi-factor auth through the classic Azure portal https://techmymindsite.wordpress.com/2018/01/15/legacy-authentication-the-achilles-heel-of-azure-conditional-access-v2-0/. That's when this behavior began - the user simply could not connect when outside of our white-listed network.
I ran the https://www.microsoft.com/en-us/download/details.aspx?id=36852 and this pointed me in the right direction. It turns out that I was missing the files that the patches mentioned above should have installed. I installed those missing KBs (in this case, the Csi.dll and MSO.dll files were missing from the C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE15\ directory) and it connected finally.
Another red flag that you should keep in mind is when you set up an Outlook profile OR your user is prompted for their password (in your case after changing the password), that the password box is the basic username/password box. This means your client is attempting to connect with Legacy/Basic Auth, instead of modern auth. Make sure your https://support.office.com/en-us/article/Enable-Modern-Authentication-for-Office-2013-on-Windows-devices-7dc1c01a-090f-4971-9677-f1b192d6c910 are set AND you https://support.office.com/en-us/article/Plan-for-multi-factor-authentication-for-Office-365-Deployments-043807b2-21db-4d5c-b430-c8a6dee0e6ba?ui=en-US&rs=en-US&ad=US
Modern Auth Prompt GOOD:
Legacy/Basic Auth Prompt (attached) BAD
- Smills282, Aug 01, 2019, Copper Contributor
This solved my problem, thank you!