Forum Discussion
After a hybrid migration to Exchange Online Outlook clients not switching over.
Rob Axelrod Hello, not in my comfort zone here but I've heard of an almost identical issue before where they disabled MFA (temporarily) to get it to work.
If that's not the case maybe this is applicable
https://support.microsoft.com/en-us/help/3073002/after-migration-to-office-365-outlook-doesn-t-connect-or-web-services
Rob Axelrod Hello, not in my comfort zone here but I've heard of an almost identical issue before where they disabled MFA (temporarily) to get it to work.
If that's not the case maybe this is applicable
https://support.microsoft.com/en-us/help/3073002/after-migration-to-office-365-outlook-doesn-t-connect-or-web-services
Thanks for your tips!
You first inclination was 100% correct.
I did a Fiddler trace on the test workstation as Outlook was trying to do Autodiscover to set itself up for the first time connecting to the cloud. I saw that it was failing to connect to O365's autodiscover service with an HTTP error of 456. Did a little research and determined that it is tied to multifactor authentication and conditional access configuration. Not sure why it works fine if you are setting up a new profile, etc but when I excluded the test account from the conditional access policy it immediately started working.So now the question is what is it about the conditional access policy that conflicts with the reconfiguration of Outlook? It isn't a problem when setting up a new profile, only on the switch from on-prem to the cloud. I used this blog post to help track down the issue with that e: https://bloggymcblogface.blog/error-456-for-exchange-online-autodiscover/Rob Axelrod Hey Rod! Glad to hear that the solution worked for you! But I can't say I know what's going on as the "456 authentication error" should indicate that MFA is enabled for your account while modern authentication is not enabled in EXO. Perhaps open a MS ticket as you said all those settings are OK.
PeterRising Any idea?
- I have a ticket open to look at the conditional access settings. Modern Auth is definately enabled since every other scenario works just fine except for the specific act of transitioning the Outlook client from on prem to the cloud post hybrid finalization. I think the answer is going to be tweaking my conditional access config so that the "Other Clients" setting isn't checked in the policy that requires multi factor.
Rob Axelrod Yes I agree that for that many migrations you need a resolution, not a workaround ideally.
Did this happen on every one of the pilot migrations?
ChristianBergstrom As ever my friend, some very useful ideas. With modern authentication enabled, MFA should not be an issue, but you just never know.
