MFA and desktop apps

%3CLINGO-SUB%20id%3D%22lingo-sub-1835959%22%20slang%3D%22en-US%22%3EMFA%20and%20desktop%20apps%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1835959%22%20slang%3D%22en-US%22%3E%3CP%3EHello%2C%26nbsp%3B%3C%2FP%3E%3CP%3EI'm%20playing%20around%20with%20MFA.%20I've%20enabled%20it%20on%20one%20user%20to%20test%20things%20out.%20When%20logging%20into%20the%20web%20portal%2C%20there%20are%20no%20issues.%20I%20receive%20a%20prompt%20to%20enter%20an%20text%20code%20and%20all%20is%20good.%20When%20i%20try%20to%20set%20up%20either%20Outlook%20or%20OneDrive%20desktop%20apps%2C%20I%20receive%20an%20error%20that%20the%20account%20couldn't%20be%20set%20up.%20Yet%20if%20I%20log%20into%20Word%20or%20Excel%2C%20no%20issues%2C%20I%20have%20to%20enter%20a%20code%20that%20is%20texted.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EUpon%20further%20investigation%2C%20it%20looks%20like%20I%20have%20to%20set%20up%20modern%20authentication%20on%20the%20tenant%2C%20in%20order%20for%26nbsp%3B%20the%20Outlook%26nbsp%3B%20and%20SharePoint%20service%20to%20work.%20I%20would%20like%20to%20test%20this%20out.%20If%20I%20enable%20modern%20auth%20for%20the%20tenant%20will%20it%20impact%20all%20my%20users%2C%20or%20only%20the%20ones%20that%20have%20MFA%20enabled%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1835959%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAdmin%20center%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20365%20Administration%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1836377%22%20slang%3D%22en-US%22%3ERe%3A%20MFA%20and%20desktop%20apps%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1836377%22%20slang%3D%22en-US%22%3E%3CP%3EDefine%20%22impact%22%2C%20as%20you've%20seen%20it%20does%20have%20an%20impact%20on%20the%20way%20people%20log%20in.%20But%20generally%20speaking%2C%20enabling%20this%20just%20makes%20another%20auth%20method%20possible%2C%20it%20doesnt%20prevent%20people%20from%20using%20legacy%20methods%2C%20unless%20you%20specifically%20decide%20to%20block%20them%20(or%20you%20have%20security%20defaults%20enabled).%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1836841%22%20slang%3D%22en-US%22%3ERe%3A%20MFA%20and%20desktop%20apps%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1836841%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F58%22%20target%3D%22_blank%22%3E%40Vasil%20Michev%3C%2FA%3E%26nbsp%3BHey%20Vasil%2C%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20for%20the%20feedback.%20After%20some%20testing%20I'm%20a%20little%20fuzzy%20on%20MFA.%20I%20figure%20it%20should%20be%20straight-forward%2C%20but%20seems%20to%20react%20differently%20for%20the%20various%20non-browser%20logins.%3C%2FP%3E%3CP%3EIf%20I%20enable%20a%20user%20for%20MFA%2C%20what%20is%20required%20for%20the%20Office%20desktop%20apps%20to%20be%20able%20to%20connect%20successfully.%3C%2FP%3E%3CP%3EAs%20mentioned%20in%20the%20previous%20post%2C%20with%20MFA%20turned%20on%20for%20the%20test%20user%2C%20I%20was%20prompted%20for%20an%20SMS%20code%20when%20logging%20into%20Word%20and%20Excel.%20When%20I%20tried%20to%20setup%20Outlook%2C%20and%20OneDrive%20I%20received%20a%20message%20that%20the%20account%20setup%20could%20not%20be%20completed.%3C%2FP%3E%3CP%3EI%20decided%20to%20disable%20the%20MFA%2C%20to%20see%20what%20would%20happen%2C%20and%20I%20was%20able%20to%20set%20up%20the%20Outlook%20account%20on%20the%20device.%26nbsp%3B%3C%2FP%3E%3CP%3ENow%20I%20want%20to%20enable%20MFA%20again%2C%20to%20see%20what%20occurs%2C%20but%20when%20I%20do%2C%20I'm%20still%20able%20to%20login%20without%20a%202nd%20authentication.%20Do%20I%20have%20to%20'enforce'%20the%20MFA%20to%20reactivate%20it%20for%20the%20user%3F%3C%2FP%3E%3CP%3EIf%20I%20select%20enforce%2C%20I%20get%20the%20following%20message%3A%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22mikbai_0-1604054016824.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F230386iC8150EF3927C3E1D%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22mikbai_0-1604054016824.png%22%20alt%3D%22mikbai_0-1604054016824.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3ESo%2C%20does%20this%20mean%20that%20for%20Outlook%20and%20OneDrive%20apps%2C%20I%20need%20an%20app%20password%20with%20MFA%20enabled%3F%20And%20what%20does%20the%20note%20about%20admins%20refer%20to%3F%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%3C%2FP%3E%3C%2FLINGO-BODY%3E
Occasional Contributor

Hello, 

I'm playing around with MFA. I've enabled it on one user to test things out. When logging into the web portal, there are no issues. I receive a prompt to enter an text code and all is good. When i try to set up either Outlook or OneDrive desktop apps, I receive an error that the account couldn't be set up. Yet if I log into Word or Excel, no issues, I have to enter a code that is texted.

 

Upon further investigation, it looks like I have to set up modern authentication on the tenant, in order for  the Outlook  and SharePoint service to work. I would like to test this out. If I enable modern auth for the tenant will it impact all my users, or only the ones that have MFA enabled?

 

Thanks

3 Replies

Define "impact", as you've seen it does have an impact on the way people log in. But generally speaking, enabling this just makes another auth method possible, it doesnt prevent people from using legacy methods, unless you specifically decide to block them (or you have security defaults enabled).

@Vasil Michev Hey Vasil, 

 

Thanks for the feedback. After some testing I'm a little fuzzy on MFA. I figure it should be straight-forward, but seems to react differently for the various non-browser logins.

If I enable a user for MFA, what is required for the Office desktop apps to be able to connect successfully.

As mentioned in the previous post, with MFA turned on for the test user, I was prompted for an SMS code when logging into Word and Excel. When I tried to setup Outlook, and OneDrive I received a message that the account setup could not be completed.

I decided to disable the MFA, to see what would happen, and I was able to set up the Outlook account on the device. 

Now I want to enable MFA again, to see what occurs, but when I do, I'm still able to login without a 2nd authentication. Do I have to 'enforce' the MFA to reactivate it for the user?

If I select enforce, I get the following message:

mikbai_0-1604054016824.png

So, does this mean that for Outlook and OneDrive apps, I need an app password with MFA enabled? And what does the note about admins refer to? 

 

Thanks

As mentioned above, enabling OAuth/MFA does not disable the "legacy" authentication methods. If you want to disable those, you can use CA policies, Exchange auth policies or security defaults.

 

Both Outlook and OneDrive support MFA just fine, but you need to make sure you're using a proper version. Everything from the past few years will do, Office in particular added support in 2013 SP2. Apart from that, you need to make sure OAuth is enabled service-side, which for Exchange is done via PowerShell (although most tenants should have it already enabled).

 

Lastly, app passwords are not needed. They are a legacy "workaround" for scenarios where the client apps didnt support MFA, this is no longer the case for any Microsoft app.