May 24 2017
- last edited on
Jul 24 2020
Currently we are in a hybrid environment where we utilize ADConnect to sync passwords up to our Azure AD tenant. All user mailboxes are on Office 365 with an Exchange 2010 SP3 environment on prem. We also have Skype for Business on prem as well. Please don't ask why we are set up this way. Management and their infinite wisdom. The users we are testing with have Office 2016 and I've enabled modern authentication for Exchange Online and verified they are connecting that way. Well, any time I enable a user for MFA, after about an hour or so they start getting prompted in Outlook and Skype for their credentials. Entering them does not work, nor does the app password. What it turns out to be is their accounts are locked out in our on prem AD.
We've tried clearing out all credentials and that works sometimes. My question is: has anyone run into a scenario such as this where the user's account locks out a while after MFA is enabled? If so, did you find a resolution? We can't move forward with this until this stops happening every time we enable someone.
Thanks in advance.
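The first thing a practitioner would want for the lockout described above is to find out which host is submitting the bad passwords. The script below is an added example, not part of the original post: it reads the account's lockout counters and the 4740 lockout events from the PDC emulator (which logs every lockout regardless of which DC saw the failures) and groups them by the caller computer name. It assumes the RSAT ActiveDirectory module, rights to read the Security log on the PDC emulator, and a placeholder account name `jdoe`.

```powershell
# Added example (not from the original thread): locate the source of the on-prem
# AD lockouts that start after MFA is enabled.
# Assumptions: RSAT ActiveDirectory module, read access to the PDC emulator's
# Security log, and a constructed placeholder account 'jdoe'.
Import-Module ActiveDirectory

$User = 'jdoe'   # assumption: replace with the affected sAMAccountName

# Every lockout is replicated to the PDC emulator as event 4740, so query it
# instead of whichever DC the workstation happens to talk to.
$Pdc = (Get-ADDomain).PDCEmulator

# Current lockout state and bad-password counters for the account.
Get-ADUser -Identity $User -Server $Pdc `
    -Properties LockedOut, lockoutTime, badPwdCount, LastBadPasswordAttempt |
    Select-Object SamAccountName, LockedOut, badPwdCount, LastBadPasswordAttempt

# Pull the last 48 hours of lockout events. For 4740 the EventData field
# TargetDomainName carries the name of the computer that sent the bad password.
$Events = Get-WinEvent -ComputerName $Pdc -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = (Get-Date).AddHours(-48)
} -ErrorAction SilentlyContinue

function ConvertFrom-EventData {
    # Turn the <Data Name="..."> elements of an event into a hashtable so the
    # fields can be read by name rather than by positional index.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $data = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($node in $xml.Event.EventData.Data) {
        $data[$node.Name] = $node.'#text'
    }
    return $data
}

$Lockouts = foreach ($e in $Events) {
    $d = ConvertFrom-EventData -Event $e
    if ($d['TargetUserName'] -eq $User) {
        [pscustomobject]@{
            Time           = $e.TimeCreated
            User           = $d['TargetUserName']
            CallerComputer = $d['TargetDomainName']
        }
    }
}

# Most recent lockouts first, then a count per source host.
$Lockouts | Sort-Object Time -Descending | Format-Table -AutoSize
$Lockouts | Group-Object CallerComputer | Select-Object Name, Count
```

If the caller computer turns out to be the on-prem Exchange or Skype front end rather than the user's own workstation, the bad passwords are arriving through an on-prem service, which narrows the search to whatever the Office clients are still contacting on prem. On that host, events 4771 (Kerberos) and 4776 (NTLM) on the DCs carry the originating client address.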
May 24 2017 03:44 PM - edited May 24 2017 03:45 PM
Does the user have any other devices connected?
I have seen in the past that some devices cause the lockout; that could be your cause.
May 25 2017 08:13 AM
Users usually have a mobile device, but we go through and enroll them via MS Intune Company Portal beforehand. Once the user has MFA enabled we then go through the process of setting up their App Password, which is then entered into the credentials section of the mail app they are using. It usually accepts this part and continues to sync.
I am wondering if this part is done too soon, before everything has had time to replicate, causing the lockout.
May 28 2017 02:34 PM
Just use app passwords, which are generated when you enable MFA. These passwords should be used for all non-web apps.
May 10 2018 09:36 PM
We are seeing the same issue. We have tried using both app passwords and modern authentication. We get a continual password request loop from Outlook that eventually locks the user account out. We have ensured that Exchange Online is configured to allow modern auth. Did anyone come up with a solution?
May 23 2018 08:54 AM
Jun 21 2018 09:34 AM
We found a solution. Don't use the Azure MFA that MS has to offer, since it is so buggy and lacking support, and use a 3rd party solution. We switched to Duo and it is light years ahead of MS in terms of functionality, administration, reporting and, most importantly, support. I know that's an expense companies may not be looking for, but we were tired of fighting all the issues that came with Azure MFA and the lack of support. The conditional access policies they are pushing people towards aren't mature enough yet.
Jul 23 2018 07:41 AM
We have the same thing going on with Modern Authentication. I believe it has to do with our autodiscover records (SCP and DNS) pointing at our on-prem 2010 Exchange server (which doesn't support modern auth). I'm going to be changing it to point at Office 365 autodiscover this week. Hopefully it fixes it.
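The post above suspects that Autodiscover (SCP and DNS) is steering Outlook to the on-prem Exchange 2010 server, which cannot offer modern auth, and the earlier post mentions having confirmed modern auth in Exchange Online. The script below is an added example, not code from the thread: it lists the Autodiscover SCPs in the Configuration partition, resolves the Autodiscover DNS records, probes the Autodiscover endpoint to see whether a `Bearer` (OAuth) challenge is offered alongside the legacy schemes, and reads the tenant's `OAuth2ClientProfileEnabled` flag. It assumes Windows PowerShell 5.1, the RSAT ActiveDirectory module, the ExchangeOnlineManagement module, and a placeholder domain `contoso.com`.

```powershell
# Added example (not from the original thread): check where Outlook's
# Autodiscover lookups land and whether modern auth is actually offered.
# Assumptions: Windows PowerShell 5.1, RSAT ActiveDirectory module,
# ExchangeOnlineManagement module, and a constructed placeholder domain.
Import-Module ActiveDirectory

$Domain = 'contoso.com'   # assumption: the users' SMTP/Autodiscover domain

# 1. Service Connection Points. Domain-joined Outlook queries AD for these
#    before it tries DNS; 77378F46-... is the well-known Autodiscover keyword.
$ConfigNC = (Get-ADRootDSE).configurationNamingContext
Get-ADObject -SearchBase $ConfigNC `
    -LDAPFilter '(&(objectClass=serviceConnectionPoint)(keywords=77378F46-2C66-4aa9-A6A6-3E7A48B19596))' `
    -Properties serviceBindingInformation |
    Select-Object Name, @{ n = 'URL'; e = { $_.serviceBindingInformation -join '; ' } }

# 2. DNS fallbacks. For mailboxes in Office 365 the CNAME is expected to point
#    at autodiscover.outlook.com rather than the on-prem CAS.
Resolve-DnsName -Name "autodiscover.$Domain" -Type CNAME -ErrorAction SilentlyContinue |
    Select-Object Name, Type, NameHost
Resolve-DnsName -Name "_autodiscover._tcp.$Domain" -Type SRV -ErrorAction SilentlyContinue |
    Select-Object Name, NameTarget, Port

# 3. Probe the endpoint. An unauthenticated GET returns 401 with one
#    WWW-Authenticate header per scheme; Exchange 2010 offers only Basic/NTLM/
#    Negotiate, while an OAuth-capable endpoint adds "Bearer ...".
function Get-AutodiscoverAuthSchemes {
    param([string]$Url)
    try {
        Invoke-WebRequest -Uri $Url -UseBasicParsing -ErrorAction Stop | Out-Null
        return @()          # no challenge at all: nothing to report
    }
    catch {
        $resp = $_.Exception.Response   # HttpWebResponse in PowerShell 5.1
        if ($null -eq $resp) { return @("no response: $($_.Exception.Message)") }
        $values = $resp.Headers.GetValues('WWW-Authenticate')
        if ($null -eq $values) { return @() }
        return @($values)
    }
}

$Url     = "https://autodiscover.$Domain/autodiscover/autodiscover.xml"
$Schemes = Get-AutodiscoverAuthSchemes -Url $Url
if ($Schemes -match '^Bearer') {
    "$Url offers Bearer (modern auth): $($Schemes -join ' | ')"
}
else {
    "$Url offers only legacy schemes: $($Schemes -join ' | ')"
}

# 4. Tenant-wide modern auth switch in Exchange Online.
Connect-ExchangeOnline -ShowBanner:$false
Get-OrganizationConfig | Select-Object Name, OAuth2ClientProfileEnabled
Disconnect-ExchangeOnline -Confirm:$false
```

Run step 3 twice: once against the name the SCP or CNAME currently resolves to, and once against `autodiscover-s.outlook.com` for comparison. If the first answer lists no `Bearer` scheme, Outlook is being handed a server that can only negotiate legacy authentication for that user, which is exactly the situation the post above is about to change.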