Outlook 2016 MFA freezes connecting to EXO


Hi there,

a customer of ours is in a strange situation. After being hacked, the rebuilt on-premises domain is still not yet connected to O365 via AAD Connect. That's just for additional information. Currently O365 ProPlus is not yet enrolled due to additional needed effort. Only some pilots are using it. The majority is utilizing Office 2016 and so Outlook 2016.

After some registry tweaks for autodiscover Outlook 2016 is running quite fine. But occasionally some Outlook clients are freezing. It looks like it is the point of time where the MFA session has to be renewed after 14 days.

Sorry for the German screenshot, but I guess you can recognize that this is the logon prompt for O365 which is freezing.

[Image: woelki_0-1619083585786.jpeg]

We are seeing this only for already created Outlook profiles and there only for a part of the workforce. But there is no context between the locations or different subdomains.

I have seen a quite good chance that it might be solved with the following KB.
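Outlook prompts for password and doesn't use Modern Authentication to connect to Office 365 (https://docs.microsoft.com/en-us/outlook/troubleshoot/authentication/outlook-prompt-password-modern-authentication-enabled)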

Adding the registry key AlwaysUseMSOAuthForAutoDiscover was not the solution.

In most cases the issue can only be solved by a new profile creation. Even a restart of the whole PC is not working.

Any other ideas?

Kind regards,
woelki

1 Reply

Hey guys,

unfortunately no replies yet. Btw I have created a Microsoft ticket, but they say "hey, we cannot guarantee 100% perfect Outlook connection." The support wanted to play through the default troubleshooting with cached mode on/off, new profile. I have been asked a lot if the modern authentication has been fully enabled and yes, as you can see in the screenshot it is a password prompt for the modern authentication.

So I'm still trying to force the Microsoft support to dig even deeper with a more technical approach.

In Azure Sign-Ins I have searched for the affected users who had this Outlook problem today. Just before the helpdesk solved the problem, you can see a lot of errors for the non-interactive sign-ins for the Office 365 Exchange Online resource via the Microsoft Office application.

[Image: woelki_0-1620389783738.png]

The error code AADSTS50078 is not included in the Azure error code collection (https://docs.microsoft.com/en-us/azure/active-directory/develop/reference-aadsts-error-codes#aadsts-error-codes).

Presented multi-factor authentication has expired due to policies configured by your administrator, you must refresh your multi-factor authentication to access '{resource}'.

So it looks like users who got these errors in a row have the Outlook sign-in issue. But in total I see several thousand of these notifications in the tenant, in most cases single ones.

Are these Azure sign-in failures quite normal?
Should I cross-post this in the identity forum?

Kind regards,
woelki
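
The post above distinguishes users who hit AADSTS50078 several times in a row from the many who hit it once. As an added example that is not part of the original thread, this Python sketch separates the two over exported sign-in records. Assumptions: the records use the Microsoft Graph signIn field names (userPrincipalName, createdDateTime, appDisplayName, resourceDisplayName, status.errorCode), timestamps are whole-second UTC, the sample data is constructed, and the threshold of 3 is a hypothetical choice.

```python
from collections import defaultdict
from datetime import datetime

MFA_EXPIRED = 50078                      # AADSTS50078, the code quoted in the post
RESOURCE = "Office 365 Exchange Online"  # resource named in the post
APP = "Microsoft Office"                 # client application named in the post

def _rec(user, ts, code, resource=RESOURCE):
    """Build one constructed record using Graph signIn field names (assumed)."""
    return {"userPrincipalName": user, "createdDateTime": ts,
            "appDisplayName": APP, "resourceDisplayName": resource,
            "status": {"errorCode": code}}

# Constructed sample data, deliberately out of time order; not from any tenant.
SAMPLE_RECORDS = [
    _rec("alice@example.com", "2021-05-07T08:02:00Z", 50078),
    _rec("alice@example.com", "2021-05-07T08:00:00Z", 50078),
    _rec("alice@example.com", "2021-05-07T08:01:00Z", 50078),
    _rec("alice@example.com", "2021-05-07T08:03:00Z", 50078),
    _rec("alice@example.com", "2021-05-07T08:10:00Z", 0),
    _rec("bob@example.com", "2021-05-07T09:00:00Z", 0),
    _rec("bob@example.com", "2021-05-07T09:05:00Z", 50078),
    _rec("bob@example.com", "2021-05-07T09:06:00Z", 0),
    _rec("carol@example.com", "2021-05-07T10:00:00Z", 50078),
    _rec("carol@example.com", "2021-05-07T10:01:00Z", 0),
    _rec("carol@example.com", "2021-05-07T10:02:00Z", 50078),
    _rec("dave@example.com", "2021-05-07T11:00:00Z", 50078, "Microsoft Graph"),
    _rec("dave@example.com", "2021-05-07T11:01:00Z", 50078, "Microsoft Graph"),
    _rec("dave@example.com", "2021-05-07T11:02:00Z", 50078, "Microsoft Graph"),
]

def _when(record):
    return datetime.fromisoformat(record["createdDateTime"].replace("Z", "+00:00"))

def longest_runs(records):
    """Map each user to the longest unbroken run of AADSTS50078 failures
    against Exchange Online via the Microsoft Office client."""
    per_user = defaultdict(list)
    for r in records:
        if r["resourceDisplayName"] == RESOURCE and r["appDisplayName"] == APP:
            per_user[r["userPrincipalName"].lower()].append(r)
    runs = {}
    for user, events in per_user.items():
        best = current = 0
        for r in sorted(events, key=_when):
            # Any other result (success or a different error) breaks the run.
            current = current + 1 if r["status"]["errorCode"] == MFA_EXPIRED else 0
            best = max(best, current)
        runs[user] = best
    return runs

def users_with_streak(records, min_run=3):
    """Users whose longest run reaches min_run (hypothetical threshold)."""
    return sorted(u for u, n in longest_runs(records).items() if n >= min_run)
```
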