MFA - Outlook 2010 (App Password or Basic Credential)

Fraser MacFarlane
Visitor

Hi all,

Apologies if this has already been discussed at length. Trying to establish the correct behaviour when an Azure AD account has MFA enabled and the user is using Outlook 2010 to access their Exchange Online mailbox. I know 2010 doesn't support Modern Auth, but unfortunately our Office refresh program is somewhat behind and we have a pressing need to enable MFA to combat some recent malicious activity.

So far our experience is that a user with Outlook 2010 can authenticate using current Azure AD credentials, whereas our expectation is that current Azure AD credentials would fail in favour of an App Password.

I am hoping that our experience to date is not the expected behaviour.

1 Reply

MFA enabled is different from MFA enforced, the latter one meaning that the user will have to go over the MFA challenge every time he accesses an O365 resource. If they are simply "enabled", they need to go over the setup process first (part of which is creating an app password). You can also force MFA via Conditional Access for just specific apps.

There's a more detailed explanation here: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates#enable-a...
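
One way to measure the gap discussed in this thread, as an added example that is not part of the original posts: it cross-references per-user MFA states with sign-in records and lists accounts where a legacy (basic auth) client signed in successfully although the state is not Enforced. The record layout, the legacy client list and all sample data are constructed assumptions modelled on Azure AD sign-in log fields.

```python
"""Added example: flag legacy-auth sign-ins that did not need an app password."""

# Client labels treated as legacy (basic) authentication. Modelled on the
# clientAppUsed values seen in Azure AD sign-in logs; the list is an assumption.
LEGACY_CLIENTS = {
    "MAPI Over HTTP", "Outlook Anywhere (RPC over HTTP)",
    "Exchange Web Services", "Exchange ActiveSync",
    "IMAP4", "POP3", "Authenticated SMTP", "Other clients",
}

def find_password_only_legacy_signins(mfa_states, signins):
    """Return {upn: {"state", "clients", "count"}} for successful legacy
    sign-ins by users whose per-user MFA state is not Enforced."""
    findings = {}
    for event in signins:
        if event["clientAppUsed"] not in LEGACY_CLIENTS:
            continue  # not a legacy protocol, out of scope for this check
        if event["errorCode"] != 0:
            continue  # failed attempts are not the gap being measured
        upn = event["userPrincipalName"].lower()
        state = mfa_states.get(upn, "Disabled")  # unknown user: assume no MFA
        if state == "Enforced":
            continue  # regular password is rejected here, so an app password was used
        entry = findings.setdefault(upn, {"state": state, "clients": set(), "count": 0})
        entry["clients"].add(event["clientAppUsed"])
        entry["count"] += 1
    return findings

# Constructed sample data (not real accounts or logs).
SAMPLE_STATES = {
    "alice@contoso.example": "Enabled",
    "bob@contoso.example": "Enforced",
    "carol@contoso.example": "Disabled",
}
SAMPLE_SIGNINS = [
    {"userPrincipalName": "Alice@contoso.example", "clientAppUsed": "MAPI Over HTTP", "errorCode": 0},
    {"userPrincipalName": "alice@contoso.example", "clientAppUsed": "Browser", "errorCode": 0},
    {"userPrincipalName": "bob@contoso.example", "clientAppUsed": "MAPI Over HTTP", "errorCode": 0},
    {"userPrincipalName": "carol@contoso.example", "clientAppUsed": "IMAP4", "errorCode": 50126},
    {"userPrincipalName": "carol@contoso.example", "clientAppUsed": "Exchange ActiveSync", "errorCode": 0},
    {"userPrincipalName": "alice@contoso.example", "clientAppUsed": "Outlook Anywhere (RPC over HTTP)", "errorCode": 0},
]

if __name__ == "__main__":
    hits = find_password_only_legacy_signins(SAMPLE_STATES, SAMPLE_SIGNINS)
    for upn, info in sorted(hits.items()):
        print(f"{upn}: state={info['state']} legacy_successes={info['count']} via {sorted(info['clients'])}")
```

Accounts in the output are candidates for moving to Enforced (with app passwords issued) or for a Conditional Access policy covering Exchange Online.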