Azure MFA breaks Office 365 and Teams authentication

Hi all,

Yesterday I enabled Azure MFA using Conditional Access for some of our users.
When I enabled Azure MFA, some users couldn't open Outlook or Teams anymore, showing a white "Accounts (Not Responding)" window.

Some more info about the clients

  • Windows 10 Enterprise

  • Hybrid Joined - Co managed

  • Credential Guard

  • BitLocker

  • Defender For Endpoint (passive mode)

Things I tried

  • Reset the AAD Broker plugin (removed the folder & let it create again) -> did not solve the issue

  • Removed the device from Azure AD, did a dsregcmd /leave, forced an AD Connect sync, and ran the workplace join task

At this point Teams seemed to be back in business, but Outlook still wasn't able to authenticate, and signing out and signing in again in other Office apps (like Word) didn't work either.

  • Outlook was unable to authenticate

  • Creating a new profile in Outlook failed autodiscover

  • Outlook didn't show a pop-up for authentication but kept the profile loading.

  • Tried clearing the Office/16.0/Common/Identities branch on the devices

  • Tried running the following command and received a "TPM not working, couldn't find key pair" error:

    if (-not (Get-AppxPackage Microsoft.AAD.BrokerPlugin)) { Add-AppxPackage -Register "$env:windir\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Appxmanifest.xml" -DisableDevelopmentMode -ForceApplicationShutdown }
    Get-AppxPackage Microsoft.AAD.BrokerPlugin

  • A reboot seems to fix the issue

I managed to get things back like they were, but I'm still looking for a root cause to mitigate before rolling out MFA to 2000 users.

Does anyone have an idea what could be going wrong? The devices that worked didn't seem to have Credential Guard enabled, but I can't seem to find threads / articles from others experiencing these issues.

Any help is greatly appreciated!

1 Reply

Hi @BoerelzZ,

Looking at your challenge from this angle, I don't immediately suspect a problem with Credential Guard or with MDE. I would start troubleshooting on the authentication front. A few things you can check:

1. Make sure that Modern Authentication on your tenant is enabled. I assume it's already enabled, just to make sure (admin.microsoft.com --> Org settings --> Modern Authentication --> Check: enable Modern Authentication).

2. Check if the Office clients support modern authentication (see this article: https://docs.microsoft.com/en-us/microsoft-365/enterprise/modern-auth-for-office-2013-and-2016?view=...)

3. Starting with build 16.0.7967, Microsoft 365 apps use Web Account Manager (WAM) for sign-in workflows on Windows builds that are later than 15000 (Windows 10, version 1703, build 15063.138). Please try the following registry change: under HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity, change the DWORD value DisableADALatopWAMOverride to 1.

If the problem persists, please run the troubleshooting tool for Office sign-in issues (download link: https://support.microsoft.com/en-us/office/about-the-microsoft-support-and-recovery-assistant-e90bb6...).

Looking forward to your reply.
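As an added diagnostic (my own example, not code from either poster or from Microsoft), the script below gathers in one pass the three things this thread turns on for a user who gets the blank "Accounts (Not Responding)" window: whether the AAD broker plugin package is registered, what dsregcmd /status reports for the device's PRT and TPM-backed key, and the Office Identity registry value from the reply. It assumes a Windows 10 hybrid-joined client; the function name and the -ApplyWamOverride switch are my own.

```powershell
# Added diagnostic helper (example code, not from the thread). Run it in the affected
# user's own session so that HKCU and dsregcmd reflect that user, not an admin account.
function Get-WamSignInDiagnostics {
    [CmdletBinding()]
    param(
        # Assumed switch name: apply the reply's workaround (DisableADALatopWAMOverride = 1)
        # instead of only reporting the current value.
        [switch]$ApplyWamOverride
    )
    $identityKey = 'HKCU:\Software\Microsoft\Office\16.0\Common\Identity'
    $report = [System.Collections.Generic.List[object]]::new()

    # 1. Broker plugin: WAM sign-in cannot work when this package is not registered.
    $broker = Get-AppxPackage -Name Microsoft.AAD.BrokerPlugin -ErrorAction SilentlyContinue
    $brokerResult = 'MISSING - re-register the package'
    if ($broker) { $brokerResult = "present ($($broker.Version))" }
    $report.Add([pscustomobject]@{ Check = 'AAD.BrokerPlugin package'; Result = $brokerResult })

    # 2. Device registration / PRT state. dsregcmd prints "Name : VALUE" lines; AzureAdPrt NO
    #    or TpmProtected NO is consistent with the "TPM ... key pair" error seen in the post.
    $status = dsregcmd /status
    foreach ($name in 'AzureAdJoined', 'DomainJoined', 'AzureAdPrt', 'TpmProtected', 'KeyProvider') {
        $line = $status | Where-Object { $_ -match "^\s*$name\s*:" } | Select-Object -First 1
        $value = 'not reported'
        if ($line) { $value = ($line -split ':', 2)[1].Trim() }
        $report.Add([pscustomobject]@{ Check = "dsregcmd $name"; Result = $value })
    }

    # 3. Office WAM override value from the reply; optionally set it, then read it back.
    if ($ApplyWamOverride) {
        if (-not (Test-Path $identityKey)) { New-Item -Path $identityKey -Force | Out-Null }
        New-ItemProperty -Path $identityKey -Name DisableADALatopWAMOverride `
            -PropertyType DWord -Value 1 -Force | Out-Null
    }
    $props = Get-ItemProperty -Path $identityKey -ErrorAction SilentlyContinue
    $override = 'not set (WAM in use)'
    if ($props -and $null -ne $props.DisableADALatopWAMOverride) {
        $override = "$($props.DisableADALatopWAMOverride) (1 = fall back to ADAL)"
    }
    $report.Add([pscustomobject]@{ Check = 'DisableADALatopWAMOverride'; Result = $override })

    return $report
}

# Report only; add -ApplyWamOverride to also set the registry value from the reply.
Get-WamSignInDiagnostics | Format-Table -AutoSize
```

Comparing the output from a working device (one without Credential Guard, per the post) with that from a failing one narrows the problem to the broker plugin, the PRT/TPM key, or the Office identity setting before the MFA rollout is widened.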