MFA for Office 365


We are attempting to test MFA for Office 365 for one person. I went ahead and enabled and then enforced MFA for one user. Everything seemed to be fine for one day; however, the next day the user's Outlook continuously prompted him for a password. He said he put his network password in (they are syncing their AD to the cloud) but it wouldn't accept the password. Do you think Outlook wanted his app password? He is using Outlook 2016 or above and I thought Outlook 2016 and above didn't require an app password. Thanks in advance.

3 Replies

@itdweeb99: Outlook 2016 does support MFA and you don't have to create an app password. The first thing to check is what kind of prompt the user is getting: is it a modern authentication prompt or the legacy one? (The modern authentication prompt is similar to what you get when you try to log in to portal.office.com via a web browser.) If you don't get the browser-like prompt, MFA won't work for the user. Although Outlook 2016 does support MFA, in some environments I have seen people block it via the registry (still don't know why someone would do that!). Check the following registry key to enable/disable ADAL: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity:"EnableADAL"=dword:1

Though Outlook 2016 has modern authentication enabled, if the key is not there you can try to create it. These steps apply only if you are still getting the legacy prompt and not the modern authentication prompt.


@harveer singh 

The prompt is a legacy prompt. It's the same type of prompt the user has always gotten. We did attempt putting that registry key in but that had no effect.


For older tenants, modern auth isn't enabled by default in Exchange Online, so check for that. On the client side, apart from the reg key mentioned above, clear any stored credentials.
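
The three checks raised in the replies above (client registry value, stored credentials, tenant-side modern auth), gathered into one PowerShell diagnostic as an added example that is not part of any post in this thread. It assumes the ExchangeOnlineManagement module is installed and `Connect-ExchangeOnline` has already been run for the tenant check; the function names and the credential filter pattern are hypothetical.

```powershell
# Added diagnostic sketch. Run the client checks as the affected user.
$identityKey = 'HKCU:\Software\Microsoft\Office\16.0\Common\Identity'

function Get-AdalClientState {
    # Reads the EnableADAL value named in the thread; a missing key or value is reported, not created.
    $value = $null
    if (Test-Path $identityKey) {
        $prop = Get-ItemProperty -Path $identityKey -Name EnableADAL -ErrorAction SilentlyContinue
        if ($prop) { $value = $prop.EnableADAL }
    }
    if ($null -eq $value) { 'EnableADAL not set (client default applies)' }
    elseif ($value -eq 1) { 'EnableADAL = 1 (modern authentication enabled on client)' }
    elseif ($value -eq 0) { 'EnableADAL = 0 (modern authentication blocked on client)' }
    else                  { "EnableADAL = $value (unexpected value)" }
}

function Get-StoredOfficeCredential {
    # Lists Credential Manager entries that may hold a stale password.
    # The 'Office|Outlook' filter is an assumption; review the full `cmdkey /list` output if it finds nothing.
    cmdkey /list | Select-String -Pattern 'Office|Outlook' | ForEach-Object { $_.Line.Trim() }
}

function Get-TenantModernAuthState {
    # Tenant-wide switch for modern authentication in Exchange Online.
    # Needs an existing Connect-ExchangeOnline session with rights to read the organization config.
    $enabled = (Get-OrganizationConfig).OAuth2ClientProfileEnabled
    if ($enabled) { 'Tenant: modern authentication enabled' }
    else          { 'Tenant: modern authentication disabled (clients fall back to the legacy prompt)' }
}

'--- Client registry ---'
Get-AdalClientState

'--- Stored credentials ---'
$creds = Get-StoredOfficeCredential
if ($creds) { $creds } else { 'No matching stored credentials found' }

'--- Exchange Online tenant ---'
try   { Get-TenantModernAuthState }
catch { "Tenant check skipped: $($_.Exception.Message)" }

# If the tenant reports disabled, an Exchange admin can turn it on with:
#   Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
```

A legacy prompt with `EnableADAL = 1` on the client and modern authentication disabled on the tenant matches the situation described in the thread, where setting the registry value alone had no effect.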