MFA is triggered every time an O365 application is started


Hello Community,

I'm working together with a client on moving their on-premise mailboxes to Exchange Online. As a separate process, we're activating Azure MFA for migrated users that are already using OPP (that's our prerequisite).

Most of our migrated users don't have issues after configuring Azure MFA, but I recently had 2 users that experience a weird behavior with Azure:

Every time they start Outlook (after restarting their computer, even closing and re-opening it during the same Windows session), they are asked for authentication. Normally, the users should authenticate every 90 days, not every time they start an OPP application. This for me means, the access / authentication token isn't stored somehow.

I recommended that they delete all generic login credentials (MicrosoftOffice16_Data*) from the Credentials Manager and do a restart. But this doesn't help. Also, switching them to using the smart-card to authenticate instead of Azure doesn't work.

Does this behavior or issue sound familiar to you? Do you know anything else I can do to help these users?

Best regards,

layentara

3 Replies
After doing the MFA exchange, does e-mail work properly until they restart, and then they get prompted again?

Going to assume they are on the same Outlook client that supports Modern Auth etc?

Exactly. Everything works as usual after authenticating, the users have access to their mails. But after closing / shutting down the Outlook application and opening it again, they're prompted again to do MFA.

The subscription product is Microsoft Office 365 ProPlus, the Outlook version is 1808 and 1810.

Get them to try on a different machine, and similarly get a different user to try on their machine. That way you will know for certain if it's something with the user profile. You can also do the same with respect to network location (and maybe check if they are subject to any Conditional Access policies forcing MFA).