Multi-factor Authentication breaks outlook


Just wondering if anyone has run into this issue.  

 

I have been turning on MFA for users a group at a time, and all was going smoothly. The next morning, after turning on MFA for the last handful of users, I had to force a password change company-wide due to an internal issue. After doing this, Outlook started prompting, but only for the last handful of users. No matter which password was entered, it continued to prompt. I tried the domain credentials and I even popped in the app password, as I read an article that mentioned this, but this did not work for me. Just wondering if anyone has run into something similar or can shed any light on what may have caused this issue while I wait for 2nd level support to call me.


I just left a similar report with Feedback Hub, but my problems arose from having too many users on a couple of cards with shared users on multiple systems. Anyone besides me get a user disconnect after the update last night?

I WAS able to get this to work finally, without wiping the Windows OS. Here is what I did.

 

First: I added the registry key per the instructions below (it wasn't there originally). (Also, when I "ran as admin" the "Exchange" folder wasn't present, but when I opened normally {on an AD client} the "Exchange" folder WAS there.)

 

Second: I removed Multi-Factor Auth for my user.

 

Third: I opened Outlook ---> Clicked File ----> Office Account ---> I signed out of all accounts (one user had 3, one user had only 1)

 

Fourth: Turned back on multi factor

 

Fifth: Opened Outlook and when I did - In one case I had to enter the App Password in the New Style App box. In the other case, Outlook just opened and worked. In both cases multi-factor is on and continues to work. Copied and pasted the key below. Hope that helps someone.

 

  1. Exit Outlook.
  2. Start Registry Editor. To do this, use one of the following procedures, as appropriate for your version of Windows:
    • Windows 10, Windows 8.1 and Windows 8: Press Windows Key + R to open a Run dialog box. Type regedit.exe, and then press Enter.
    • Windows 7: Click Start, type regedit.exe in the search box, and then press Enter.
  3. In Registry Editor, locate and then click the following registry subkey:
     HKEY_CURRENT_USER\Software\Microsoft\Exchange
  4. On the Edit menu, point to New, and then click DWORD Value.
  5. Type AlwaysUseMSOAuthForAutoDiscover, and then press Enter.
  6. Right-click AlwaysUseMSOAuthForAutoDiscover, and then click Modify.
  7. In the Value data box, type 1, and then click OK.
  8. Exit Registry Editor.

Interesting, could you post a screenshot of the Outlook Connection window, just the Authn and Encrypt columns? I'd like to see what is displayed.

Christian, I would have loved to. At the time I was just shooting in the dark and I did not take any screenshots. If I have this come up again with another client I will certainly post images here for you. Regards.

This worked for me. Removed credentials related to Office 2016. Then restarted Outlook, put in an App Password and it came up.

Incredible!

Microsoft wants tenants to use MFA and this is the garbage we have to go through to set it up so it works for our users!!!

Here we are evaluating MFA for our organization and this is totally ridiculous from Microsoft! Right now we are using App passwords for our trial group of 8. I can't imagine going through all these steps for ALL our users just so MFA works properly.

Come on Microsoft get with it!

/rant off

Keep in mind app passwords bypass MFA. Outlook, esp. 2016, has built-in Modern Auth, so it should be able to auth users against ADFS if domains are federated, or against Azure. Using app passwords in Outlook for me is a no-no, but that's just me. I'd rather find the root cause of why Outlook is prompting and fix that.

The only things using app passwords in my environment are mobile devices: iPads, iPhones, Android phones/tablets. Everything else is using ADFS.

Hi, we have migrated to Office 365, with an Exchange 2013 hybrid server and Outlook 2013 clients. I would like to implement 2FA/MFA, but it breaks Outlook. We also don't currently have Azure Premium P1 licences, so we can't implement Conditional Access.

Reading the above messages, is it the case that with Outlook 2013 we would have to use the app password, but would not have to if all the clients were using Outlook 2016?

Would the hybrid server running exchange 2013 be an issue?

Have you checked Credential Manager in Control Panel? Are users given the option to save their password when prompted by Outlook to authenticate?

 

This is the one that helped me the most with my issue. Thanks @Jay_Scott

Hi Jay, 

 

I presume you restarted your client after editing registry? I've done your method but it's not working.

 

I'm just going to create a new user, delete current one and rename.  

 

@Jay_Scott 

This solved my problem, thank you!

@Christian Taveras 

 

Please be aware that Microsoft has announced that it is going to forbid App passwords (i.e. basic authentication) for clients accessing Outlook Web Services beginning in October of 2020.  I've been testing Outlook on Android and there are currently many issues regarding 2-way, unattended, sync of contact information between Office 365 and Outlook App for Android.  I've reported all of the issues I identified to Outlook App support, and they say they will address them.  I'm also hoping that Android App providers like Samsung Mail App and Google Gmail App will be updated to support Modern Auth.

 

https://techcommunity.microsoft.com/t5/Exchange-Team-Blog/Improving-Security-Together/ba-p/805892

 

 

Our issue was mainly with the Outlook 2016 client on Windows 10. Long story short, Outlook was communicating to O365 not using Modern Auth, but Basic Auth. Ran MS SaRA, which was flicking a switch somewhere in the Windows profile, and that addressed our issue. As far as the Outlook app goes, I have pushed a modern auth mail profile to Android and iOS using iTunes without issue.

Doing this, the app is now using the user's network password instead of the app password.

This is how we fixed the issue. 

Fix 1 was to go to a different PC and set up Outlook, then export HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity, then go to the PC that is not working, delete all the keys from within this location, and then import the exported file from the working PC.

Fix 2

We went to HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity and removed these entries in the registry.

    "ConnectedAccountWamAad"="eba13797-f788-4703-be3b-eb3bcd516147"
    "ConnectedWAMIdentity"="eN64CdJkOrIQs11PRFgzde4uBi5v7oEeiNK5ZF4JXFk"
    "DisableADALForExtendedApps"=dword:00000000
    "DisableADALSetSilentAuth"=dword:00000000
    "DisableHttpRequestWinTimings"=dword:00000000
    "DisableSessionAwareHttpClose"=dword:00000000
    "EnableADAL"=dword:00000000
    "Mso99lUpdatedForADALExtendedApps"=dword:00000001
    "msoridDisableOstringReplace"=dword:00000000
    "msoridDisableGuestCredProvider"=dword:00000000
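An added example, not from any reply in this thread, that scripts the two client-side registry changes discussed above (Jay_Scott's AlwaysUseMSOAuthForAutoDiscover value and the Fix 2 removal of the cached identity values) in PowerShell, so they can be pushed to many users instead of being done by hand in regedit. Assumptions: Office 2016 (the 16.0 hive), the value names exactly as listed in the post, and that the script runs in the affected user's own session (HKCU is per-user, which is why the Exchange key was visible only when regedit was opened as the user rather than "run as admin"). It exports the Identity key first, so Fix 1 (re-importing a known-good export with reg import) stays available if the reset does not help.

```powershell
# Added example (not from the thread): client-side reset of the Outlook 2016
# Autodiscover/identity registry state described in the two fixes above.
# Assumptions: Office 16.0 per-user hive; value names copied from the post.
# Run in the affected user's context, with Outlook closed. Supports -WhatIf.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$BackupDir = (Join-Path $env:LOCALAPPDATA 'OutlookAuthReset')
)

$identityKey = 'HKCU:\Software\Microsoft\Office\16.0\Common\Identity'
$exchangeKey = 'HKCU:\Software\Microsoft\Exchange'

# Values the Fix 2 post removed (names copied verbatim). The WAM/ADAL entries are
# cached per-user identity state and are expected to be rebuilt on the next sign-in.
$valuesToRemove = @(
    'ConnectedAccountWamAad', 'ConnectedWAMIdentity',
    'DisableADALForExtendedApps', 'DisableADALSetSilentAuth',
    'DisableHttpRequestWinTimings', 'DisableSessionAwareHttpClose',
    'EnableADAL', 'Mso99lUpdatedForADALExtendedApps',
    'msoridDisableOstringReplace', 'msoridDisableGuestCredProvider'
)

if (Get-Process -Name OUTLOOK -ErrorAction SilentlyContinue) {
    throw 'Outlook is running; close it first (step 1 of the registry instructions).'
}

# 1. Back up the whole Identity key with reg.exe so the change is reversible
#    ("reg import <file>" restores it; Fix 1 copies a working profile the same way).
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$backupFile = Join-Path $BackupDir ('Identity-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
if ($PSCmdlet.ShouldProcess($identityKey, "export to $backupFile")) {
    & reg.exe export 'HKCU\Software\Microsoft\Office\16.0\Common\Identity' $backupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }
}

# 2. Remove the stale identity values (Fix 2). Values that are absent are skipped.
if (Test-Path $identityKey) {
    $present = (Get-Item $identityKey).GetValueNames()
    foreach ($name in $valuesToRemove | Where-Object { $present -contains $_ }) {
        if ($PSCmdlet.ShouldProcess("$identityKey\$name", 'remove value')) {
            Remove-ItemProperty -Path $identityKey -Name $name
        }
    }
}

# 3. Force Autodiscover to use modern auth (Jay_Scott's DWORD). Key created if absent.
if ($PSCmdlet.ShouldProcess("$exchangeKey\AlwaysUseMSOAuthForAutoDiscover", 'set to 1')) {
    if (-not (Test-Path $exchangeKey)) { New-Item -Path $exchangeKey -Force | Out-Null }
    New-ItemProperty -Path $exchangeKey -Name AlwaysUseMSOAuthForAutoDiscover `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

# 4. Show the resulting state so it can be verified before Outlook is relaunched.
Get-ItemProperty -Path $exchangeKey -Name AlwaysUseMSOAuthForAutoDiscover -ErrorAction SilentlyContinue |
    Select-Object AlwaysUseMSOAuthForAutoDiscover
if (Test-Path $identityKey) { (Get-Item $identityKey).GetValueNames() }
```

Run it once with -WhatIf to see exactly which values would be removed on a given machine; if Outlook still prompts for basic credentials afterwards, the backup .reg file puts the Identity key back, and the tenant-side modern auth setting discussed further down the thread is the next thing to check.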

@Christian Taveras years later (though this thread was still active only a couple of months ago) I have one more potential culprit and an actual solution versus a workaround/hack. For everyone's sake, hopefully it's the solution once and for all, as it should take you 5 minutes to make a single global change.

 

The solution came from continually following links from one of the replies above to Microsoft, back to other forums and around in a loop, but I pieced together the actual problem and was then able to find the solution. I figured I'd post this to help someone cut to the chase instead of having to follow the same rabbit hole I did. I tried SaRA to no avail (just like with a couple of your tenants), and recreating the Windows profile was the only solution that seemed reliable, which is not really an organization-wide option.

 

I noticed, like you, I had a problem with some users, not all.  I subsequently identified these users were all older tenants.  I then found an article from Microsoft that said "For tenants created before August 1, 2017, modern authentication is turned off by default for Exchange Online and Skype for Business Online."

 

Essentially, try as you may with local options, when your tenant attempts to authenticate with Exchange Online, O365 is forcing Outlook to use basic auth, not modern auth. So your "switch flicking" from SaRA either did something server side, not local, or it changed something in the local registry that ignored O365 asking for Basic Auth. This could explain why registry hacks work. Android, iOS, and OS X applications only have modern auth, so they cannot have the problem (:facepalm: only the application native to a Microsoft operating system can).

 

Solution... force all users to Modern Authentication. In retrospect this makes sense as I've noticed new users always got the modern auth prompt even before trying to implement MFA while the old timers like myself had basic auth prompts still pop up occasionally.

 

Note: this assumes you are on 2016/Outlook for Office 365, 2013 users still additionally have to enable ADAL with registry changes first, then you follow the instructions below to enable modern auth with Exchange Online-> https://support.office.com/en-us/article/enable-modern-authentication-for-office-2013-on-windows-dev...

 

Solution in detail:

 

Run PowerShell. Here is another gotcha: in a fun Microsoft twist of irony, if you have MFA enabled for this user you will have to download the Microsoft Exchange Online Remote PowerShell Module to get modern auth in the PowerShell environment. If your username can log in with basic auth, search -> powershell -> run as admin.

 

Connect to Exchange Online in PowerShell:

    Connect-EXOPSSession -UserPrincipalName chris@contoso.com

(for US-based Office 365; for others, you will need to find the URIs)

Enable Modern Authentication in Exchange Online:

    Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

Check the status of Modern Authentication:

    Get-OrganizationConfig | Format-Table Name,OAuth* -Auto

    PS C:\Users\StevenOsuch> Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
    PS C:\Users\StevenOsuch> Get-OrganizationConfig | Format-Table Name,OAuth* -Auto

    Name                 OAuth2ClientProfileEnabled
    ----                 --------------------------
    domain.somewhere.com                       True

 

 

Now open up Outlook, it worked instantly, I didn't even have to provide credentials as it pulled it from my laptop which already had the SSO profile that had been authenticated at login.

 

Retrospectively, looking at the Set-Up MFA for O365 article (https://docs.microsoft.com/en-us/microsoft-365/admin/security-and-compliance/set-up-multi-factor-aut...), it mentions this as well but this was just updated a couple of days ago so maybe it wasn't there before.

 

Final note, if you still use Skype for Business, you have to enable Modern Auth separately using the Skype specific connection and command prompts.
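An added example, not part of the post above, that does the same tenant-side check and change with the current ExchangeOnlineManagement module (Connect-ExchangeOnline), which replaced the Connect-EXOPSSession module named in the post and itself signs in with modern auth, so an MFA-enabled admin can run it without an app password. It reads OAuth2ClientProfileEnabled first, only writes when the flag is off, and then re-reads it to verify, exactly as the post does by hand. Assumptions: the module is installed (Install-Module ExchangeOnlineManagement) and the admin UPN is supplied by the caller; the Skype for Business setting mentioned in the final note is separate and not covered here.

```powershell
# Added example (not from the thread): check, and if needed enable, modern auth for
# Exchange Online with the ExchangeOnlineManagement module. Assumes the module is
# installed; $AdminUpn is a placeholder for a real Exchange admin account.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string]$AdminUpn
)

Import-Module ExchangeOnlineManagement -ErrorAction Stop
# Connect-ExchangeOnline authenticates with modern auth, so MFA on $AdminUpn is fine.
Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

try {
    # OAuth2ClientProfileEnabled is the tenant-wide modern auth switch for Exchange
    # Online; the post flips it with Set-OrganizationConfig. Read before writing.
    $before = Get-OrganizationConfig | Select-Object Name, OAuth2ClientProfileEnabled
    Write-Host ('Tenant {0}: OAuth2ClientProfileEnabled = {1}' -f $before.Name, $before.OAuth2ClientProfileEnabled)

    if (-not $before.OAuth2ClientProfileEnabled) {
        if ($PSCmdlet.ShouldProcess($before.Name, 'enable modern authentication (OAuth2ClientProfileEnabled = $true)')) {
            Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
        }
    }

    # Re-read rather than trusting the write; the post verifies the same way.
    $after = Get-OrganizationConfig | Select-Object Name, OAuth2ClientProfileEnabled
    if (-not $after.OAuth2ClientProfileEnabled -and -not $WhatIfPreference) {
        throw 'OAuth2ClientProfileEnabled is still False after Set-OrganizationConfig'
    }
    $after | Format-Table -AutoSize
}
finally {
    # Always tear the session down; leaked sessions count against the tenant's limit.
    Disconnect-ExchangeOnline -Confirm:$false
}
```

Run as `.\Enable-ExoModernAuth.ps1 -AdminUpn admin@contoso.com -WhatIf` (hypothetical file name) to see whether the tenant would be changed; tenants created before August 2017, as the post notes, are the ones likely to report False. Enabling the flag does not itself block basic auth, so clients that are still sending basic credentials keep working until they are reconfigured or Microsoft disables basic auth for the protocol.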

 

 

Thanks to a post by Phillip Lyle on https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-auth-and-exchange-online-february-20..., I discovered that Samsung Native Email App supports "Modern Auth".  I'm running Version 6.1.11.6 on Android Pie.

 

You have to remove the existing "Basic Auth" account from the email app, and add it back by selecting "Office 365" type of account instead of "Exchange" type of account.

 

As you are doing this, the setup will prompt you with the Microsoft Modern Authentication dialogue box to log you in.

 

This will also re-create your calendars and contacts, so you might have to re-customize things like Calendar Color, Custom Ringtones (which are stored in the Contacts information), and Mail Signatures.  You might want to check all of the settings in Calendar, Contacts, and Mail before removing the "Basic Auth" account instance.

 

Finally, when complete, you might want to delete the App password that you used to authenticate the "Basic Auth" account on Android from your Office 365 account.  Then, if you use a device that you forgot had Basic Auth access to your Exchange Service, the login will be rejected and you can install a Modern Auth app on the forgotten device.

 

 

 

@-Omon- wrote:

Have you tried going into Windows Credential Manager under the user profile and removing the stored Outlook credentials and then starting Outlook again?


That did the trick for my OL 2010 user. After changing her to 2FA Outlook did not prompt for credentials but simply did not connect to the server (EXO) anymore.

Login to Office 365 and create an App password.

Use that password when Outlook asks for a password.

 

If Outlook is no longer asking for a password, just remove the password in Credential Manager.

 

That did fix it for our organization.
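An added example, not from any reply in this thread, that scripts the Credential Manager cleanup suggested above (and earlier in the thread, when asking whether Credential Manager had been checked): it lists the stored Office credentials with cmdkey.exe and removes them, so the next Outlook start prompts again and stores a fresh credential instead of replaying a stale one. Assumption: Office stores its Outlook credentials under Credential Manager targets beginning with "MicrosoftOffice16_Data:" (with SSPI: or ADAL: suffixes); the prefix is a parameter so it can be adjusted for other Office versions. Credential Manager is per-user, so this has to run as the affected user, not as an elevated admin account, or it empties the wrong store.

```powershell
# Added example (not from the thread): remove the Office/Outlook entries from the
# current user's Windows Credential Manager using cmdkey.exe. Assumption: Office 2016
# targets start with "MicrosoftOffice16_Data:"; override -TargetPrefix otherwise.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$TargetPrefix = 'MicrosoftOffice16_Data:'
)

function Get-StoredCredentialTargets {
    # "cmdkey /list" prints one "    Target: <name>" line per stored credential;
    # generic credentials are shown with a "LegacyGeneric:target=" decoration.
    & cmdkey.exe /list |
        ForEach-Object {
            if ($_ -match '^\s*Target:\s*(.+?)\s*$') { $Matches[1] }
        }
}

function Get-PlainTargetName([string]$Target) {
    # cmdkey /delete expects the undecorated target name.
    $Target -replace '^LegacyGeneric:target=', ''
}

$officeTargets = Get-StoredCredentialTargets |
    Where-Object { (Get-PlainTargetName $_) -like "$TargetPrefix*" }

if (-not $officeTargets) {
    Write-Host "No stored credentials matching '$TargetPrefix*' found for $env:USERNAME."
    return
}

if (Get-Process -Name OUTLOOK -ErrorAction SilentlyContinue) {
    Write-Warning 'Outlook is running; close it so it does not rewrite the entries being removed.'
}

foreach ($target in $officeTargets) {
    $name = Get-PlainTargetName $target
    if ($PSCmdlet.ShouldProcess($name, 'cmdkey /delete')) {
        & cmdkey.exe /delete:$name | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "cmdkey could not delete '$name' (exit code $LASTEXITCODE)"
        }
    }
}
```

With -WhatIf it only lists what would be deleted, which is a quick way to confirm whether a prompting client actually has a saved Outlook credential at all. After the entries are gone, Outlook prompts once more; with tenant-side modern auth on and the client registry in order, that prompt is the modern auth sign-in rather than a basic-auth box expecting an app password.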

I had this issue just now. Problem was that the customer still used RPC instead of MAPI on-prem. Known issue it seems when migrating/connecting to EXO.

See: https://docs.microsoft.com/nl-nl/outlook/troubleshoot/authentication/outlook-prompt-password-modern-...