Mar 20 2020 06:58 AM
Mar 20 2020 06:58 AM
I am still being prompted to use app passwords for my Windows 10 Business desktop version of Outlook (Office 365 version) even though I am running it on Windows 10 Business (Azure AD Joined), from an Azure AD user profile.
I've enabled a Conditional Access policy to enable MFA for Modern Authentication apps but I'm still never prompted for Passwordless Signin MFA when I launch Outlook.
I do get the Passwordless Signin when I log into Outlook web.
Any ideas on why I'm not being prompted for MFA when launching my native Windows desktop apps?
Mar 20 2020 11:36 AM
Modern auth needs to be enabled server-side first, and while this should now be true for all tenants, I'd suggest you verify just in case. Also, client side it can be disabled via GPO/reg keys, so cover that as well.
Mar 23 2020 08:50 AM
Modern authentication is definitely enabled on the backend.
What other things should I be checking to identify why my desktop apps don't get prompted for 2FA?
Mar 23 2020 09:04 AM
Hi, Azure AD sign-in logs are useful, search for the entries that correspond with the activity you have mentioned and see what CA policies are applying or being skipped. Also, I'd play around with the what if tool to model your expectations.
Also be aware in some circumstances a trusted device won't always prompt for MFA, as the device itself is considered the second factor.
Mar 23 2020 09:39 AM
I'm not familiar with the "What If" tool?
Mar 23 2020 10:06 AM
I already gave you the list of things to check, if you mean the actual keys, this article lists them: https://docs.microsoft.com/en-us/exchange/troubleshoot/modern-authentication/modern-authentication-c...
The best tool to use in troubleshooting is Fiddler, or anything else that can capture a network trace. But at this point, you can just show us what exactly you are seeing in Outlook, for example when configuring a new profile.
Mar 23 2020 10:37 AM
Here it is, I use whenever I am working on CA along with the Azure AD sign-in logs, it tells you a lot on what's happening.
The below shows activity in Outlook desktop client when the user was interrupted to register for MFA after signing in, per the requirement.
Here is a bit more info on trusted devices NOT prompting for MFA in some circumstances here which is by design.
Mar 27 2020 09:19 AM
Ah OK this makes more sense to me, if the theory is that if I'm logging into an Azure AD Joined device, then that initial login is what the native Office 365 desktop apps consider to be the 'second auth' method.
However, at first setup, I'm still required to use an App Password when initially configuring my Outlook 365 clients on these Azure AD Joined devices. Is that the expected behavior, even with Modern Auth enabled on the backend?