‎Not being prompted for MFA on Outlook 365 desktop, even with Modern Auth enabled?‎

%3CLINGO-SUB%20id%3D%22lingo-sub-1241681%22%20slang%3D%22en-US%22%3E%E2%80%8ENot%20being%20prompted%20for%20MFA%20on%20Outlook%20365%20desktop%2C%20even%20with%20Modern%20Auth%20enabled%3F%E2%80%8E%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1241681%22%20slang%3D%22en-US%22%3E%3CP%3EI%20am%20still%20being%20prompted%20to%20use%20app%20passwords%20for%20my%20Windows%2010%20Business%20desktop%20version%20of%20Outlook%20(Office%20365%20version)%20even%20though%20I%20am%20running%20it%20on%20Windows%2010%20Business%20(Azure%20AD%20Joined)%2C%20from%20an%20Azure%20AD%20user%20profile.%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3CP%3EI've%20enabled%20a%20Conditional%20Access%20policy%20to%20enable%20MFA%20for%20Modern%20Authentication%20apps%20but%20I'm%20still%20never%20prompted%20for%20Passwordless%20Signin%20MFA%20when%20I%20launch%20Outlook.%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3CP%3EI%20do%20get%20the%20Passwordless%20Signin%20when%20I%20log%20into%20Outlook%20web.%3CBR%20%2F%3E%3CBR%20%2F%3EAny%20ideas%20on%20why%20I'm%20not%20being%20prompted%20for%20MFA%20when%20launching%20my%20native%20Windows%20desktop%20apps%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1241681%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EMFA%20Azure%20and%20Office%20Admin%20Portal%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Emodern%20authentication%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOutlook%20365%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1242380%22%20slang%3D%22en-US%22%3ERe%3A%20%E2%80%8ENot%20being%20prompted%20for%20MFA%20on%20Outlook%20365%20desktop%2C%20even%20with%20Modern%20Auth%20enabled%3F%E2%80%8E%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1242380%22%20slang%3D%22en-US%22%3E%3CP%3EModern%20auth%20needs%20to%20be%20enabled%20server-side%20first%2C%20and%20while%20this%20should%20now%20be%20true%20for%20all%20tenants%2C%20I'd%20suggest%20you%20verify%20just%20in%20case.%20Also%2C%20client%20side%20it%20can%20be%20disabled%20via%20GPO%2Freg%20keys%2C%20so%20cover%20that%20as%20well.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1247031%22%20slang%3D%22en-US%22%3ERe%3A%20%E2%80%8ENot%20being%20prompted%20for%20MFA%20on%20Outlook%20365%20desktop%2C%20even%20with%20Modern%20Auth%20enabled%3F%E2%80%8E%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1247031%22%20slang%3D%22en-US%22%3E%3CP%3EModern%20authentication%20is%20definitely%20enabled%20on%20the%20backend.%20%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhat%20other%20things%20should%20I%20be%20checking%20to%20identify%20why%20my%20desktop%20apps%20don't%20get%20prompted%20for%202FA%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1247065%22%20slang%3D%22en-US%22%3ERe%3A%20%E2%80%8ENot%20being%20prompted%20for%20MFA%20on%20Outlook%20365%20desktop%2C%20even%20with%20Modern%20Auth%20enabled%3F%E2%80%8E%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1247065%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%20Azure%20AD%20sign-in%20logs%20are%20useful%2C%20search%20for%20the%20entries%20that%20correspond%20with%20the%20activity%20you%20have%20mentioned%20and%20see%20what%20CA%20policies%20are%20applying%20or%20being%20skipped.%26nbsp%3B%20Also%2C%20I'd%20play%20around%20with%20the%20what%20if%20tool%20to%20model%20your%20expectations.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAlso%20be%20aware%20in%20some%20circumstances%20a%20trusted%20device%20won't%20always%20prompt%20for%20MFA%2C%20as%20the%20device%20itself%20is%20considered%20the%20second%20factor.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1247159%22%20slang%3D%22en-US%22%3ERe%3A%20%E2%80%8ENot%20being%20prompted%20for%20MFA%20on%20Outlook%20365%20desktop%2C%20even%20with%20Modern%20Auth%20enabled%3F%E2%80%8E%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1247159%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F2395%22%20target%3D%22_blank%22%3E%40Cian%20Allner%3C%2FA%3E%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI'm%20not%20familiar%20with%20the%20%22What%20If%22%20tool%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1247248%22%20slang%3D%22en-US%22%3ERe%3A%20%E2%80%8ENot%20being%20prompted%20for%20MFA%20on%20Outlook%20365%20desktop%2C%20even%20with%20Modern%20Auth%20enabled%3F%E2%80%8E%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1247248%22%20slang%3D%22en-US%22%3E%3CP%3EI%20already%20gave%20you%20the%20list%20of%20things%20to%20check%2C%20if%20you%20mean%20the%20actual%20keys%2C%20this%20article%20lists%20them%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fexchange%2Ftroubleshoot%2Fmodern-authentication%2Fmodern-authentication-configuration%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fexchange%2Ftroubleshoot%2Fmodern-authentication%2Fmodern-authentication-configuration%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20best%20tool%20to%20use%20in%20troubleshooting%20is%20Fiddler%2C%20or%20anything%20else%20that%20can%20capture%20a%20network%20trace.%20But%20at%20this%20point%2C%20you%20can%20just%20show%20us%20what%20exactly%20you%20are%20seeing%20in%20Outlook%2C%20for%20example%20when%20configuring%20a%20new%20profile.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1247357%22%20slang%3D%22en-US%22%3ERe%3A%20%E2%80%8ENot%20being%20prompted%20for%20MFA%20on%20Outlook%20365%20desktop%2C%20even%20with%20Modern%20Auth%20enabled%3F%E2%80%8E%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1247357%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F86092%22%20target%3D%22_blank%22%3E%40Robert%20Gordon%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHere%20it%20is%2C%20I%20use%20whenever%20I%20am%20working%20on%20CA%20along%20with%20the%20Azure%20AD%20sign-in%20logs%2C%20it%20tells%20you%20a%20lot%20on%20what's%20happening.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fconditional-access%2Fwhat-if-tool%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fconditional-access%2Fwhat-if-tool%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22AAD_WI.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F178924iD2C9E5A26C6BCD1C%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20title%3D%22AAD_WI.png%22%20alt%3D%22AAD_WI.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20below%20shows%20activity%20in%20Outlook%20desktop%20client%20when%20the%20user%20was%20interrupted%20to%20register%20for%20MFA%20after%20signing%20in%2C%20per%20the%20requirement.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22AAD_SI.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F178925i4FE077310AF7FFD1%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20title%3D%22AAD_SI.png%22%20alt%3D%22AAD_SI.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3EHere%20is%20a%20bit%20more%20info%20on%20trusted%20devices%20NOT%20prompting%20for%20MFA%20in%20some%20circumstances%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fazure-active-directory%2Frequire-mfa-on-azure-ad-joined-devices%2Fm-p%2F1169607%2Fhighlight%2Ftrue%23M3901%22%20target%3D%22_self%22%3Ehere%3C%2FA%3E%20which%20is%20by%20design.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1259504%22%20slang%3D%22en-US%22%3ERe%3A%20%E2%80%8ENot%20being%20prompted%20for%20MFA%20on%20Outlook%20365%20desktop%2C%20even%20with%20Modern%20Auth%20enabled%3F%E2%80%8E%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1259504%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F2395%22%20target%3D%22_blank%22%3E%40Cian%20Allner%3C%2FA%3E%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAh%20OK%20this%20makes%20more%20sense%20to%20me%2C%20if%20the%20theory%20is%20that%20if%20I'm%20logging%20into%20an%20Azure%20AD%20Joined%20device%2C%20then%20that%20initial%20login%20is%20what%20the%20native%20Office%20365%20desktop%20apps%20consider%20to%20be%20the%20'second%20auth'%20method.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHowever%2C%20at%20first%20setup%2C%20I'm%20still%20required%20to%20use%20an%20App%20Password%20when%20initially%20configuring%20my%20Outlook%20365%20clients%20on%20these%20Azure%20AD%20Joined%20devices.%26nbsp%3B%26nbsp%3B%20Is%20that%20the%20expected%20behavior%2C%20even%20with%20Modern%20Auth%20enabled%20on%20the%20backend%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Frequent Contributor

I am still being prompted to use app passwords for my Windows 10 Business desktop version of Outlook (Office 365 version) even though I am running it on Windows 10 Business (Azure AD Joined), from an Azure AD user profile.

I've enabled a Conditional Access policy to enable MFA for Modern Authentication apps but I'm still never prompted for Passwordless Signin MFA when I launch Outlook.

I do get the Passwordless Signin when I log into Outlook web.

Any ideas on why I'm not being prompted for MFA when launching my native Windows desktop apps?

7 Replies
Highlighted

Modern auth needs to be enabled server-side first, and while this should now be true for all tenants, I'd suggest you verify just in case. Also, client side it can be disabled via GPO/reg keys, so cover that as well. 

Highlighted

Modern authentication is definitely enabled on the backend.  

 

What other things should I be checking to identify why my desktop apps don't get prompted for 2FA?

Highlighted

Hi, Azure AD sign-in logs are useful, search for the entries that correspond with the activity you have mentioned and see what CA policies are applying or being skipped.  Also, I'd play around with the what if tool to model your expectations.

 

Also be aware in some circumstances a trusted device won't always prompt for MFA, as the device itself is considered the second factor.

Highlighted
Highlighted

I already gave you the list of things to check, if you mean the actual keys, this article lists them: https://docs.microsoft.com/en-us/exchange/troubleshoot/modern-authentication/modern-authentication-c...

 

The best tool to use in troubleshooting is Fiddler, or anything else that can capture a network trace. But at this point, you can just show us what exactly you are seeing in Outlook, for example when configuring a new profile.

Highlighted

@OneTechBeyond 

 

Here it is, I use whenever I am working on CA along with the Azure AD sign-in logs, it tells you a lot on what's happening.  

 

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/what-if-tool

 

AAD_WI.png

 

The below shows activity in Outlook desktop client when the user was interrupted to register for MFA after signing in, per the requirement.

 

AAD_SI.png

Here is a bit more info on trusted devices NOT prompting for MFA in some circumstances here which is by design. 

Highlighted

@Cian Allner,

 

Ah OK this makes more sense to me, if the theory is that if I'm logging into an Azure AD Joined device, then that initial login is what the native Office 365 desktop apps consider to be the 'second auth' method.

 

However, at first setup, I'm still required to use an App Password when initially configuring my Outlook 365 clients on these Azure AD Joined devices.   Is that the expected behavior, even with Modern Auth enabled on the backend?