SOLVED

After a hybrid migration to Exchange Online, Outlook clients not switching over.

Migrating users from Exchange 2010 to O365. Clients are using Outlook 2016 MSI install. After a successful migration, Outlook goes into the "disconnected" state and doesn't prompt for O365 credentials. HOWEVER, if I go into control panel and create a new profile it sets right up with the O365 account but here is the CRAZY part. After I create that new profile, I don't need to use it. I just launch the old profile and it connects to O365 no problem. Of course the new profile works as well. When it is in the disconnected state prior to creating the new profile, if I do an autodiscover test from the systray it works just fine and finds the O365 mailbox. Tried rebooting and disabling add-ins.

 

Some other things you might ask about...

  • They are using password sync and native O365 authentication/multifactor.
  • There is no problem with modern auth.
  • The profiles were originally set up with upns of john.smith@xyz.local but now they are john.smith@xyz.com 
10 Replies

@Rob Axelrod 

 

That is an odd one.  I would have immediately suggested autodiscover as the issue if you hadn't succeeded with the systray test.  

 

Maybe try running the Support and Recovery Assistant on one of the affected machines to see if that:

 

A). Sheds any more light on the issue.

B). Corrects the problem without you having to create the separate new profile.

 

You can find the SARA tool at https://www.microsoft.com/en-us/download/100607

@PeterRising 

 

Thanks Peter,

 

SARA is a good idea and I'll give it a shot but I really need to get to the root cause of the problem because this was a small pilot of about 10 users and I'm going to need to migrate another 500 or so for this organization so I need to figure out something proactive. I know as a last resort I can push a GPO and force a rebuild of the profile if I need to but what's the fun of doing a hybrid migration if you can't keep your old profile. I'll let you know what SARA tells me. In the meantime I'm setting up a test so I can do some Fiddler traces when the client comes up and can't figure out what to do...maybe that will show something. It almost seems like the client isn't in the mood to do autodiscover until you poke at the config with a new profile.

best response confirmed by Rob Axelrod (Copper Contributor)
Solution

@Rob Axelrod Hello, not in my comfort zone here but I've heard of an almost identical issue before where they disabled MFA (temporarily) to get it to work.

 

If that's not the case maybe this is applicable

https://support.microsoft.com/en-us/help/3073002/after-migration-to-office-365-outlook-doesn-t-conne...

@Rob Axelrod Yes I agree that for that many migrations you need a resolution, not a workaround ideally.

 

Did this happen on every one of the pilot migrations?

 

@ChristianBergstrom As ever my friend, some very useful ideas.  With modern authentication enabled, MFA should not be an issue, but you just never know.  :smile:

@ChristianBergstrom 

 

Thanks for your tips!

Your first inclination was 100% correct.

 

I did a Fiddler trace on the test workstation as Outlook was trying to do Autodiscover to set itself up for the first time connecting to the cloud. I saw that it was failing to connect to O365's autodiscover service with an HTTP error of 456. Did a little research and determined that it is tied to multifactor authentication and conditional access configuration. Not sure why it works fine if you are setting up a new profile, etc but when I excluded the test account from the conditional access policy it immediately started working.
 
So now the question is what is it about the conditional access policy that conflicts with the reconfiguration of Outlook? It isn't a problem when setting up a new profile, only on the switch from on-prem to the cloud. I used this blog post to help track down the issue with that e: https://bloggymcblogface.blog/error-456-for-exchange-online-autodiscover/
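
As an added example (not part of the original post): a short Python triage that scans a Fiddler session exported in HAR format for Autodiscover requests answered with HTTP 456, the failure seen in the trace described above. The sample capture and the function names are constructed for illustration; only the Authorization scheme is reported, never the credential.

```python
import json
from urllib.parse import urlsplit

# Constructed sample in HAR 1.2 layout; the credential values are placeholders.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"startedDateTime": "2020-01-01T09:00:00Z",
     "request": {"method": "POST",
                 "url": "https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml",
                 "headers": [{"name": "Authorization", "value": "Basic PLACEHOLDER"}]},
     "response": {"status": 456}},
    {"startedDateTime": "2020-01-01T09:00:05Z",
     "request": {"method": "POST",
                 "url": "https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml",
                 "headers": [{"name": "Authorization", "value": "Bearer PLACEHOLDER"}]},
     "response": {"status": 200}},
    {"startedDateTime": "2020-01-01T09:00:09Z",
     "request": {"method": "GET", "url": "https://example.invalid/other", "headers": []},
     "response": {"status": 456}},
]}})


def auth_scheme(headers):
    """Return only the scheme word of the Authorization header, never the credential."""
    for h in headers:
        if h.get("name", "").lower() == "authorization":
            return h.get("value", "").split(" ", 1)[0] or "unknown"
    return "none"


def find_autodiscover_456(har_text):
    """List Autodiscover requests in a HAR export that were answered with HTTP 456."""
    hits = []
    for entry in json.loads(har_text).get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        url = urlsplit(req.get("url", ""))
        if "/autodiscover/" not in url.path.lower() or resp.get("status") != 456:
            continue
        hits.append({"time": entry.get("startedDateTime"),
                     "host": url.hostname,
                     "method": req.get("method"),
                     "auth_scheme": auth_scheme(req.get("headers", []))})
    return hits


if __name__ == "__main__":
    for hit in find_autodiscover_456(SAMPLE_HAR):
        print(hit)
```

Run against captures from several pilot workstations, the output shows which hosts return 456 and which authentication scheme the client presented on those requests.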

@Rob Axelrod Hey Rob! Glad to hear that the solution worked for you! But I can't say I know what's going on as the "456 authentication error" should indicate that MFA is enabled for your account while modern authentication is not enabled in EXO. Perhaps open a MS ticket as you said all those settings are OK.

 

@PeterRising Any idea?

I have a ticket open to look at the conditional access settings. Modern Auth is definitely enabled since every other scenario works just fine except for the specific act of transitioning the Outlook client from on prem to the cloud post hybrid finalization. I think the answer is going to be tweaking my conditional access config so that the "Other Clients" setting isn't checked in the policy that requires multi factor.

@Rob Axelrod Great! Would you mind sharing the response when you get it? Thanks!

@Rob Axelrod I have no idea which particular CA policy setting might be at fault I'm afraid.  Definitely one for MS ticket.  As @ChristianBergstrom says, I'd be interested to hear the outcome as well.

@Rob Axelrod I'm also interested in knowing MS's response to your ticket. I am doing a migration and I have encountered the same problem. Thanks.
