MFA Conditional access policy on outlook 2016

%3CLINGO-SUB%20id%3D%22lingo-sub-299109%22%20slang%3D%22en-US%22%3EMFA%20Conditional%20access%20policy%20on%20outlook%202016%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-299109%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20have%26nbsp%3B%20MFA%20for%20our%20IT%20Staff%20via%20Conditional%20Access%20Policies...%3C%2FP%3E%3CP%3Ewanted%26nbsp%3Bto%20understand%20the%20Outlook%20Client%20experience%20a%20bit%20better.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Eis%20it%20possible%20to%20provide%20blogs%20or%20articles%20or%20the%20overview%20of%20it%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-300964%22%20slang%3D%22en-US%22%3ERe%3A%20MFA%20Conditional%20access%20policy%20on%20outlook%202016%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-300964%22%20slang%3D%22en-US%22%3E%3CP%3EI'm%20moving%20your%20question%20to%20the%20Outlook%20space%20for%20better%20visibility.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-299459%22%20slang%3D%22en-US%22%3ERe%3A%20MFA%20Conditional%20access%20policy%20on%20outlook%202016%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-299459%22%20slang%3D%22en-US%22%3E%3CP%3ECould%20you%20bit%20a%20bit%20more%20specific%20here%3F%20In%20general%2C%20any%20version%20of%20Outlook%20with%20Modern%20authentication%20enabled%20will%20work%20just%20fine%20with%20CA%20policies.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-723024%22%20slang%3D%22en-US%22%3ERe%3A%20MFA%20Conditional%20access%20policy%20on%20outlook%202016%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-723024%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F58%22%20target%3D%22_blank%22%3E%40Vasil%20Michev%3C%2FA%3E%26nbsp%3BI%20am%20curious%20about%20this.%20We%20just%20set%20up%20conditional%20access%20and%20when%20trying%20to%20authenticate%20users%20in%20Outlook%202016%2C%20it%20just%20continues%20to%20prompt%20for%20a%20password%20and%20will%20not%20work.%20I%20had%20to%20turn%20off%20conditional%20access%20for%20the%20affected%20users%2C%20then%20they%20could%20authenticate.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20have%202%20policies%20for%20conditional%20access.%3C%2FP%3E%3CP%3EThe%20first%20one%20blocks%20the%20log%20in%20to%20any%20apps%20or%20web%20apps%20to%20anyone%20in%20the%20company%20except%20if%20the%20users%20are%20in%20the%20excluded%20group%20and%20they%20must%20be%20located%20at%20one%20of%20our%20offices%20using%20a%20trusted%20IP.%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20second%20forces%20the%20users%20in%20the%20excluded%20group%20from%20the%20policy%20above%20to%20use%20MFA%20irregardless%20of%20where%20they%20are%20if%20they%20aren't%20at%20one%20of%20our%20offices.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20configuration%20will%20not%20allow%20the%20users%20to%20use%20Outlook%202016%20on%20their%20laptops%20when%20not%20at%20our%20office.%20It%20continuously%20prompts%20for%20a%20password%2C%20but%20nothing%20ever%20happens.%20I%20read%20that%20conditional%20access%20MFA%20does%20not%20use%20app%20passwords%2C%20so%20that%20is%20not%20an%20option.%20Outlook%202016%20is%20supposed%20to%20be%20able%20use%20modern%20authentication.%20So%20where%20am%20I%20going%20wrong%3F%20I%20need%20to%20have%20these%20user's%20accounts%20protected%20when%20away%20from%20the%20office%2C%20but%20I%20also%20need%20them%20to%20be%20able%20to%20use%20their%20email%20in%20Outlook.%20Please%20help.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Occasional Visitor

We have  MFA for our IT Staff via Conditional Access Policies...

wanted to understand the Outlook Client experience a bit better.

 

is it possible to provide blogs or articles or the overview of it

3 Replies
Highlighted

Could you bit a bit more specific here? In general, any version of Outlook with Modern authentication enabled will work just fine with CA policies.

Highlighted

I'm moving your question to the Outlook space for better visibility.

Highlighted

@Vasil Michev I am curious about this. We just set up conditional access and when trying to authenticate users in Outlook 2016, it just continues to prompt for a password and will not work. I had to turn off conditional access for the affected users, then they could authenticate.

 

We have 2 policies for conditional access.

The first one blocks the log in to any apps or web apps to anyone in the company except if the users are in the excluded group and they must be located at one of our offices using a trusted IP. 

The second forces the users in the excluded group from the policy above to use MFA irregardless of where they are if they aren't at one of our offices. 

 

This configuration will not allow the users to use Outlook 2016 on their laptops when not at our office. It continuously prompts for a password, but nothing ever happens. I read that conditional access MFA does not use app passwords, so that is not an option. Outlook 2016 is supposed to be able use modern authentication. So where am I going wrong? I need to have these user's accounts protected when away from the office, but I also need them to be able to use their email in Outlook. Please help.