SOLVED

MFA with Outlook 2016 on the desktop and Skype 2016

%3CLINGO-SUB%20id%3D%22lingo-sub-2339%22%20slang%3D%22en-US%22%3EMFA%20with%20Outlook%202016%20on%20the%20desktop%20and%20Skype%202016%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2339%22%20slang%3D%22en-US%22%3E%3CP%3EIs%20there%20a%20special%20settings%20for%20MFA%26nbsp%3Bto%20work%20with%26nbsp%3BOutlook%202016%20on%20the%20desktop%20and%20Skype%202016%3F%26nbsp%3B%20After%20enabling%26nbsp%3BMFA%20for%20my%20ID%2C%20the%20WINDOWS%20SECURITY%20dialogue%20(wanting%20my%26nbsp%3BO365%20credentials)%26nbsp%3Bdoes%20not%20accept%20my%20password.%26nbsp%3B%20My%20credentials%20work%20other%20places%20so%20know%20it%20is%20not%20a%20credentials%20issue.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-293841%22%20slang%3D%22en-US%22%3ERe%3A%20MFA%20with%20Outlook%202016%20on%20the%20desktop%20and%20Skype%202016%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-293841%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1313%22%20target%3D%22_blank%22%3E%40Paul%20Beiler%3C%2FA%3E%3C%2FP%3E%3CP%3EIn%20order%20to%20use%20MFA%20with%20Skype%20For%20Business%2C%20We%20need%20to%20enable%20modern%20authentication%20for%20Skype%20for%20Business%20Online.%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fsocial.technet.microsoft.com%2Fwiki%2Fcontents%2Farticles%2F34339.skype-for-business-online-enable-your-tenant-for-modern-authentication.aspx%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3EThis%20article%20explains%20how%20to%20enable%20your%20Skype%20for%20Business%20Online%20tenant%20to%20support%20modern%20authentication.%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3ESteps%20to%20enable%20modern%20authentication%20for%20Skype%20for%20Business%20Online%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Faka.ms%2FSkypePowerShell%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3EConnect%20to%20Skype%20for%20Business%20Online%20using%20remote%20PowerShell%3A%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3ECheck%20the%20current%20status%20of%20ClientAdalAuthOverride%20attribute.%3CBR%20%2F%3E%3CEM%3EGet-CsOAuthConfiguration%20%7C%20FL%20*ClientAdalAuthOverride*%3C%2FEM%3E%3CBR%20%2F%3E%3CBR%20%2F%3ENow%20run%20the%20following%20command%20to%20enable%20modern%20authentication%20for%20Skype%20for%20Business%20Online.%3CBR%20%2F%3E%3CEM%3ESet-CsOAuthConfiguration%20-ClientAdalAuthOverride%20Allowed%3C%2FEM%3E%3CBR%20%2F%3E%3CBR%20%2F%3EVerify%20that%20the%20change%20was%20successful%20by%20running%20the%20following%3A%3CBR%20%2F%3E%3CEM%3EGet-CsOAuthConfiguration%3C%2FEM%3E%3C%2FP%3E%3CP%3E%3CBR%20%2F%3EPost%20making%20the%20PowerShell%20changes%20it%20may%20take%2015%20minutes%20to%20couple%20of%20hours%20for%20the%20changes%20to%20take%20affect.%3CBR%20%2F%3E%3CBR%20%2F%3ERef%20Link%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fsocial.technet.microsoft.com%2Fwiki%2Fcontents%2Farticles%2F34339.skype-for-business-online-enable-your-tenant-for-modern-authentication.aspx%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3ESkype%20for%20Business%20Online%3A%20Enable%20your%20tenant%20for%20modern%20authentication%3C%2FA%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fskypeforbusiness%2Fplan-your-deployment%2Fmodern-authentication%2Ftopologies-supported%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3ESkype%20for%20Business%20topologies%20supported%20with%20Modern%20Authentication%3C%2FA%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fexchange%2Fclients-and-mobile-in-exchange-online%2Fenable-or-disable-modern-authentication-in-exchange-online%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3EEnable%20or%20disable%20modern%20authentication%20in%20Exchange%20Online%3C%2FA%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fsocial.technet.microsoft.com%2Fwiki%2Fcontents%2Farticles%2F32211.modern-authentication-behavior-across-office-2013-and-office-2016.aspx%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3EModern%20authentication%20behavior%20across%20Office%202013%20and%20Office%202016%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3ERegards%3CBR%20%2F%3EMukesh%20Rawat%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-276675%22%20slang%3D%22en-US%22%3ERe%3A%20MFA%20with%20Outlook%202016%20on%20the%20desktop%20and%20Skype%202016%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-276675%22%20slang%3D%22en-US%22%3E%3CP%3EYour%20setup%20requires%20passwords.%26nbsp%3B%20An%20app-password%20is%20a%20valid%20password.%26nbsp%3B%20It%20never%20expires%2C%20thus%20not%20ideal.%26nbsp%3B%20When%20you%20are%20asked%20for%20the%20password%2C%20you%20either%20give%20it%20the%20never-expiring%20app-password%2C%20or%20your%20normal%20one.%26nbsp%3B%20In%20your%20case%2C%20when%20you%20give%20it%20the%20normal%20one%2C%20MFA%20kicks%20in.%26nbsp%3B%20(An%20App-Password%20replaces%20MFA%20and%20was%20a%20work-around%20for%20apps%20that%20did%20not%20work%20with%20MFA).%26nbsp%3B%20I%20suspect%20your%20old%20iPhone%20Mail%20app%20knows%20your%20App-Password%2C%20thus%20never%20asking%20for%20it.%20%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EYou%20can%20setup%20more%20verification%20methods%20(authenticator%2C%20etc).%26nbsp%3B%20Go%20to%20%E2%80%A6%20%3CA%20href%3D%22https%3A%2F%2FMyApps.Microsoft.com%2C%26nbsp%3B%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2FMyApps.Microsoft.com%2C%26nbsp%3B%3C%2FA%3E%20click%20on%20your%20photo%2C%20go%20to%20profile%2C%20go%20to%20Additional%20Security%20Verification.%20%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-276670%22%20slang%3D%22en-US%22%3ERe%3A%20MFA%20with%20Outlook%202016%20on%20the%20desktop%20and%20Skype%202016%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-276670%22%20slang%3D%22en-US%22%3E%3CP%3EI%20know%20app%20password%20isn't%20the%20only%20way.%3C%2FP%3E%3CP%3EMy%20iphone%2010%20mail%20client%20allows%20me%20to%20sign%20in%20with%20my%20password%20and%20then%20I%20get%20a%20text%20with%20an%20MFA%20code%20and%20enter%20that%20in%20when%20adding%20my%20company%20account.%26nbsp%3B%20%26nbsp%3B%20My%20last%20company%2C%20used%20MFA%20with%20outlook%202016%20without%20using%20app%20passwords.%26nbsp%3B%20It%20worked%20after%20enabling%20modern%20auth%20in%20exchange.%3C%2FP%3E%3CP%3EI%20assume%20that%20because%20my%20iphone%20mail%20client%20doesn't%20require%20an%20app%20password%20that%20modern%20auth%20is%20already%20enabled.%26nbsp%3B%20%26nbsp%3BSo%20why%20is%20my%20outlook%20client%20that%20I%20just%20downloaded%20from%20O365%20today%20requiring%20app%20passwords.%26nbsp%3B%20There%20has%20to%20be%20a%20setting.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAlso%2C%20is%20there%20a%20way%20to%20use%20the%20microsoft%20authenticator%20instead%20of%20text.%26nbsp%3B%20%26nbsp%3BTexts%20don't%20always%20come%20through%20in%20a%20timely%20maner.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-4479%22%20slang%3D%22en-US%22%3ERE%3A%20MFA%20with%20Outlook%202016%20on%20the%20desktop%20and%20Skype%202016%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-4479%22%20slang%3D%22en-US%22%3EAre%20you%20using%20Office%20365's%20MFA%3F%20That%20definitely%20works%20with%20Outlook%202016%2FSkype%20for%20Business%20and%20brings%20up%20the%20modern%20auth%20dialog.%20(I%20approve%20it%20using%20the%20auth%20app%20on%20my%20iPhone.)%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-4472%22%20slang%3D%22en-US%22%3ERe%3A%20MFA%20with%20Outlook%202016%20on%20the%20desktop%20and%20Skype%202016%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-4472%22%20slang%3D%22en-US%22%3E%3CP%3EQuick%20Follow%20up%20...%20Microsoft%20has%20a%20setting%20solution%2C%20to%20enable%20MFA%20for%20Exchange%20Online%20and%20Skype%202016%2C%20rather%20than%20using%20APP%20PASSWORD.%26nbsp%3B%20Powershell%20is%20needed%20to%20make%26nbsp%3Bthis%20change.%20But%20MFA%20does%20not%20yet%20work%20when%20connecting%20to%20Exchange%20Online%20with%20Powershell.%20MFA%20does%20work%20for%20connecting%20to%20Azure%20AD%20with%20Powershell.%3CBR%20%2F%3E%3CBR%20%2F%3ESo%20MFA%20needs%20to%20mature%20to%20the%20point%20where%20one%20can%20connect%20with%20Powershell.%20Hmmm.%20I%20want%20MFA%20turned%20on%20for%20admins.%20Then%20my%20admins%20will%20not%20be%20able%20to%20use%20Powershell%20to%20do%20their%20admin%20work.%26nbsp%3B%20Hope%20to%20be%20proven%20wrong%20soon%2C%20on%20using%20MFA%20and%20Powershell%20for%20connecting%20to%20Exchange%20Online.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3710%22%20slang%3D%22en-US%22%3ERe%3A%20MFA%20with%20Outlook%202016%20on%20the%20desktop%20and%20Skype%202016%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3710%22%20slang%3D%22en-US%22%3EThank%20you!%20I%20will%20definitely%20check%20this%20out.%20I%20have%20the%20AD%20Premium%2C%20so%20it%20may%20be%20my%20solution.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3708%22%20slang%3D%22en-US%22%3ERe%3A%20MFA%20with%20Outlook%202016%20on%20the%20desktop%20and%20Skype%202016%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3708%22%20slang%3D%22en-US%22%3EThis%20should%20give%20you%20more%20info.%20I'm%20not%20the%20MFA%20guy%20in%20our%20org%20but%20I%20know%20they%20fixed%20the%20Skype%20calendar%20issue%20when%20MFA%20is%20enabled%20with%20this%3A%20%3CA%20href%3D%22https%3A%2F%2Fazure.microsoft.com%2Fen-gb%2Fdocumentation%2Farticles%2Factive-directory-conditional-access%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fazure.microsoft.com%2Fen-gb%2Fdocumentation%2Farticles%2Factive-directory-conditional-access%2F%3C%2FA%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3705%22%20slang%3D%22en-US%22%3ERe%3A%20MFA%20with%20Outlook%202016%20on%20the%20desktop%20and%20Skype%202016%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3705%22%20slang%3D%22en-US%22%3E%3CP%3E...Conditional%20access%3F%26nbsp%3B%20Can%20you%20breifly%20describe%3F%26nbsp%3B%20Are%20you%26nbsp%3Breferring%20to%20Microsoft's%20Powershell%20solution%2C%20enabling%26nbsp%3B%20Exchange%20online%20and%20Skype%20for%20MFA.%26nbsp%3B%20I%20haven't%20done%20this%20yet%20but%20was%20going%20to%20test.%26nbsp%3B%20I'm%20told%20this%20will%20take%20care%20of%20it%20(so%20I%20don't%20need%20to%20do%20the%20App%20Password)%26nbsp%3Bbut%20need%20to%20test.%26nbsp%3B%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fsupport.office.com%2Fen-gb%2Farticle%2FUsing-Office-365-modern-authentication-with-Office-clients-776c0036-66fd-41cb-8928-5495c0f9168a%3Fui%3Den-US%26amp%3Brs%3Den-GB%26amp%3Bad%3DGB%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsupport.office.com%2Fen-gb%2Farticle%2FUsing-Office-365-modern-authentication-with-Office-clients-776c0036-66fd-41cb-8928-5495c0f9168a%3Fui%3Den-US%26amp%3Brs%3Den-GB%26amp%3Bad%3DGB%3C%2FA%3E%3C%2FP%3E%3CP%3EDetails%20in%20the%26nbsp%3BGETTING%20STARTING%20WITH%20MODERN%20AUTHENTICATION%20section.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3702%22%20slang%3D%22en-US%22%3ERe%3A%20MFA%20with%20Outlook%202016%20on%20the%20desktop%20and%20Skype%202016%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3702%22%20slang%3D%22en-US%22%3EWe%20have%20managed%20to%20get%20around%20this%20with%20conditional%20access%20for%20MFA%20so%20that%20we%20don't%20nee%20to%20use%20App%20Passwords%20to%20get%20Exchange%20Online%20integration%20in%20Skype%20for%20Business.%3CBR%20%2F%3E%3CBR%20%2F%3EMatt%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2371%22%20slang%3D%22en-US%22%3ERe%3A%20MFA%20with%20Outlook%202016%20on%20the%20desktop%20and%20Skype%202016%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2371%22%20slang%3D%22en-US%22%3E%3CP%3ESetting%20MFA%20requres%20you%20to%20generate%20an%20App%20Passord%20for%20Outlook%202016%2C%20please%20see%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22http%3A%2F%2Fc7solutions.com%2F2015%2F03%2Fhow-to-change-your-office-365-app-password%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EHow%20to%20change%20your%20Ofjice365%20App%20Password%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EHal%3C%2FP%3E%3CP%3E--%3C%2FP%3E%3CP%3EHal%20Hostetler%2C%20CPBE%3C%2FP%3E%3CP%3EBroadcast%20Engineer%2FIT%20Pro%3C%2FP%3E%3CP%3EMS%20MVP-Outlook%20-%20WA7BGX%3C%2FP%3E%3CP%3E%3CA%20href%3D%22http%3A%2F%2Fwww.rolandschorr.com%2F%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ewww.rolandschorr.com%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Frequent Contributor

Is there a special settings for MFA to work with Outlook 2016 on the desktop and Skype 2016?  After enabling MFA for my ID, the WINDOWS SECURITY dialogue (wanting my O365 credentials) does not accept my password.  My credentials work other places so know it is not a credentials issue.

10 Replies
Highlighted
Best Response confirmed by Paul Beiler (Frequent Contributor)
Solution

Setting MFA requres you to generate an App Passord for Outlook 2016, please see:

 

How to change your Ofjice365 App Password

Hal

--

Hal Hostetler, CPBE

Broadcast Engineer/IT Pro

MS MVP-Outlook - WA7BGX

www.rolandschorr.com

 

Highlighted
We have managed to get around this with conditional access for MFA so that we don't nee to use App Passwords to get Exchange Online integration in Skype for Business.

Matt
Highlighted

...Conditional access?  Can you breifly describe?  Are you referring to Microsoft's Powershell solution, enabling  Exchange online and Skype for MFA.  I haven't done this yet but was going to test.  I'm told this will take care of it (so I don't need to do the App Password) but need to test.   

https://support.office.com/en-gb/article/Using-Office-365-modern-authentication-with-Office-clients-...

Details in the GETTING STARTING WITH MODERN AUTHENTICATION section. 

Highlighted
This should give you more info. I'm not the MFA guy in our org but I know they fixed the Skype calendar issue when MFA is enabled with this: https://azure.microsoft.com/en-gb/documentation/articles/active-directory-conditional-access/
Highlighted
Thank you! I will definitely check this out. I have the AD Premium, so it may be my solution.
Highlighted

Quick Follow up ... Microsoft has a setting solution, to enable MFA for Exchange Online and Skype 2016, rather than using APP PASSWORD.  Powershell is needed to make this change. But MFA does not yet work when connecting to Exchange Online with Powershell. MFA does work for connecting to Azure AD with Powershell.

So MFA needs to mature to the point where one can connect with Powershell. Hmmm. I want MFA turned on for admins. Then my admins will not be able to use Powershell to do their admin work.  Hope to be proven wrong soon, on using MFA and Powershell for connecting to Exchange Online.

Highlighted
Are you using Office 365's MFA? That definitely works with Outlook 2016/Skype for Business and brings up the modern auth dialog. (I approve it using the auth app on my iPhone.)
Highlighted

I know app password isn't the only way.

My iphone 10 mail client allows me to sign in with my password and then I get a text with an MFA code and enter that in when adding my company account.    My last company, used MFA with outlook 2016 without using app passwords.  It worked after enabling modern auth in exchange.

I assume that because my iphone mail client doesn't require an app password that modern auth is already enabled.   So why is my outlook client that I just downloaded from O365 today requiring app passwords.  There has to be a setting.

 

Also, is there a way to use the microsoft authenticator instead of text.   Texts don't always come through in a timely maner.

Highlighted

Your setup requires passwords.  An app-password is a valid password.  It never expires, thus not ideal.  When you are asked for the password, you either give it the never-expiring app-password, or your normal one.  In your case, when you give it the normal one, MFA kicks in.  (An App-Password replaces MFA and was a work-around for apps that did not work with MFA).  I suspect your old iPhone Mail app knows your App-Password, thus never asking for it.  

 

You can setup more verification methods (authenticator, etc).  Go to … https://MyApps.Microsoft.com,  click on your photo, go to profile, go to Additional Security Verification.  

Highlighted

@Paul Beiler

In order to use MFA with Skype For Business, We need to enable modern authentication for Skype for Business Online.
This article explains how to enable your Skype for Business Online tenant to support modern authenti...

 

Steps to enable modern authentication for Skype for Business Online
Connect to Skype for Business Online using remote PowerShell:

Check the current status of ClientAdalAuthOverride attribute.
Get-CsOAuthConfiguration | FL *ClientAdalAuthOverride*

Now run the following command to enable modern authentication for Skype for Business Online.
Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed

Verify that the change was successful by running the following:
Get-CsOAuthConfiguration


Post making the PowerShell changes it may take 15 minutes to couple of hours for the changes to take affect.

Ref Link
Skype for Business Online: Enable your tenant for modern authentication
Skype for Business topologies supported with Modern Authentication
Enable or disable modern authentication in Exchange Online
Modern authentication behavior across Office 2013 and Office 2016

Regards
Mukesh Rawat