Mar 08 2018 09:53 AM
Here's the basic question.
Does Outlook 2016 support MFA enabled MSAs without requiring the use of App Passwords?
In other words, is modern authentication (notification, text, call) capable when wiring up an MSA to Outlook 2016?
Here is why I'm asking. I thought that the answer to this question was yes, but my recent experience is no. I am not talking about Office 365 Azure AD MFA enabled account. I understand the requirement on the Office 365 side to enable the tenant for modern authentication. I am talking about a consumer account (Hotmail.com, live.com, outlook.com). I am not talking about an MSA that is using a duplicate work account. This is a straight MSA.
I've been working with customers to enable MFA on all Office 365 accounts. Many have existing MSAs that they use for personal email and they want those in Outlook 2016, side-by-side with their Office 365 email account. The Office 365 MFA experience is behaving as expected.
I've established MFA on the MSA and it's functioning properly. MFA is active via the web and via mobile, but Outlook 2016 will not present the modern authentication screen when initially wiring up the MSA (using autodiscover, maybe manual would be different). The account can be configured, but it requires the use of an App Password. It's not that it won't work, but rather that App Passwords are really hard to explain to average users. App Passwords add a complexity and confusion that I try to avoid.
I opened a ticket with Office 365 support, but it's slow going. We've spent the better part of two days just going back and forth agreeing on scope. They initially content that it's not within their scope. We've finally come to an agreement so I can move forward, but I find it interesting that a basic question of yes or no it works or doesn't has been so elusive.
So I turn to the community. Have any of you, recently, connected an MFA enabled Microsoft Account (MSA) to Outlook 2016 (desktop) without having to use an app password?
If there is documentation on this specific topic one way or the other, I can't find it. A link would be much appreciated.
Thanks,
Andy Baerst
Mar 08 2018 09:23 PM
I haven't checked the process "recently", but I have my MFA-protected outlook.com account running alongside my MFA-protected O365 account in Outlook with no issues. Have you tried new profile, or different machine?
Mar 08 2018 10:40 PM
Do you remember if, when you initially wired up the account into Outlook 2016, you used an App Password or were able to do it using actual 2-step methods (app notification, text message, code) for identity verification purposes?
Mar 09 2018 07:34 AM
Solution2fa Support for consumer accounts is new to outlook 2016 (should be available in updates this month), so if you need the app password now, you soon won’t. Gmail 2fa support is coming too - I thought in the same update, but haven’t tested it yet.
Mar 09 2018 07:57 PM
To be honest, I don't remember what I used, but I'd trust Diane's answer on this - she's the authority on anything Outlook related :)
Mar 10 2018 07:09 PM
I'm going to go with this answer because this seems to be in line with my observations, but I have to say that Microsoft's documentation is all over the map on this topic. Here's a general one about adding additional accounts to Outlook. It makes a big point about "some" systems that require app passwords and specifically calls out Gmail and Yahoo, but completely leaves Outlook.com off the list even though your answer and my observation say that app passwords are required.
and here's one that makes a big point about using app passwords for Outlook 2010 and earlier with Microsoft consumer account. They could have saved themselves some ink and just said "all version."
https://support.microsoft.com/en-us/help/12409/microsoft-account-app-passwords-two-step-verification
I don't mind a straight answer because I can make a decision, but endless trolling of documentation that never really gets to the point is frustrating.
I'll live with the app password requirement for now.
Thanks.
Mar 11 2018 05:01 AM
Here is an official Microsoft document stating the need for an App Password in Outlook 2016 for Outlook.com accounts with 2FA: https://support.office.com/en-us/article/i-can-t-see-my-outlook-com-email-in-outlook-2016-or-outlook...
Look for: "Important: If you're prompted to enter your credentials repeatedly, two-step verification might be turned on for your Outlook.com account. To fix this issue, you'll need to create an App Password to add the account in Outlook."
Mar 13 2018 01:45 PM
Apr 29 2018 08:10 PM
Yes I have created an app password and submitted that to outlook and it works. BUT outlook still asks for a password every few days (no not all the time, very random), I just hit the x to shut the dialog box and outlook continues to work. Very very annoying though, and should be easily fixed by Microsoft.
At present I am very reluctant to recommend MFA to clients based on my experience with outlook - works ok in all other areas.
May 01 2018 02:44 AM
Such behavior could be not MFA related at all...
Usually, I see Outlook asking randomly for passwords in case of connectivity problems.
Also, have you tried to create a new profile? And what about a different machine: does it happen anyway?
May 02 2018 12:15 AM
Thank you Salvatore, I think you might be right. I ran the Microsoft Support and Recovery Assistant for Office 365 again and it appears to have fixed it - for the moment anyway. It has been a bit random so will wait before claiming total success but here is hoping.
Sep 02 2019 02:34 PM
@Howard Randall @Salvatore Biscari
I'm under the impression that App Passwords completely bypass all MFA; so users who store their App Passwords on paper or digitally are adding a backdoor into their MFA protected environments. I believe SharePoint Online and OneDrive for business have options to prevent access to users using App Passwords, but I believe Exchange Online has no such option. So, a mal-user who obtains a compromised App Password can get to your entire (otherwise MFA protected) Exchange mailbox by using Outlook for the PC.
Mar 09 2018 07:34 AM
Solution2fa Support for consumer accounts is new to outlook 2016 (should be available in updates this month), so if you need the app password now, you soon won’t. Gmail 2fa support is coming too - I thought in the same update, but haven’t tested it yet.