SOLVED

Outlook 2016 with MFA enabled MSA


Here's the basic question.

 

Does Outlook 2016 support MFA enabled MSAs without requiring the use of App Passwords?

 

In other words, is modern authentication (notification, text, call) capable when wiring up an MSA to Outlook 2016?

 

Here is why I'm asking. I thought that the answer to this question was yes, but my recent experience is no. I am not talking about an Office 365 Azure AD MFA enabled account. I understand the requirement on the Office 365 side to enable the tenant for modern authentication. I am talking about a consumer account (Hotmail.com, live.com, outlook.com). I am not talking about an MSA that is using a duplicate work account. This is a straight MSA.

 

I've been working with customers to enable MFA on all Office 365 accounts. Many have existing MSAs that they use for personal email and they want those in Outlook 2016, side-by-side with their Office 365 email account. The Office 365 MFA experience is behaving as expected.

 

I've established MFA on the MSA and it's functioning properly. MFA is active via the web and via mobile, but Outlook 2016 will not present the modern authentication screen when initially wiring up the MSA (using autodiscover, maybe manual would be different). The account can be configured, but it requires the use of an App Password. It's not that it won't work, but rather that App Passwords are really hard to explain to average users. App Passwords add a complexity and confusion that I try to avoid.

 

I opened a ticket with Office 365 support, but it's slow going. We've spent the better part of two days just going back and forth agreeing on scope. They initially contended that it's not within their scope. We've finally come to an agreement so I can move forward, but I find it interesting that a basic question of yes or no, it works or doesn't, has been so elusive.

 

So I turn to the community. Have any of you, recently, connected an MFA enabled Microsoft Account (MSA) to Outlook 2016 (desktop) without having to use an app password?

 

If there is documentation on this specific topic one way or the other, I can't find it. A link would be much appreciated.

 

Thanks,

Andy Baerst

11 Replies

I haven't checked the process "recently", but I have my MFA-protected outlook.com account running alongside my MFA-protected O365 account in Outlook with no issues. Have you tried new profile, or different machine?


Do you remember if, when you initially wired up the account into Outlook 2016, you used an App Password or were able to do it using actual 2-step methods (app notification, text message, code) for identity verification purposes?

Best Response confirmed by Andy Baerst (Occasional Contributor)
Solution

2FA support for consumer accounts is new to Outlook 2016 (should be available in updates this month), so if you need the app password now, you soon won't. Gmail 2FA support is coming too - I thought in the same update, but haven't tested it yet.


To be honest, I don't remember what I used, but I'd trust Diane's answer on this - she's the authority on anything Outlook related :)


I'm going to go with this answer because this seems to be in line with my observations, but I have to say that Microsoft's documentation is all over the map on this topic. Here's a general one about adding additional accounts to Outlook. It makes a big point about "some" systems that require app passwords and specifically calls out Gmail and Yahoo, but completely leaves Outlook.com off the list even though your answer and my observation say that app passwords are required.

 

https://support.office.com/en-us/article/Add-an-email-account-to-Outlook-6e27792a-9267-4aa4-8bb6-c84...

 

and here's one that makes a big point about using app passwords for Outlook 2010 and earlier with Microsoft consumer accounts. They could have saved themselves some ink and just said "all versions."

https://support.microsoft.com/en-us/help/12409/microsoft-account-app-passwords-two-step-verification

 

I don't mind a straight answer because I can make a decision, but endless trolling of documentation that never really gets to the point is frustrating. 

 

I'll live with the app password requirement for now.

 

Thanks.


Here is an official Microsoft document stating the need for an App Password in Outlook 2016 for Outlook.com accounts with 2FA: https://support.office.com/en-us/article/i-can-t-see-my-outlook-com-email-in-outlook-2016-or-outlook...

Look for: "Important: If you're prompted to enter your credentials repeatedly, two-step verification might be turned on for your Outlook.com account. To fix this issue, you'll need to create an App Password to add the account in Outlook."

Yes, thank you Salvatore. That is a document that alludes to the need for app passwords with Outlook.com accounts. It's a bit of a buried article, IMO, since it's stuck in a troubleshooting document with a very specific title, but it does call out app passwords directly nonetheless.

I wish that the top level documents would do the same. Of course, this may all be a moot point once Outlook.com and Outlook 2016 are wired to handle each other's form of modern auth.

Just so I'm clear here. I don't even like this Outlook.com / Outlook 2016 solution. I try to guide my users towards using the browser, but for some, Outlook runs deep.

Thanks again.

Yes, I have created an app password and submitted that to Outlook and it works. BUT Outlook still asks for a password every few days (no, not all the time, very random). I just hit the x to shut the dialog box and Outlook continues to work. Very, very annoying though, and should be easily fixed by Microsoft.

At present I am very reluctant to recommend MFA to clients based on my experience with Outlook - works OK in all other areas.


Such behavior could be not MFA related at all...

Usually, I see Outlook asking randomly for passwords in case of connectivity problems.

Also, have you tried to create a new profile? And what about a different machine: does it happen anyway?


Thank you Salvatore, I think you might be right. I ran the Microsoft Support and Recovery Assistant for Office 365 again and it appears to have fixed it - for the moment anyway. It has been a bit random so I will wait before claiming total success, but here is hoping.


@Howard Randall @Salvatore Biscari 

 

I'm under the impression that App Passwords completely bypass all MFA; so users who store their App Passwords on paper or digitally are adding a backdoor into their MFA protected environments. I believe SharePoint Online and OneDrive for Business have options to prevent access to users using App Passwords, but I believe Exchange Online has no such option. So, a mal-user who obtains a compromised App Password can get to your entire (otherwise MFA protected) Exchange mailbox by using Outlook for the PC.