MFA not working in Outlook 2019 – Exchange Online

Scenario:-

Microsoft 365 tenant, mainly using Exchange Online (Plan 1) licenses. I enabled MFA for a couple of users, and it works fine when logging in to https://office.com

Users can access Outlook on the web without any problems and get notifications sent to the “Microsoft Authenticator” app to approve, or an SMS if they choose one of the other authentication options.

When it comes to Outlook 2019 they just get repeatedly asked for their email credentials in the old-style credential popup, rather than the newer modern-authentication prompt you see when logging in to https://office.com, where it asks for email, then password, then the MFA option.

I know this type of problem exists with Outlook 2013 and older, and there are workarounds for it, but this is Office 2019!

Solution:-

After raising a support ticket with Microsoft and getting a call back pretty much straight away from a very knowledgeable “Support Ambassador”, we managed to sort the problem. It turns out that if your tenant was created before 2017 (ours was 2014; Microsoft's cutoff is August 2017), modern authentication (OAuth 2.0) is not switched on by default in Exchange Online, regardless of the Azure AD features that come with lower-tier licenses like Exchange Online. Outlook then falls back to basic authentication, which cannot complete an MFA sign-in, so it loops on the credential prompt. Tenants created from 2017 onwards have modern authentication on by default and tend to work just fine.

Here’s what we did…

  1. Run PowerShell as admin
  2. Connect to Exchange Online (this method works when the admin account has MFA enabled) using the following steps:-
    $MFA = New-Object -ComObject InternetExplorer.Application -Property @{Navigate2="https://cmdletpswmodule.blob.core.windows.net/exopsmodule/Microsoft.Online.CSE.PSModule.Client.application"}

    The command above installs the Exchange Online Remote PowerShell module via ClickOnce, which then launches another PowerShell window. (That module has since been superseded by the ExchangeOnlineManagement module and its Connect-ExchangeOnline cmdlet, which also supports MFA sign-in.)

  3. In the newly opened window enter the following:-
    Connect-EXOPSSession

    Enter your tenant administrator login information and complete the MFA prompt.

  4. Enter the following command:-
    Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

This enables modern authentication (OAuth 2.0) for the whole Exchange Online tenant, which is what allows Outlook 2019 to hand the sign-in over to the MFA-capable prompt. It can take a few hours for the change to propagate and for Outlook 2019 to make use of it. If you need to speed this up you can add the following registry value on the user's computer; it makes Outlook use OAuth for Autodiscover straight away. Make sure to close Outlook first.
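The tenant-side part of the fix, as an added example (not code from the original post): it connects with the current ExchangeOnlineManagement module rather than the ClickOnce module used above (an assumption on my part), reads the setting before touching it, and reads it back afterwards. The admin UPN is a placeholder.

```powershell
#Requires -Modules ExchangeOnlineManagement

function Enable-ExoModernAuth {
    # Connects with the current ExchangeOnlineManagement module (assumption:
    # it replaces the ClickOnce Connect-EXOPSSession module used in the post),
    # reads the tenant setting first and only changes it when needed.
    param(
        [Parameter(Mandatory)] [string] $AdminUpn   # placeholder, e.g. admin@contoso.onmicrosoft.com
    )

    Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false   # MFA prompt appears here
    try {
        $before = (Get-OrganizationConfig).OAuth2ClientProfileEnabled
        if ($before) {
            return 'Already enabled: OAuth2ClientProfileEnabled was True, nothing changed.'
        }

        # Equivalent of step 4 in the post.
        Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

        # Read it back instead of trusting the cmdlet's silence.
        $after = (Get-OrganizationConfig).OAuth2ClientProfileEnabled
        if (-not $after) {
            throw 'OAuth2ClientProfileEnabled is still False; check the account holds the Organization Management role.'
        }
        return 'Enabled: OAuth2ClientProfileEnabled changed False -> True; allow a few hours to propagate.'
    }
    finally {
        Disconnect-ExchangeOnline -Confirm:$false
    }
}

# Usage (interactive; the sign-in itself prompts for MFA):
# Enable-ExoModernAuth -AdminUpn 'admin@contoso.onmicrosoft.com'
```

Because the function checks the current value first, it is safe to run against a tenant that already has modern authentication on; the return string tells you which case you hit.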

  • In Registry Editor, go to HKEY_CURRENT_USER\Software\Microsoft\Exchange (create the Exchange key if it does not exist).
  • On the Edit menu, point to New, and then click DWORD (32-bit) Value.
  • Type AlwaysUseMSOAuthForAutoDiscover, and then press Enter.
  • Right-click AlwaysUseMSOAuthForAutoDiscover, and then click Modify.
  • In the Value data box, type 1, and then click OK.
  • Exit Registry Editor.

Open Outlook and you should now get the MFA-style prompt as you would expect. If you continue to have problems, it's worth deleting the Outlook profile on the computer and starting again, since a profile created under basic authentication can keep prompting the old way.

The following article may also be of use, as it goes into a lot more detail about how to enable or disable modern authentication for Outlook in Exchange Online: https://docs.microsoft.com/en-us/Exchange/clients-and-mobile-in-exchange-online/enable-or-disable-modern-authentication-in-exchange-online

One last thing… enabling modern authentication for Outlook in Exchange Online won't affect any of your other users who may not have MFA set up; it only changes how clients that support modern authentication sign in.

Hopefully this may help someone somewhere one day!

Enable or Disable write protection to a USB drive

PROBLEM: I need to stop users saving data to the BitLocker USB flash drive that they use to unlock their laptop.

SOLUTION: Use the DiskPart command-line utility to mark the USB flash drive in question as read-only.

STEPS:-

  1. Press the Windows key + R to open the Run box.
  2. Type diskpart and press Enter.
  3. If you receive a UAC prompt asking for permission, click Yes.
  4. At the DISKPART> prompt type list disk and press Enter.
  5. Work out which disk is your USB drive from its size (mine was disk 1), then type select disk 1 (substituting your number) and press Enter. Double-check this: every later command acts on the selected disk.
  6. You can check the current attributes for the disk by typing attributes disk.
  7. To enable write protection (making it impossible to save files to the disk) type attributes disk set readonly and press Enter.
  8. You're done! Type exit to quit.
  9. If you ever want to revert and disable write protection, use the command attributes disk clear readonly and press Enter.


Please note that the above method only enables write protection for that particular USB flash drive on that specific Windows machine: the read-only attribute is stored in that machine's registry, not on the drive. If you put the same USB flash drive in a different machine you can still write files to it, and any local administrator on the original machine can clear the attribute again, so treat this as a convenience against accidental saves rather than a security control.
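The same read-only flag set and checked from PowerShell's Storage module instead of DiskPart, as an added example (not part of the original post). It lists only USB disks so the disk number is chosen rather than guessed, refuses to touch a non-USB disk, and reads the attribute back. Run it from an elevated prompt.

```powershell
function Get-UsbDisk {
    # Lists removable USB disks so the right disk number can be chosen by
    # size and name rather than guessed from 'list disk'.
    Get-Disk | Where-Object BusType -eq 'USB' |
        Select-Object Number, FriendlyName,
            @{ n = 'SizeGB'; e = { [math]::Round($_.Size / 1GB, 1) } },
            IsReadOnly
}

function Set-UsbDiskWriteProtection {
    # Equivalent of 'attributes disk set readonly' / 'attributes disk clear readonly'.
    param(
        [Parameter(Mandatory)] [int]  $DiskNumber,
        [Parameter(Mandatory)] [bool] $Enabled
    )

    $disk = Get-Disk -Number $DiskNumber
    if ($disk.BusType -ne 'USB') {
        # Guards against the classic mistake of selecting the system disk.
        throw "Disk $DiskNumber is on bus '$($disk.BusType)', not USB; refusing to change it."
    }

    Set-Disk -Number $DiskNumber -IsReadOnly $Enabled

    # Read the attribute back. It lives in this machine's registry, so it
    # will not follow the drive to another computer.
    return (Get-Disk -Number $DiskNumber).IsReadOnly
}

Get-UsbDisk
# Set-UsbDiskWriteProtection -DiskNumber 1 -Enabled $true    # returns True
# Set-UsbDiskWriteProtection -DiskNumber 1 -Enabled $false   # returns False
```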

How to add Azure Active Directory user to local administrator group

Windows 10 allows you to join your computer to Azure Active Directory and log in with your cloud credentials. The account that performs the join becomes a local administrator; users who sign in afterwards do not.

To add additional Azure AD accounts as local admins you need to do the following…

  1. Open a command prompt with Administrator privileges
  2. Enter the following command…
net localgroup administrators /add "AzureAD\<users office 365 email address>"

You should see “The command completed successfully”. Now check it worked by going into Computer Management > Local Users and Groups > Groups > Administrators and confirming the user is listed. If you need this for many devices, the “Additional local administrators on Azure AD joined devices” setting under Azure AD device settings does the same thing centrally and is easier to audit than per-machine commands.
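The same add-and-verify step wrapped in a function, as an added example (not from the original post). It uses net.exe as the post does, because it accepts the AzureAD\ prefix reliably, but it checks the exit code and re-reads the group membership instead of trusting the success message. The UPN in the usage line is a placeholder.

```powershell
function Add-AzureAdLocalAdmin {
    # Adds an Azure AD user to the local Administrators group on an
    # Azure AD-joined Windows 10 device and verifies the result.
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName   # e.g. jane@contoso.com (placeholder)
    )

    $member = "AzureAD\$UserPrincipalName"

    # Membership lines from net.exe are compared case-insensitively by -contains.
    $current = net localgroup Administrators
    if ($current -contains $member) {
        return "$member is already a member of Administrators"
    }

    $output = net localgroup Administrators /add $member 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "net localgroup failed (exit $LASTEXITCODE): $output"
    }

    # Verify by re-reading the group rather than trusting the success message.
    $after = net localgroup Administrators
    if ($after -notcontains $member) {
        throw "$member not found in Administrators after the add; check the UPN."
    }
    return "$member added to Administrators"
}

# Usage (elevated prompt):
# Add-AzureAdLocalAdmin -UserPrincipalName 'jane@contoso.com'
```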

Outlook keeps asking for password… Using Office 365 but on-premise exchange?

Starting in Outlook 2016 version 16.0.6741.2017, Microsoft enabled a new feature called Direct Connect to Office 365. What this feature does is connect Outlook directly to Office 365 if Autodiscover is not working. This is a great feature, but a network hiccup may cause your mailbox to connect to Office 365 rather than your on-premises Exchange, even with a valid Autodiscover record.

For Direct Connect to take effect the user must have an active mailbox in Office 365 with a valid license. Typically Direct Connect is a neat feature, unless you are in the middle of a migration to Office 365: at that point the user has exactly such a mailbox, so a network hiccup can incorrectly connect them to Office 365 even though you haven't completed your migration yet.

During Office 365 migrations from Hosted Exchange or on-premises Exchange, we recommend disabling this option in the user's registry:

You can stop Outlook from checking Office 365 for settings by setting a registry key.

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AutoDiscover
DWORD: ExcludeExplicitO365Endpoint
Value = 1

Then restart your computer and it should stop trying to connect to Office 365. When you are ready to flip the switch on your migration, remove this registry value again, otherwise Outlook will never find the Office 365 mailbox.

Here's a great article describing the whole thing in more detail…
https://www.enowsoftware.com/solutions-engine/autodiscover-dilemma
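One function for both of the per-user Outlook Autodiscover registry values on this page (ExcludeExplicitO365Endpoint from this post and AlwaysUseMSOAuthForAutoDiscover from the Outlook 2019 MFA post above), as an added example that is not code from the original posts. It refuses to run while Outlook is open, can set or remove the value, and returns what is actually in the registry afterwards rather than assuming the write succeeded.

```powershell
function Set-OutlookAutodiscoverSwitch {
    # Writes or removes one of the two per-user Outlook Autodiscover DWORDs
    # from these posts. Outlook must be closed; the value is read back so the
    # caller sees what actually ended up in the registry ($null = absent).
    param(
        [Parameter(Mandatory)]
        [ValidateSet('AlwaysUseMSOAuthForAutoDiscover', 'ExcludeExplicitO365Endpoint')]
        [string] $Name,

        [Parameter(Mandatory)]
        [ValidateSet('Set', 'Remove')]
        [string] $Action
    )

    # Each value lives under a different key; both are HKCU, so run as the user.
    $key = switch ($Name) {
        'AlwaysUseMSOAuthForAutoDiscover' { 'HKCU:\Software\Microsoft\Exchange' }
        'ExcludeExplicitO365Endpoint'     { 'HKCU:\Software\Microsoft\Office\16.0\Outlook\AutoDiscover' }
    }

    if (Get-Process -Name OUTLOOK -ErrorAction SilentlyContinue) {
        throw 'Outlook is running; close it before changing Autodiscover settings.'
    }

    if ($Action -eq 'Set') {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name $Name -PropertyType DWord -Value 1 -Force | Out-Null
    }
    else {
        Remove-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
    }

    # Read back: $null when the value (or whole key) is absent.
    $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int] $item.$Name
}

# Force OAuth for Autodiscover now instead of waiting for tenant propagation:
# Set-OutlookAutodiscoverSwitch -Name AlwaysUseMSOAuthForAutoDiscover -Action Set   # returns 1
# Stop Direct Connect to Office 365 during a migration, then undo it at cutover:
# Set-OutlookAutodiscoverSwitch -Name ExcludeExplicitO365Endpoint -Action Set       # returns 1
# Set-OutlookAutodiscoverSwitch -Name ExcludeExplicitO365Endpoint -Action Remove    # returns $null
```

Both values are per-user (HKCU), so a script pushed by a management tool has to run in the user's context, not as SYSTEM.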

Azure Active Directory Sync Export Fails with permission-issue

While working on an Azure AD Connect deployment we had a few users with export errors. The users seemed to sync to the cloud, so I was not fully aware of what the export error actually affected, but it was still there.

Anyway, I found the following article, which explains why you get the error and how to fix it. It's basically down to the security descriptor on the user object in AD: inheritance was disabled on those users, so the permissions delegated to the Azure AD Connect service account at the OU level never reached them and the export (write-back) failed. Enabling inheritance solved the issue and Azure AD Connect was able to export these identities.

User > Properties > Security > Advanced > Enable Inheritance

One caveat: if a user is (or once was) a member of a protected group such as Domain Admins, the object has adminCount set to 1 and the AdminSDHolder process (SDProp) will disable inheritance again within about an hour. For those accounts, remove them from the protected group and clear adminCount first, or the fix will not stick.

https://evotec.xyz/azure-ad-connect-completed-export-errors-permission-issue/
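The same fix done from PowerShell with the ActiveDirectory module, as an added example (not code from the original post or the linked article). It finds users whose object ACL is protected (inheritance disabled), enables inheritance while keeping the existing explicit ACEs, optionally clears adminCount so SDProp does not undo the change, and reads the ACL back. The adminCount filter is my assumption about where to look first; pass -Filter '*' for a full sweep.

```powershell
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory   # also provides the AD: drive used by Get-Acl / Set-Acl

function Get-UserWithBlockedInheritance {
    # Reports users whose object ACL does not inherit from the OU. adminCount=1
    # (the default filter here) marks the ones AdminSDHolder keeps resetting.
    param([string] $Filter = 'adminCount -eq 1')

    Get-ADUser -Filter $Filter -Properties adminCount | ForEach-Object {
        $acl = Get-Acl -Path "AD:\$($_.DistinguishedName)"
        if ($acl.AreAccessRulesProtected) {
            [pscustomobject]@{
                SamAccountName    = $_.SamAccountName
                adminCount        = $_.adminCount
                DistinguishedName = $_.DistinguishedName
            }
        }
    }
}

function Enable-UserAclInheritance {
    # Equivalent of Properties > Security > Advanced > Enable Inheritance.
    param(
        [Parameter(Mandatory)] [string] $DistinguishedName,
        [switch] $ClearAdminCount
    )

    $path = "AD:\$DistinguishedName"
    $acl  = Get-Acl -Path $path

    # First argument $false = stop protecting the ACL (enable inheritance);
    # second $true = keep the existing explicit ACEs instead of discarding them.
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path $path -AclObject $acl

    if ($ClearAdminCount) {
        # Without this, SDProp re-protects the ACL within about an hour as long
        # as the account is flagged. Remove it from protected groups as well.
        Set-ADUser -Identity $DistinguishedName -Clear adminCount
    }

    # False means inheritance is now enabled.
    return (Get-Acl -Path $path).AreAccessRulesProtected
}

# Usage:
# Get-UserWithBlockedInheritance | Format-Table
# Enable-UserAclInheritance -DistinguishedName 'CN=Jane Doe,OU=Staff,DC=contoso,DC=local' -ClearAdminCount
```

Run the report first and review who is on it; an account that legitimately belongs to a protected group should stay protected, and the right fix there is a separate, non-privileged account for the mailbox.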

Move a SSL certificate from Microsoft IIS 8 to Apache

To move an SSL certificate from Microsoft IIS 8 to Apache, the certificate and its private key must be exported as a PKCS#12 bundle (.p12 or .pfx) and then converted into two separate PEM files: the private key and the certificate.

Step 1: Export certificate in IIS 8

  1. From the web server, click Start
  2. In the Search programs and files field, type manage computer certificates
  3. From the search suggestions list, click Manage computer certificates
  4. At the permission prompt, click Yes
  5. Double click on the Personal folder, and then on Certificates.
  6. Right Click on the Certificate you would like to backup and choose > All Tasks > Export
  7. Follow the Certificate Export Wizard to backup your certificate to a .pfx file.
  8. Choose “Yes, export the private key”
  9. Choose “Include all certificates in the certification path if possible” (do NOT select the “Delete the private key if the export is successful” option)
  10. Enter a strong password you will remember; it protects the private key while the file is in transit
  11. Choose to save file on a set location
  12. Click Finish
  13. You will receive a message > “The export was successful.” > Click OK
  14. The .pfx file backup is now saved in the location you selected.

Step 2:  Convert PFX file to compatible files for Apache

Move the .pfx file to the Apache server over a secure channel (scp or similar), and delete it from any intermediate location afterwards, since it contains the private key.

To extract the private key, run the OpenSSL command:
openssl pkcs12 -in <filename>.pfx  -nocerts -out key.pem

Without the -nodes option OpenSSL writes key.pem encrypted under a new passphrase, and Apache will then prompt for it every time it starts; either add -nodes to the command above (and protect the file with permissions instead) or configure SSLPassPhraseDialog.

To extract the certificate, run the OpenSSL command:
openssl pkcs12 -in <filename>.pfx -clcerts -nokeys -out cert.pem

Note that -clcerts writes only the server certificate. If the export included intermediate CA certificates, extract them separately with -cacerts -nokeys into a chain file and reference it from the Apache SSL configuration, otherwise browsers that lack the intermediate will show a trust warning.
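Step 1 done from PowerShell on the IIS server instead of through the wizard, as an added example (not part of the original post). It checks that the store entry actually has a private key, exports with the chain included, and then re-opens the .pfx to confirm the key is inside before the file is shipped to Apache. The thumbprint and output path in the usage lines are placeholders; the OpenSSL conversion on the Apache side stays as described above.

```powershell
#Requires -Modules PKI

function Export-WebServerPfx {
    # Exports the certificate AND its private key from the machine store with
    # the chain included (the wizard's "Include all certificates in the
    # certification path"), then re-reads the file to prove the key went along.
    param(
        [Parameter(Mandatory)] [string]       $Thumbprint,   # placeholder: the site cert's thumbprint
        [Parameter(Mandatory)] [string]       $OutFile,      # placeholder, e.g. C:\temp\site.pfx
        [Parameter(Mandatory)] [securestring] $Password
    )

    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint"
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $Thumbprint has no private key in this store; there is nothing to move to Apache."
    }
    if ($cert.NotAfter -lt (Get-Date)) {
        throw "Certificate expired on $($cert.NotAfter); renew it rather than moving it."
    }

    try {
        Export-PfxCertificate -Cert $cert -FilePath $OutFile -Password $Password -ChainOption BuildChain | Out-Null
    }
    catch {
        # The usual cause: the key was generated without "mark as exportable".
        throw "Export failed (is the private key marked exportable?): $($_.Exception.Message)"
    }

    # Re-open the file and confirm the leaf certificate carries its private key.
    $pfx  = Get-PfxData -FilePath $OutFile -Password $Password
    $leaf = $pfx.EndEntityCertificates | Where-Object Thumbprint -eq $Thumbprint
    if (-not $leaf -or -not $leaf.HasPrivateKey) {
        throw "$OutFile does not contain the private key for $Thumbprint; do not ship it."
    }

    return [pscustomobject]@{
        File       = $OutFile
        Subject    = $leaf.Subject
        ChainCerts = @($pfx.OtherCertificates).Count   # intermediates/roots bundled alongside
        NotAfter   = $leaf.NotAfter
    }
}

# Usage (elevated prompt on the IIS server):
# $pw = Read-Host -AsSecureString 'PFX password'
# Export-WebServerPfx -Thumbprint 'A1B2C3...' -OutFile 'C:\temp\site.pfx' -Password $pw
```

ChainCerts in the result tells you whether any intermediates were bundled; if it is greater than zero, remember to pull them out on the Apache side with -cacerts as well as running the two commands above.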