Scenario:-
Microsoft 365 tenant, mainly using Exchange Online (Plan 1) licenses. I enabled MFA for a couple of users which works fine logging in to https://office.com
Users can access Outlook on the web without any problems and get notifications sent to the “Microsoft Authenticator” app to approve or SMS if they choose one of the other authentication options.
When it comes to Outlook 2019 they just repeatedly get asked for their email credentials in a standard type popup box as opposed to the newer MFA style popup that you see like when you login to https://office.com where it asks for email, then password, then MFA option.
I know this type of problems exists with older versions of Outlook 2013 and lower and there are workarounds for it but this is Office 2019!
Solution:-
After raising a support ticket with Microsoft and getting a call back pretty much straight away from a very knowledgeable “Support Ambassador” we managed to sort the problem. Turns out that if your tenant was created before 2017 (ours was 2014) then the default policies in place for the basic Azure type licenses that come with the lower tiered licenses like Exchange Online might not work very well when enabling MFA on a user account! Tenants created later than 2017 tend to work just fine.
Here’s what we did…
- Run PowerShell as admin
- Connect to Exchange Online (If user has MFA enabled) using the following steps:-
$MFA = New-Object -ComObject InternetExplorer.Application -Property @{Navigate2="https://cmdletpswmodule.blob.core.windows.net/exopsmodule/Microsoft.Online.CSE.PSModule.Client.application"}
The command above installs a module which then launches another PowerShell window.
- In the newly opened window enter the following:-
Connect-EXOPSSession
Enter your tenant administrator login information.
- Enter the following command:-
Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
This pretty much enables the use of MFA now for your Exchange Online tenant. It can take a few hours for things to propagate and for Outlook 2019 to make use of this. If you need to speed this process up you can add the following registry key to the users computer. Make sure to close Outlook first.
- HKEY_CURRENT_USER\Software\Microsoft\Exchange
- On the Edit menu, point to New, and then click DWORD Value.
- Type AlwaysUseMSOAuthForAutoDiscover, and then press Enter.
- Right-click AlwaysUseMSOAuthForAutoDiscover, and then click Modify.
- In the Value data box, type 1, and then click OK.
- Exit Registry Editor.
Open Outlook and you should now get the MFA type prompt as you would expect. I think if you continue to have problems then it’s worth deleting the Outlook profile on the computer and starting again.
The following article may also be of use as it goes into a lot more detail about how to enable or disable modern authentication for Outlook in Exchange Online https://docs.microsoft.com/en-us/Exchange/clients-and-mobile-in-exchange-online/enable-or-disable-modern-authentication-in-exchange-online
One last thing… enabling modern authentication for Outlook in Exchange Online wont affect any of your other users who may not have MFA setup.
Hopefully this may help someone somewhere one day!