Outlook 365/2016 for Office 365 accounts with 2FA enabled. Some tenants need to use App Passwords, others don't. Why is this?

  • Question

  • Hello all,

    We have an odd issue where once we enable 2FA for users in an Office 365 tenant, for some tenants, when they open Outlook after enabling 2FA, they put in their password and Outlook then prompts for the 2FA code. It works perfectly.

    For other tenants though, Outlook never prompts for the 2FA part. They just get the password prompt over and over again and we have to explain to them how to generate and use an app password to get Outlook to connect.

    Why is this?

    We would prefer if all tenants didn't need to use app passwords as it's easier for them.

    Thank you


    • Edited by technet usr Friday, August 10, 2018 10:06 AM
    Friday, August 10, 2018 10:05 AM

Answers

  • Hi,

    Thanks for the suggestion. We have tried a few steps like this and deleted/recreated the profile. The Outlook 2016/365 users don't get prompted for a server name etc and autodiscover takes care of everything.

    Setting up a new profile actually has the same behaviour. Some tenants can enter a standard password and get prompted for the 2FA to set up the profile, but others have to enter the app password to set up the new profile.

    Just to add, it seems that only newer tenants (created this year) have the smooth 2FA prompt, but older tenants (created several years ago) are the ones that have the app password requirement. That could be a coincidence, though I do remember reading something about "modern authentication" being turned on for new tenants, so this could be related?


    It would be enabled for all users in the tenant.

    Check with Exchange Online PowerShell. It should be set to true:

    Get-OrganizationConfig | FL OAuth2ClientProfileEnabled

    • Marked as answer by technet usr Friday, August 10, 2018 4:50 PM
    Friday, August 10, 2018 11:42 AM

All replies

  • Just a guess, but it could be they are using ActiveSync to connect to Office 365 and not the standard MAPI/HTTPS. Try creating a new profile and letting it set up things automatically and see if that works.
    Friday, August 10, 2018 11:09 AM
  • Hi,

    Thanks for the suggestion. We have tried a few steps like this and deleted/recreated the profile. The Outlook 2016/365 users don't get prompted for a server name etc and autodiscover takes care of everything.

    Setting up a new profile actually has the same behaviour. Some tenants can enter a standard password and get prompted for the 2FA to set up the profile, but others have to enter the app password to set up the new profile.

    Just to add, it seems that only newer tenants (created this year) have the smooth 2FA prompt, but older tenants (created several years ago) are the ones that have the app password requirement. That could be a coincidence, though I do remember reading something about "modern authentication" being turned on for new tenants, so this could be related?


    • Edited by technet usr Friday, August 10, 2018 11:24 AM
    Friday, August 10, 2018 11:22 AM
  • Yes that was it. OAuth2ClientProfileEnabled needed to be set to true.
    Friday, August 10, 2018 4:49 PM
  • Following on from enabling modern authentication, we are seeing that users are prompted for "Allow my organisation to manage my device" when they log in to Outlook for the first time. See attached screenshot.

    Allow my organisation to manage my device

    Use this account everywhere on your device

    Allow my organisation to manage my device (check box beside it)

    Link for "This app only"

    Yes button.

    We are asking users to click Yes and leave the "Allow my organisation to manage my device" option checked (default). This adds their Office 365 account to Start - Settings - Accounts in Windows 10.

    Is this correct or should we clear the "Allow my organisation to manage my device" option before clicking yes?

    The problem is some users have reported an issue where after a few days Outlook stops connecting and has the "needs password" message on the bottom right. But when you click on the "needs password" message, the box outline appears in the middle of the screen where you would expect to enter your credentials but it closes immediately.

    The workaround we found is to go into Start - Settings - Accounts and remove the Office 365 account. Close and reopen Outlook and it will ask for credentials again and connect.

    For some users this keeps happening to Outlook, so we are disabling modern authentication for them with the EnableADAL registry key and using an App Password to connect Outlook.

    Here is the key to disable modern authentication.

    HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Identity\EnableADAL dword:00000000


    Do you know if modern authentication is still in "beta"? It is not looking too stable for this test group.

    Thank you

    Wednesday, August 15, 2018 9:28 AM
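As an added example (not code from the thread), a PowerShell check that puts the tenant-side OAuth2ClientProfileEnabled flag from the accepted answer next to the per-user EnableADAL override from this post and states which Outlook sign-in behaviour to expect. It assumes an Exchange Online PowerShell session is already connected; the function names are this example's own.

```powershell
# Added example, not code from the thread. Reports whether Outlook 2016/365 on this
# machine can be expected to use modern authentication (password then MFA prompt) or
# fall back to basic auth (password prompt loop, app password required).
# Assumes an Exchange Online PowerShell session is already open (Connect-ExchangeOnline).

function Get-TenantModernAuthEnabled {
    # Tenant-wide switch the accepted answer checks; must be $true for the MFA prompt.
    $cfg = Get-OrganizationConfig
    return [bool]$cfg.OAuth2ClientProfileEnabled
}

function Get-OutlookEnableADAL {
    # Per-user Office client override from the later post. 0 forces legacy auth,
    # 1 enables modern auth, and an absent value means the Office default applies.
    $key  = 'HKCU:\SOFTWARE\Microsoft\Office\16.0\Common\Identity'
    $item = Get-ItemProperty -Path $key -Name EnableADAL -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.EnableADAL
}

function Get-ExpectedOutlookAuth {
    param([bool]$TenantEnabled, [Nullable[int]]$ClientEnableADAL)
    if (-not $TenantEnabled) {
        return 'Tenant modern auth off: password prompt loop, app password needed'
    }
    if ($ClientEnableADAL -eq 0) {
        # An app password authenticates without an MFA prompt, so this is the weaker state.
        return 'Client EnableADAL=0 forces legacy auth: app password needed, no MFA prompt'
    }
    return 'Modern auth: password then MFA prompt, no app password'
}

$tenant = Get-TenantModernAuthEnabled
$client = Get-OutlookEnableADAL
[pscustomobject]@{
    OAuth2ClientProfileEnabled = $tenant
    EnableADAL                 = $(if ($null -eq $client) { 'not set (default)' } else { $client })
    Expected                   = Get-ExpectedOutlookAuth -TenantEnabled $tenant -ClientEnableADAL $client
} | Format-List

# Tenant-side change the original poster applied (run once as an Exchange admin):
# Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
```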