The problem

I recently had a major issue where a client was seeing constant password prompts when multi-factor authentication (MFA) was enabled for access to Office 365 with his Outlook 2016 client. This client uses Office 365 2FA.

The cause

The issue is caused by the requirement for ‘Modern Authentication’. If you use Azure MFA as your multi-factor solution, Microsoft provides a workaround for the password loop problem: each user gets an App Password to use for any applications that do not support Modern Authentication or are not enabled for it. Not everybody likes using app passwords, though, since they are hard to manage and will place an extra workload on your Helpdesk.

The solution

The solution is to enable Modern Authentication, which is disabled by default for Exchange Online but enabled by default for SharePoint Online. Skype for Business Modern Authentication has just come out of public preview.

First of all, connect your PowerShell to Exchange Online in your Office 365 tenant, then run the following command:

Get-OrganizationConfig

This will present a lot of info, but the part we are interested in is the OAuth2ClientProfileEnabled property. By default, OAuth2ClientProfileEnabled is set to False. This means Modern Authentication is disabled for Exchange Online. Set this to True by running:

Set-OrganizationConfig -OAuth2ClientProfileEnabled:$true

Running Get-OrganizationConfig again should now show OAuth2ClientProfileEnabled set to True.

OK, now your tenant will accept Modern Authentication requests. Now we need to determine which applications will send the correct authentication. In my case Outlook 2016 now works fine with 2FA enabled.
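
The check, change and verification steps above can be combined into one script that only changes the setting when it is still False and reads it back afterwards. This is an added example, not code from the original post. It assumes the ExchangeOnlineManagement module (Connect-ExchangeOnline) is used for the connection; the function name, the -ReportOnly switch and the admin address are hypothetical.

```powershell
# Added example: check, enable and verify Modern Authentication for Exchange Online.
# Assumption: the ExchangeOnlineManagement module is installed.
function Enable-ExoModernAuth {          # hypothetical helper name
    param(
        [Parameter(Mandatory)]
        [string]$AdminUpn,               # account allowed to change organization settings
        [switch]$ReportOnly              # hypothetical switch: show the state, change nothing
    )

    Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false
    try {
        $enabled = (Get-OrganizationConfig).OAuth2ClientProfileEnabled
        Write-Host "OAuth2ClientProfileEnabled is currently: $enabled"

        if ($enabled) {
            Write-Host 'Modern Authentication is already enabled; nothing to change.'
            return $true
        }
        if ($ReportOnly) {
            Write-Host 'Report only: leaving Modern Authentication disabled.'
            return $false
        }

        Set-OrganizationConfig -OAuth2ClientProfileEnabled:$true

        # Read the setting back instead of assuming the change applied.
        $enabled = (Get-OrganizationConfig).OAuth2ClientProfileEnabled
        if (-not $enabled) {
            throw 'OAuth2ClientProfileEnabled is still False after Set-OrganizationConfig.'
        }
        Write-Host 'Modern Authentication is now enabled for Exchange Online.'
        return $true
    }
    finally {
        # Always close the session, even if a step above failed.
        Disconnect-ExchangeOnline -Confirm:$false
    }
}

# Constructed placeholder account; replace with a real admin UPN.
Enable-ExoModernAuth -AdminUpn 'admin@contoso.example' -ReportOnly
```

Run it with -ReportOnly first to record the current state, then without the switch to apply the change.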