Outlook unable to sign in to Office 365 email account after MFA Enabled.


I had a really thorny problem recently with a client who responded to a phishing email and their account was compromised.

As part of reviewing their account security, I enabled Multi-factor Authentication.

Everything went well signing back into the account, except on one device: Outlook on the user’s primary workstation.

For some reason, no matter what I tried, Outlook kept trying to sign in with legacy authentication, not modern authentication. No matter how I tried to configure the account, it would eventually pop up the Windows Security dialog box, asking for a username and password - and this was the end of the line. There was absolutely nothing that I could enter into this dialog box that would work. Not even an app-specific password.

I tried everything - creating a new profile in Outlook, even creating a totally new user account on the computer. Nothing worked.

I eventually found a forum post with what I think was the solution.

I had to update the tenancy settings via PowerShell, but in a cruel twist of fate, for some reason the Global Admin account had MFA turned on via SMS that I couldn’t disable.

This required me to download the Microsoft Exchange Online Remote PowerShell Module, which I could get via logging into the Exchange Admin Console for Office 365 and going to hybrid > setup and clicking the Configure button to download the module. Oh, this first required setting a hidden preference in the Chromium version of Microsoft Edge as well, just because, well why not at this stage?

After installing the module, I could log into PowerShell, and connect to Exchange Online with modern auth.

Then, it was a matter of running this one-liner:

Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

To check that this command worked:

Get-OrganizationConfig | Format-Table Name,OAuth* -Auto

I also, prior to this PowerShell tweak, set a registry key that may or may not have helped in the end, although it didn’t help at the time.

HKCU\Software\Microsoft\Exchange\AlwaysUseMSOAuthForAutoDiscover DWORD 1

Basically, after configuring that setting via PowerShell, Outlook was able to add the account straight away. That’s 3 hours of my life that I’ll never get back; hopefully this can save you from the same fate.
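The two settings above as a check-then-set script that verifies each change after making it. This is an added example, not the author's own script: the function names are hypothetical, and it assumes the Exchange Online PowerShell session is already connected with an account allowed to change organization settings.

```powershell
# Added example. Function names are hypothetical; cmdlets and the registry
# value are the ones named in the post.

function Enable-TenantModernAuth {
    # Run from the admin session connected to Exchange Online.
    $org = Get-OrganizationConfig
    if ($org.OAuth2ClientProfileEnabled) {
        Write-Host "Modern auth already enabled for '$($org.Name)'; nothing changed."
        return
    }

    Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

    # Re-read the setting instead of trusting that the Set call succeeded.
    $org = Get-OrganizationConfig
    if (-not $org.OAuth2ClientProfileEnabled) {
        throw "OAuth2ClientProfileEnabled is still False for '$($org.Name)'."
    }
    $org | Format-Table Name, OAuth* -AutoSize
}

function Set-OutlookOAuthAutodiscover {
    # Run on the affected workstation as the affected user (HKCU is per-user).
    $key  = 'HKCU:\Software\Microsoft\Exchange'
    $name = 'AlwaysUseMSOAuthForAutoDiscover'

    if (-not (Test-Path -Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }

    # Missing value reads as $null, so it is created below.
    $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    if ($current -ne 1) {
        New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
    }

    # Show the resulting value for the record.
    Get-ItemProperty -Path $key -Name $name | Select-Object -Property $name
}

# Admin session:      Enable-TenantModernAuth
# User's workstation: Set-OutlookOAuthAutodiscover
```

The tenant setting applies to the whole organization, while the registry value only affects the user profile it is written to.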
