Outlook unable to sign in to Office 365 email account after MFA Enabled.

I had a really thorny problem recently with a client who responded to a phishing email and their account was compromised.

As part of reviewing their account security, I enabled Multi-factor Authentication.

Everything went well signing back into the account, except on one device: Outlook on the user’s primary workstation.

For some reason, no matter what I tried, Outlook kept trying to sign in with legacy authentication, not modern authentication. No matter how I tried to configure the account, it would eventually pop up the Windows Security dialog box, asking for a username and password – and this was the end of the line. There was absolutely nothing that I could enter into this dialog box that would work. Not even an app-specific password.

I tried everything – creating a new profile in Outlook, even creating a totally new user account on the computer. Nothing worked.

I eventually found a forum post with what I think was the solution.

I had to update the tenancy settings via PowerShell, but in a cruel twist of fate, for some reason the Global Admin account had MFA turned on via SMS that I couldn’t disable.

This required me to download the Microsoft Exchange Online Remote PowerShell Module, which I could get by logging into the Exchange Admin Console for Office 365, going to hybrid > setup and clicking the Configure button to download the module. Oh, this first required setting a hidden preference in the Chromium version of Microsoft Edge as well, just because, well, why not at this stage?

After installing the module, I could log into PowerShell, and connect to Exchange Online with modern auth.

Then, it was a matter of running this one-liner:

Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

To check that this command worked:

Get-OrganizationConfig | Format-Table Name,OAuth* -Auto

I also, prior to this PowerShell tweak, set a registry key that may or may not have helped in the end, although it didn’t help at the time.

HKCU\Software\Microsoft\Exchange\AlwaysUseMSOAuthForAutoDiscover DWORD 1

Basically, after configuring that setting via PowerShell, Outlook was able to add the account straight away. That’s 3 hours of my life that I’ll never get back; hopefully this can save you from the same fate.
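
The two settings above as an idempotent check-and-set that records the value before and after each change. This is an added example, not part of the original post. It assumes an Exchange Online PowerShell session is already connected and that it runs as the affected Windows user; the function names are hypothetical.

```powershell
# Added example. Assumes an Exchange Online PowerShell session is already
# connected with an account allowed to run Get-/Set-OrganizationConfig.
# Function names are hypothetical.

function Enable-TenantModernAuth {
    # Read the current tenant-wide setting before changing anything.
    $before = (Get-OrganizationConfig).OAuth2ClientProfileEnabled
    if (-not $before) {
        Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
    }
    # Re-read the value instead of trusting that the Set call took effect.
    $after = (Get-OrganizationConfig).OAuth2ClientProfileEnabled
    [pscustomobject]@{
        Setting = 'OAuth2ClientProfileEnabled'
        Before  = $before
        After   = $after
        Changed = ($before -ne $after)
    }
}

function Set-OutlookAutodiscoverOAuth {
    # Per-user registry value from the post (HKCU), so this must run in the
    # affected user's own Windows session, not an elevated admin session.
    $path = 'HKCU:\Software\Microsoft\Exchange'
    $name = 'AlwaysUseMSOAuthForAutoDiscover'
    if (-not (Test-Path $path)) {
        New-Item -Path $path -Force | Out-Null
    }
    # $before is $null when the value does not exist yet.
    $before = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
    New-ItemProperty -Path $path -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
    $after = (Get-ItemProperty -Path $path -Name $name).$name
    [pscustomobject]@{
        Setting = "$path\$name"
        Before  = $before
        After   = $after
        Changed = ($before -ne $after)
    }
}

# Fail early if no Exchange Online session has loaded the cmdlets.
if (-not (Get-Command Get-OrganizationConfig -ErrorAction SilentlyContinue)) {
    throw 'Get-OrganizationConfig not found: connect to Exchange Online first.'
}

@(Enable-TenantModernAuth; Set-OutlookAutodiscoverOAuth) | Format-Table -AutoSize
```

Keeping the Before/After output with the incident notes documents what the tenant setting was when the account was compromised and when it was changed.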