Resolving multifactor authentication (MFA) issues in Outlook with Microsoft 365

For businesses using Microsoft 365, implementing multi-factor authentication (MFA) with conditional access policies is one of the most effective methods to secure your users’ accounts from unauthorized access. However, you can run into a few snags, especially when logging into Outlook. 

Problem – Cannot log into Outlook after implementing MFA 

One side-effect observed after MFA is enabled is that some users can no longer sign in to Outlook; instead they get a repeating username/password prompt like the one pictured below. The prompt may show that it is signing in to the ‘AzureAD’ domain (which is correct), but the sign-in never succeeds and no MFA challenge ever appears. The user stays locked out of Outlook until MFA is disabled for them or Outlook is exempted from MFA, neither of which is acceptable. 

So, what is happening? Although it is not obvious from the prompt, Outlook is connecting with what is known as legacy (basic) authentication: the client sends the username and password straight to the service, and that flow has no way to carry out the interactive MFA challenge. Azure AD rejects the password-only sign-in because MFA is required (the sign-in log records the failure, typically with error code 50076, “you must use multi-factor authentication”), Outlook responds by asking for the password again, and a user who signed in fine the day before is simply stuck. You can confirm this on an affected machine: hold Ctrl, right-click the Outlook icon in the system tray, choose ‘Connection Status’ and look at the ‘Authn’ column, where ‘Bearer*’ means modern authentication and ‘Clear*’ means basic authentication. 
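One way to see how widespread the problem is before changing anything is to look for sign-ins that used a legacy protocol. The PowerShell below is an added example, not code from the original article: it triages sign-in records of the shape returned by Get-MgAuditLogSignIn (Microsoft Graph PowerShell) or exported from the Azure AD sign-in log, and reports, per user and client protocol, how many attempts used legacy authentication and how many of those failed with error 50076 (MFA required but the client could not satisfy it). The records embedded in the script are constructed sample data; the user names, the rule of treating every ‘Client app’ value other than ‘Browser’ and ‘Mobile Apps and Desktop clients’ as legacy authentication, and the Get-MgAuditLogSignIn usage shown in the comment are assumptions to adapt to your tenant.

```powershell
# Added example, not from the original article. Runs offline against the
# constructed records below; replace $SignIns with live data, for instance
# (assumed usage, needs the Microsoft.Graph.Reports module and a reports-reader role):
#   Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'
#   $SignIns = Get-MgAuditLogSignIn -Top 2000

# Azure AD reports these two 'Client app' values for modern (OAuth 2.0) sign-ins.
# Anything else (Exchange ActiveSync, IMAP4, POP3, Authenticated SMTP, Outlook
# Anywhere, MAPI Over HTTP, Other clients, ...) reached the service with basic auth.
$ModernClientApps = @('Browser', 'Mobile Apps and Desktop clients')

function Get-LegacyAuthSignIn {
    <#
    .SYNOPSIS
    Summarises legacy-authentication sign-ins per user and protocol.
    #>
    param(
        [Parameter(Mandatory)] [object[]] $SignIn,
        [int] $MfaRequiredErrorCode = 50076   # "you must use multi-factor authentication"
    )
    $SignIn |
        Where-Object { $_.ClientAppUsed -notin $ModernClientApps } |
        Group-Object -Property UserPrincipalName, ClientAppUsed |
        ForEach-Object {
            $rows = $_.Group
            [pscustomobject]@{
                User         = $rows[0].UserPrincipalName
                ClientApp    = $rows[0].ClientAppUsed
                Attempts     = $rows.Count
                # Attempts that Azure AD refused because MFA was required and the
                # basic-auth client had no way to answer the challenge.
                BlockedByMfa = @($rows | Where-Object { $_.Status.ErrorCode -eq $MfaRequiredErrorCode }).Count
                LastSeen     = ($rows | Sort-Object -Property CreatedDateTime -Descending)[0].CreatedDateTime
            }
        } |
        Sort-Object -Property Attempts -Descending
}

# CONSTRUCTED sample sign-ins (not real log data, names are assumed). Alice's
# Outlook is stuck in basic auth and fails MFA; Bob's Outlook already uses modern
# auth; a multifunction printer still relays mail over authenticated SMTP.
$now = Get-Date
$SignIns = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example'; AppDisplayName = 'Office 365 Exchange Online'
                       ClientAppUsed = 'Outlook Anywhere (RPC over HTTP)'; CreatedDateTime = $now.AddMinutes(-30)
                       Status = [pscustomobject]@{ ErrorCode = 50076 } }
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example'; AppDisplayName = 'Office 365 Exchange Online'
                       ClientAppUsed = 'Outlook Anywhere (RPC over HTTP)'; CreatedDateTime = $now.AddMinutes(-25)
                       Status = [pscustomobject]@{ ErrorCode = 50076 } }
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.example';   AppDisplayName = 'Office 365 Exchange Online'
                       ClientAppUsed = 'Mobile Apps and Desktop clients'; CreatedDateTime = $now.AddMinutes(-20)
                       Status = [pscustomobject]@{ ErrorCode = 0 } }
    [pscustomobject]@{ UserPrincipalName = 'scanner@contoso.example'; AppDisplayName = 'Office 365 Exchange Online'
                       ClientAppUsed = 'Authenticated SMTP'; CreatedDateTime = $now.AddHours(-3)
                       Status = [pscustomobject]@{ ErrorCode = 0 } }
)

Get-LegacyAuthSignIn -SignIn $SignIns | Format-Table -AutoSize
```

Run against the constructed data, the table lists alice (Outlook Anywhere, 2 attempts, 2 blocked by MFA) and scanner (Authenticated SMTP, 1 attempt, 0 blocked); Bob does not appear because his client already uses modern authentication. Rows with a non-zero BlockedByMfa count are the users hitting the Outlook prompt described above, and rows with zero are the non-Outlook devices and applications that will break when basic authentication is switched off.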

Solution – Enforce Modern Authentication 

To make every Outlook client able to complete an MFA prompt, enable Modern Authentication (OAuth 2.0) for Exchange Online from the Microsoft 365 admin center and, at the same time, disable the basic (legacy) authentication protocols. With modern authentication on and basic authentication off, Outlook can no longer fall back to a password-only connection; it uses the OAuth sign-in flow, which redirects to Azure AD and prompts for MFA as expected. If you already use Conditional Access, a policy that blocks legacy authentication (targeting the ‘Exchange ActiveSync clients’ and ‘Other clients’ client apps) enforces the same rule at the identity layer and is worth adding as well, since it also covers clients other than Outlook. 

How to enforce Modern Authentication 

You will need M365 admin access to complete these steps: 

Go to your organization’s Microsoft 365 Admin center (admin.microsoft.com).  

From the left menu, click ‘Show all’, then go to Settings --> Org settings. Alternatively, type ‘modern authentication’ in the search box at the top to jump straight to the setting. 

In Org Settings, scroll down to and click on ‘Modern Authentication.’ 

Select the option ‘Turn on modern authentication for Outlook 2013 for Windows and later (recommended)’. Older Outlook clients are not supported: Outlook 2010 and earlier cannot use modern authentication at all, and Outlook 2013 only does so once the EnableADAL and Version registry values under HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity are both set to 1 (Outlook 2016 and later have it on by default). If you still run those versions, upgrading is strongly recommended. 

To force all Outlook clients to use only modern authentication, clear every box under ‘Allow access to basic authentication protocols’. Before you do, review the sign-in logs in Azure AD (filter on ‘Client app’ values other than ‘Browser’ and ‘Mobile Apps and Desktop clients’) to find older applications and devices that still depend on basic authentication, such as scanners or line-of-business systems relaying mail over SMTP, IMAP or POP; they will stop working the moment their protocol is disabled, so migrate or exempt them first. Once the basic authentication protocols are off, Outlook has no fallback and every client must sign in with modern authentication. Note that Microsoft has been disabling basic authentication in Exchange Online tenant-wide since October 2022 (SMTP AUTH excepted), so on a current tenant some of these boxes may already be unavailable. 
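The same change can be made from Exchange Online PowerShell, which is useful when you want to pilot the block on a few users while you review the sign-in reports, before making it the default for everyone. The script below is an added example and is not code from the original article. It assumes the ExchangeOnlineManagement module is installed, that the signed-in account holds the Exchange Administrator role, and that the policy name and the pilot user principal names are placeholders to replace with your own; the authentication-policy switches it relies on are the same ones the admin center page exposes as ‘Allow access to basic authentication protocols’.

```powershell
# Added example, not from the original article: enforcing modern authentication
# with Exchange Online PowerShell instead of the admin center.
Connect-ExchangeOnline

# 1. Record the current state before touching anything.
Get-OrganizationConfig | Format-List OAuth2ClientProfileEnabled, DefaultAuthenticationPolicy

# 2. Turn on modern authentication (OAuth 2.0) for Exchange Online. This is the
#    'Turn on modern authentication for Outlook 2013 for Windows and later' switch.
Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

# 3. Create an authentication policy that blocks basic authentication. Every
#    AllowBasicAuth* switch (ActiveSync, Imap, Pop, Smtp, OutlookService, Rpc,
#    MapiOverHttp, WebServices, ...) defaults to $false, so a policy created with
#    no Allow switches is equivalent to clearing every 'Allow access to basic
#    authentication protocols' box in the admin center.
$PolicyName = 'Block Basic Auth'   # assumed name; choose your own
if (-not (Get-AuthenticationPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $PolicyName | Out-Null
}

# 4a. Pilot: assign the policy to a few users first and invalidate their existing
#     refresh tokens so the policy applies within minutes instead of up to 24 hours.
$PilotUsers = @('alice@contoso.example', 'bob@contoso.example')   # assumed UPNs
foreach ($upn in $PilotUsers) {
    Set-User -Identity $upn -AuthenticationPolicy $PolicyName
    Set-User -Identity $upn -STSRefreshTokensValidFrom ([System.DateTime]::UtcNow)
}

# 4b. Roll-out: once the pilot users' Outlook prompts for MFA and nothing else
#     broke, make the policy the tenant default for everyone without an explicit one.
Set-OrganizationConfig -DefaultAuthenticationPolicy $PolicyName

# 5. Verify: every Allow* value should read False, and the pilot users should
#    show the policy name.
Get-AuthenticationPolicy -Identity $PolicyName | Format-List Allow*
Get-User -Identity 'alice@contoso.example' | Format-List AuthenticationPolicy
```

Keep the pilot step: a user who still needs one basic-auth protocol for a specific device can be left on a separate policy that allows only that protocol, rather than exempting them from MFA altogether.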

Success! Following these steps, all M365 users’ Outlook clients should now only use Modern Authentication to log into M365 mail, and multi-factor authentication prompts should work as expected.