Microsoft 365, Outlook, & MFA

July 12, 2020

When you enable multifactor authentication in Microsoft 365 (formerly Office 365) with an existing tenant, Outlook starts asking for a password and will not accept your current Microsoft 365 password.  You then need to use app passwords for Outlook, rather than standard MFA with your password and a second option such as the Microsoft Authentication app, Txt, E-mail, or call.  Those options work fine with access to Web and other Office Apps but not Outlook. See the following link to manage App Passwords; https://docs.microsoft.com/en-us/azure/active-directory/user-help/multi-factor-authentication-end-user-app-passwords#:~:text=To%20create%20app%20passwords%20using%20the%20Office%20365,password%2C%20and%20then%20select%20Next.%20More%20items…%20

You can however enable standard MFA methods for Outlook using powershell.  The credit for most of the instructions below goes to; https://www.petri.com/enable-modern-authentication-exchange-online

Instructions to enable MFA with Exchange On-line (paraphrased)

When asked for credentials, you need to use an O365 admin account that does not have MFA enabled.  I create one without an Office license just for this.

I use the PowerShell ISE but I suspect standard PowerShell run as admin will work as well

Connect to an Exchange PowerShell session by running the following 2 lines

$UserCredential = Get-Credential

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

This is not in the Petri link above, but you need to run the following line to allow running scripts

Set-ExecutionPolicy RemoteSigned

Test if MFA is already enabled.  Will return “false” if not enabled

Get-OrganizationConfig | ft name, *OAuth*

Assuming not enabled run

Set-OrganizationConfig -OAuth2ClientProfileEnabled:$true

Then run the following again to confirm now enabled, i.e. “True”

Get-OrganizationConfig | ft name, *OAuth*

Close session

Remove-PSSession $Session

I find it takes 30-60 minutes before the policy is applied and changes in use

Advertisement

Category:

E-mail, Exchange, MFA, Office, Outlook, PowerShell, Uncategorized

Leave a comment

Tagged with:

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

Tag Cloud

%d bloggers like this: