MFA Server (on-prem) and Outlook prompts Credentials

    Question

  • Hi Team,

    Recently we configured the MFA Server with ADFS. When we released the service, the Outlook client started to prompt all users for credentials. We removed all users from MFA Authentication in the ADFS console and left only some users, but the problem persists. We have many mailboxes in O365, but we have mailboxes in Exchange on-prem. We do not know why MFA generates this behavior.

    If you have any suggestions, that would be good for us.

    Regards. 


    MCP-ASP.NET With C#, MCTS SQLServer 2005 I&M

    Tuesday, January 30, 2018 5:22 PM

Answers

  • Hi Team

    I fixed my issue; I only enabled OAuth2ClientProfileEnabled in Exchange Online.

    • Set-OrganizationConfig -OAuth2ClientProfileEnabled:$true

    Thanks for your time.

    Regards.


    MCP-ASP.NET With C#, MCTS SQLServer 2005 I&M

    • Marked as answer by Daniel Mendoza Tuesday, February 6, 2018 7:35 AM
    Tuesday, February 6, 2018 7:35 AM
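
A check-then-enable sequence around the cmdlet in the accepted answer, as an added example that is not part of the original post. It assumes an Exchange Online PowerShell session is already connected with rights to read and change the organization config; the function name Enable-ModernAuthIfDisabled is hypothetical.

```powershell
# Added example, not from the thread. Assumes an already connected
# Exchange Online PowerShell session. The function name is hypothetical.
function Enable-ModernAuthIfDisabled {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # Record the current tenant-wide setting before touching anything.
    $before = Get-OrganizationConfig
    $result = [pscustomobject]@{
        Organization = $before.Name
        Before       = [bool]$before.OAuth2ClientProfileEnabled
        After        = [bool]$before.OAuth2ClientProfileEnabled
        Changed      = $false
    }

    # Nothing to do if modern authentication is already on.
    if ($result.Before) {
        Write-Verbose 'OAuth2ClientProfileEnabled is already True.'
        return $result
    }

    # -WhatIf / -Confirm are honoured here, so a production tenant can be
    # dry-run first.
    if ($PSCmdlet.ShouldProcess($before.Name, 'Set OAuth2ClientProfileEnabled to True')) {
        Set-OrganizationConfig -OAuth2ClientProfileEnabled:$true

        # Read the value back instead of assuming the change was applied.
        $after = Get-OrganizationConfig
        $result.After   = [bool]$after.OAuth2ClientProfileEnabled
        $result.Changed = $result.After -and -not $result.Before
        if (-not $result.After) {
            throw 'OAuth2ClientProfileEnabled is still False after Set-OrganizationConfig.'
        }
    }
    return $result
}

# Dry run first: reports the current state and what would change.
Enable-ModernAuthIfDisabled -WhatIf -Verbose

# Apply with an interactive confirmation prompt.
Enable-ModernAuthIfDisabled -Confirm
```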

All replies

  • Hi Daniel,
    You get a different subset of capabilities depending on whether you have a cloud-only deployment for Office 365 or a hybrid setup with single sign-on and Active Directory Federation Services (AD FS).

    If you have a hybrid setup, managed on-premises, and you manage user identity on-premises, you have the following choices:

    • Physical or virtual smart card (AD FS)
    • Azure MFA (module for AD FS)
    • Azure AD MFA

    Please refer to this Microsoft document for more details - Plan for multi-factor authentication for Office 365 Deployments

    Also have a read of this Microsoft document to ensure you have followed all necessary steps of MFA setup for Office 365 based on Outlook version - Set up multi-factor authentication for Office 365 users
    Further, I found this related thread in case you are hitting this issue - Outlook 2016 keep asking for credentials


    Tuesday, January 30, 2018 9:42 PM
    Moderator
  • What was your expected behavior? Sounds like you have enabled MFA at the O365 RP level. All Azure traffic will go through this RP since it is a federated domain. Users will get a 2nd prompt for all Azure-related traffic. On-prem EX, assuming O365 is accepting all emails. Then it is expected.

    Santhosh Sivarajan | Houston, TX | www.sivarajan.com
    ITIL,MCITP,MCTS,MCSE (W2K3/W2K/NT4),MCSA(W2K3/W2K/MSG),Network+,CCNA

    Wednesday, January 31, 2018 7:11 PM
  • Hi Team,

    Sorry for my late response. I did a test in my environment and the behavior is the same: when I filter users in ADFS to apply MFA authentication only for these users, the Outlook application automatically requests credentials for all users of the organization. This only happens in Outlook. If a user logs in to the O365 portal, MFA is applied and the access is correct. But for users who do not have MFA, Outlook always asks for credentials.

    I read about this behavior, and a possible solution is to enable Modern Auth in Exchange Online, but I do not know if it is correct. The environment is in production, so the changes must be made with care.

    Regards


    MCP-ASP.NET With C#, MCTS SQLServer 2005 I&M

    Friday, February 2, 2018 10:23 AM
  • Thanks for updating on the solution.
    Friday, February 9, 2018 10:53 PM
    Moderator