Mis-behaving Office 365 MFA and app passwords


TL;DR

If you have Office365 MFA enabled and Outlook constantly prompts you for a password for your Office365 account, you may need to enable Modern Authentication in your Office365 tenant.

Introduction

I’ve been using Office 365 for a long time and like a good citizen have MFA enabled for my account (in fact I have MFA enabled for everything that I can). MFA works great most of the time; however, it is a pain when it comes to applications that need to access your account but cannot perform the MFA dance.

When it comes to Office 365, the most common of these is Outlook. The typical workaround for Outlook is to use an app password - essentially a generated password that can be used by the application to bypass the MFA requirement. App passwords are a kludge - they are usually quite short and not very secure compared to a long password.

Recently Outlook on my Windows machines stopped working correctly: it would constantly prompt for a password and wouldn’t accept my app passwords or my actual password. After numerous attempts to fix the issue, including removing all the email accounts and trying to use the Support and Recovery Assistant for Office 365, I eventually stumbled across a solution that worked for me (as always, your mileage may vary!).

My setup

  • Office 365 E3 subscription
  • Latest Office applications installed on Windows 10 (1903)
  • Office MFA enabled and configured (enforced) for my account
  • Admin rights to my O365 tenant

Steps

  1. Remove any Outlook saved credentials using the Windows Credential Manager. Click Start, type in credential, open Credential Manager and select Windows Credentials.

  2. Remove any credentials associated with Office and your O365 account (Look for anything starting with MicrosoftOffice16...) - ensure you don’t remove credentials for accounts other than the problematic account.

  3. Go to your security profile and delete any previously created app passwords for Outlook. See instructions here for more details.

  4. This was the important step: you need to ensure Modern Authentication is enabled for your Office 365 tenant. Sign into your Office 365 Admin Center https://admin.microsoft.com using your O365 account (you will need admin permissions). From the navigation menu select Settings > Services & add-ins. From the list select Modern authentication and enable the option.

  5. Open Outlook and you should be prompted for your password for the relevant Office365 account - use your actual password (and follow any subsequent prompts). If you have multiple accounts in Outlook ensure you try opening the inbox for the problematic account to cause the password prompt.

  6. If you are still getting password prompts try removing the O365 account and re-adding it.
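
The same checks can be scripted. The following PowerShell is an added example, not part of the original post: it lists the cached MicrosoftOffice16 credentials for one account only (steps 1 and 2) and reads the Exchange Online organization setting OAuth2ClientProfileEnabled, which is the Exchange Online switch for modern authentication in Outlook (step 4). It assumes the ExchangeOnlineManagement module is installed; the account name and the -Apply switch are placeholders chosen for this example.

```powershell
# Added example, not from the original post.
# Without -Apply the script only reports what it would change.
param(
    [string]$Account = 'user@example.com',  # placeholder: the problematic O365 account
    [switch]$Apply
)

# Steps 1-2: collect cached Office credential targets from Credential Manager.
$officeTargets = cmdkey /list | ForEach-Object {
    if ($_ -match '^\s*Target:\s*(.+)$') { $Matches[1].Trim() }
} | Where-Object { $_ -like '*MicrosoftOffice16*' }

foreach ($target in $officeTargets) {
    if ($target -notlike "*$Account*") {
        # Belongs to another account (or is not account-specific): leave it alone.
        "Skipping (not $Account): $target"
        continue
    }
    if ($Apply) {
        cmdkey "/delete:$target"
    } else {
        "Would remove: $target"
    }
}

# Step 4: check, and optionally enable, modern authentication for the tenant.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline                      # interactive sign-in, needs admin rights

$enabled = (Get-OrganizationConfig).OAuth2ClientProfileEnabled
"Modern authentication enabled: $enabled"

if (-not $enabled -and $Apply) {
    Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
    "Modern authentication enabled: $((Get-OrganizationConfig).OAuth2ClientProfileEnabled)"
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run it once without -Apply to review the "Would remove" and "Skipping" lines before changing anything; app passwords (step 3) still have to be deleted from your security profile.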

Things to note

This “fix” may cause problems with older email clients so use at your own risk.

I have several Windows 10 PCs and an Android phone all of which are now working correctly once I enabled the Modern authentication option.
