Multi-factor Authentication (or MFA) in Office 365 is a great way to protect your company’s data, but setting it up can be a pain, especially with the various applications and systems that have to work with it. When I first set up MFA in Office 365, I was convinced you were required to use App Passwords for Outlook 2016 and iOS Mail. However, after a good bit of research, fiddling, and experimenting, I discovered the solution was much, much easier than I realized.
So here is a (brief) overview of how to set up MFA in Office 365, and have it work in Outlook and iOS Mail. [Note: this is written assuming you are using iOS 11 or later, where OAuth 2.0 is fully implemented.]
Fire Up PowerShell
The only way to have Outlook 2016 and iOS Mail work with Office 365 MFA without falling back to App Passwords is to enable OAuth 2.0 (which Microsoft calls Modern Authentication) in your tenant. Though documentation is sketchy, it appears that all newly created tenants in 2018 have OAuth 2.0 enabled by default. However, it cannot hurt to check.
- Log into your tenant via PowerShell (Exchange Online remote PowerShell):

# Relax the execution policy for this process only, not for the whole machine
Set-ExecutionPolicy RemoteSigned -Scope Process
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session

Note that this session signs in with Basic authentication, so it will not work for an admin account that already has MFA enforced; for that you need the Exchange Online PowerShell module and Connect-ExchangeOnline instead. Either way, run Remove-PSSession $Session when you are done so the session is not left open.
- Then, confirm whether or not OAuth 2.0 is enabled:
Get-OrganizationConfig | ft -Property *OAuth2ClientProfileEnabled*
- If it shows as false, simply type:
Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
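Here is the check-and-enable step above as a single script that verifies the change actually landed instead of assuming it. This is an added example, not code from the original post. It assumes an Exchange Online session is already imported as shown above (or opened with Connect-ExchangeOnline); the 15-minute timeout and the "Block Basic Auth" policy name are arbitrary choices for the example. The last function goes a step beyond the post: it blocks Basic authentication tenant-wide so App Passwords stop working, and it is defined but not called, because you only want to run it once every user has moved to OAuth 2.0.

```powershell
# Added example: confirm OAuth 2.0 (Modern Authentication) is on for the tenant,
# turn it on if it is not, and poll until the change is visible.
# Assumes an Exchange Online PowerShell session is already connected.

function Test-OAuth2Enabled {
    # Returns $true once the org config reports the OAuth 2.0 client profile as enabled
    return [bool](Get-OrganizationConfig).OAuth2ClientProfileEnabled
}

if (Test-OAuth2Enabled) {
    Write-Host "OAuth 2.0 is already enabled for this tenant."
} else {
    Write-Host "OAuth 2.0 is disabled; enabling it now..."
    Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

    # Propagation takes a few minutes; poll rather than assuming it is done.
    $deadline = (Get-Date).AddMinutes(15)   # arbitrary timeout for this example
    while (-not (Test-OAuth2Enabled)) {
        if ((Get-Date) -gt $deadline) {
            throw "OAuth 2.0 still shows as disabled after 15 minutes; check the tenant manually."
        }
        Start-Sleep -Seconds 30
    }
    Write-Host "OAuth 2.0 is now enabled."
}

function Block-BasicAuthTenantWide {
    # Optional hardening, only after every client has been moved to OAuth 2.0:
    # make a policy that denies Basic authentication the tenant default, so
    # App Passwords (which are Basic-auth credentials) no longer work.
    # A newly created authentication policy blocks Basic auth for all protocols.
    $policyName = "Block Basic Auth"   # arbitrary name for this example
    $policy = Get-AuthenticationPolicy -Identity $policyName -ErrorAction SilentlyContinue
    if (-not $policy) {
        $policy = New-AuthenticationPolicy -Name $policyName
    }
    Set-OrganizationConfig -DefaultAuthenticationPolicy $policy.Identity
    Write-Host "Default authentication policy set to '$policyName'; it can take hours to apply to existing sessions."
}

# Call Block-BasicAuthTenantWide only once Outlook and iOS Mail are all on OAuth 2.0.
```

Enabling OAuth 2.0 does not switch Basic authentication off; until you block it, an App Password (or a leaked password, on accounts without MFA enforced) still signs in over the legacy protocols.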
This will take a few minutes to fully propagate through your tenant. Once it has, you can turn on MFA for your users, and Outlook and iOS Mail will sign in using standard OAuth 2.0, with the MFA prompt handled in the sign-in flow, instead of App Passwords. Keep in mind that turning OAuth 2.0 on does not turn Basic authentication off: any App Passwords that already exist keep working until Basic authentication is blocked or the passwords are deleted.
But what if I have users already set up?
Outlook 2016 uses OAuth 2.0 (Modern Authentication) by default. So once the tenant change has propagated, a user only needs to close and reopen Outlook; it should then prompt them to sign in again and complete the MFA challenge.
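If a user's Outlook 2016 never prompts after the change, one thing worth checking on the client is whether Modern Authentication has been explicitly switched off in the registry. The check below is an added example, not from the original post; it reads the EnableADAL value under the Office 16.0 Identity key, which is the documented switch (Outlook 2016 treats an absent value as enabled), and it must be run as the affected user because the key lives under HKCU.

```powershell
# Added example: report whether Modern Authentication (ADAL / OAuth 2.0) has been
# disabled for Office 2016 on this Windows machine. Run in the affected user's session.
$key = 'HKCU:\Software\Microsoft\Office\16.0\Common\Identity'
$value = Get-ItemProperty -Path $key -Name EnableADAL -ErrorAction SilentlyContinue

if ($null -eq $value) {
    Write-Host "EnableADAL is not set; Outlook 2016 uses Modern Authentication by default."
} elseif ($value.EnableADAL -eq 0) {
    Write-Host "EnableADAL is 0: Modern Authentication is disabled, so Outlook will fall back to Basic auth and need an App Password."
    # To re-enable it, set the value to 1 (or remove it) and restart Outlook:
    # Set-ItemProperty -Path $key -Name EnableADAL -Value 1
} else {
    Write-Host "EnableADAL is $($value.EnableADAL): Modern Authentication is enabled."
}
```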
iOS, on the other hand, is not as clean. As of iOS 12, the easiest way to make Mail use OAuth 2.0 instead of an App Password is to delete the Exchange account and add it again; the new account set-up walks the user through the browser-based sign-in and the MFA prompt. Once mail is flowing again, have the user delete the old App Password from their MFA settings so that credential can no longer be used to sign in.