Office 365 – MFA with Outlook and/or iOS Mail not working?
Multi-factor authentication (MFA) in Office 365 is an excellent way to protect your company’s data, but setting it up can be a pain, especially across different applications and systems. When I first set up MFA in Office 365, I was convinced App Passwords were required for Outlook 2016 and iOS Mail. After a good bit of research, fiddling, and experimenting, however, I discovered the solution was much, much easier than I had realized.
So here is a (brief) overview of how to set up MFA in Office 365, and have it work in Outlook and iOS Mail. [Note: this is written assuming you are using iOS 11 or later, where OAuth 2.0 is fully implemented.]
Fire Up PowerShell
The only way to have Outlook 2016 and iOS Mail work with Office 365 MFA is to enable OAuth 2.0 (modern authentication) in your tenant. Though documentation is sketchy, it appears that all tenants created in 2018 have OAuth 2.0 enabled by default. However, it cannot hurt to check.
- Connect to your tenant via PowerShell:
# Allow locally created scripts and signed remote scripts to run in this session
Set-ExecutionPolicy RemoteSigned
# Prompt for the admin account's username and password
$UserCredential = Get-Credential
# Open a remote session to Exchange Online. Note that this uses Basic
# authentication, so it only works for an admin account that is not itself
# MFA-enabled (see the comment below about Connect-EXOPSSession for that case).
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
# Load the Exchange Online cmdlets into the local session
Import-PSSession $Session
- Then, confirm whether or not OAuth 2.0 is enabled:
Get-OrganizationConfig | ft -Property *OAuth2ClientProfileEnabled*
- If it shows as false, simply type:
Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
This will take a few minutes to fully propagate through your tenant. Once it has, you will be able to turn on MFA for your users, and they will authenticate with standard OAuth 2.0 to complete MFA instead of using App Passwords.
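The check-then-enable steps above, wrapped into one idempotent function as an added example (this is not code from the original post). It assumes an Exchange Online PowerShell session already exists, either from the New-PSSession/Import-PSSession steps above or from the ExchangeOnlineManagement module’s Connect-ExchangeOnline, and it supports -WhatIf so the change can be previewed before it touches the tenant.

```powershell
# Added example, not from the original post. Assumes an existing Exchange
# Online PowerShell session that exposes Get-/Set-OrganizationConfig.
function Enable-OAuth2ClientProfile {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # How long to wait for the change to become visible in the tenant config.
        [int]$TimeoutSeconds = 600,
        # How often to re-read the config while waiting.
        [int]$PollSeconds = 30
    )

    $current = (Get-OrganizationConfig).OAuth2ClientProfileEnabled
    Write-Verbose "OAuth2ClientProfileEnabled is currently: $current"

    # Nothing to do if modern authentication is already on (the 2018 default).
    if ($current) {
        Write-Host "OAuth 2.0 (modern authentication) is already enabled."
        return $true
    }

    # -WhatIf prints the intended change and returns here without applying it.
    if (-not $PSCmdlet.ShouldProcess("Organization config", "Enable OAuth2ClientProfileEnabled")) {
        return $false
    }

    Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

    # The change takes a few minutes to propagate; poll until the tenant
    # config actually reflects it instead of assuming the Set succeeded.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds $PollSeconds
        $current = (Get-OrganizationConfig).OAuth2ClientProfileEnabled
        Write-Verbose "$(Get-Date -Format s): OAuth2ClientProfileEnabled = $current"
    } until ($current -or (Get-Date) -gt $deadline)

    if (-not $current) {
        Write-Warning "Setting not yet visible after $TimeoutSeconds seconds; re-run the check later."
    }
    return [bool]$current
}

# Usage: preview first, then apply with progress output.
# Enable-OAuth2ClientProfile -WhatIf
# Enable-OAuth2ClientProfile -Verbose
```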
But what if I have users already set up?
OAuth 2.0 is the default method Outlook 2016 uses to connect when MFA is enabled. Thus, once the setting has propagated, the next time a user closes and reopens Outlook it should prompt them for their MFA credentials.
For iOS on the other hand, it is not as clean. As of iOS 12, the easiest method to force it to use OAuth 2.0 instead of an App Password is to delete and re-add the Exchange account.
Hi, I just want to say that this post saved my life during a deployment and hours and hours of troubleshooting and headache.
An outstanding share! I’ve just forwarded this onto a co-worker who has been conducting a little homework on this. And he actually bought me dinner because I stumbled upon it for him… lol. So let me reword this…. Thanks for the meal!! But yeah, thanx for spending time to talk about this issue here on your web site.
I just went through this process and it also seemed to me we would need to use the App, which is not the case.
Also, my Outlook client kept “Not Responding” until I ran your commands above.
So, thank you.
I can see how this simplifies setup – thanks for the tip.
Thanks for the information! This set me on the proper path for resolution but did not work for me as described. My problem is that with MFA enabled I was not able to connect using PowerShell. I needed to log into Office365, go to Exchange Admin, Hybrid (navigation on left), and configure multi-factor authentication. This needs to be done with IE; Edge did not work. It runs some code and opens PowerShell. I ran Connect-EXOPSSession -UserPrincipalName and then used Set-OrganizationConfig -OAuth2ClientProfileEnabled $true. Your article was a great help. Thanks!
So MFA has caused some issues in the past with PowerShell. Typically having Chrome or Firefox as your default helps. Lemme guess… you would get an odd blank rectangle pop up when using PowerShell, it would disappear, and then you’d get an error?
Glad the article helped though!
I’ve tried these steps but it still doesn’t work. I’ve spent so much time trying to resolve this but no luck. We’ve set up MFA for all users; however, when trying to set up an account, it just prompts for the password over and over again. Granted, we manage our devices with Intune so it automatically reroutes the setup to log in to Intune. Any suggestions?
Unfortunately my experience with Intune is extremely limited, but it sounds as if Intune is set to act as a proxy for the logins. I’m curious, have you attempted to set up a non-corporate iPhone and iOS to use Exchange?