
ChrisF.49334 (Customer) asked a question.
I've federated our Office 365 tenant with Okta and enabled MFA for the application in Okta. Outlook on the desktop does not authenticate with MFA but shows single factor in AzureAD sign-in logs.
In AzureAD Modern Authentication is enabled. I disabled basic authentication for my account by running Set-CASMailbox -PopEnabled $false -ImapEnabled $false -MAPIEnabled $false
When I restart Outlook on my desktop, it redirects to Okta for MFA as it should, but Outlook never connects and stays in 'disconnected' state.
I tried setting up Conditional Access policy for my account in AzureAD and enforced MFA for Office apps but still, outlook does not connect.
The only way I can get Outlook to connect is to roll back the changes with Set-CASMailbox -PopEnabled $true -ImapEnabled $true -MAPIEnabled $true on my account. Then I have to delete the profile and the account in Windows settings, re-open Outlook and sign in again.
Microsoft's official answer is to edit the registry for Outlook, but I'm not telling my users to go edit the registry. That's just insane when Outlook 365 should already prefer MFA/modern authentication. We can't tell our users to delete their profile and make other changes to their devices; that's just bad support. Our infrastructure should work without involving our users as Jr Administrators.
What am I missing? Something in our AzureAD must be incorrect or disabled but I've got no help from Microsoft on this.
Any help is greatly appreciated.
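An added example, not from this thread or from Okta or Microsoft support, showing the Exchange Online side of the problem described above: the Set-CASMailbox switches in the question turn protocols off (MAPIEnabled $false removes the MAPI over HTTP protocol that desktop Outlook needs even with Modern Authentication), whereas an Exchange Online authentication policy blocks only Basic authentication and leaves OAuth clients working. Assumes the ExchangeOnlineManagement module and an admin session; the mailbox address and policy name are placeholders.

```powershell
# Added example (not from the thread). Assumes Connect-ExchangeOnline has been run.
$Mailbox = "user@contoso.example"   # placeholder address

# What the question did. MAPIEnabled $false disables MAPI for the mailbox, which is
# the protocol desktop Outlook uses regardless of Basic vs. Modern Authentication,
# so Outlook stays "disconnected". Shown for reference, not to run:
# Set-CASMailbox -Identity $Mailbox -PopEnabled $false -ImapEnabled $false -MAPIEnabled $false

# Keep the protocol on; Modern Authentication cannot help a mailbox that has no MAPI.
Set-CASMailbox -Identity $Mailbox -MAPIEnabled $true
Get-CASMailbox -Identity $Mailbox | Select-Object PopEnabled, ImapEnabled, MAPIEnabled

# An authentication policy targets the authentication method, not the protocol:
# every Basic-auth path is refused while MAPI, EWS, Autodiscover etc. stay available
# to clients that sign in with OAuth (Modern Authentication). Listing each switch
# explicitly makes the review easier; a policy created with no switches blocks all of them.
New-AuthenticationPolicy -Name "Block Basic Auth" `
    -AllowBasicAuthActiveSync:$false `
    -AllowBasicAuthAutodiscover:$false `
    -AllowBasicAuthImap:$false `
    -AllowBasicAuthMapi:$false `
    -AllowBasicAuthOfflineAddressBook:$false `
    -AllowBasicAuthOutlookService:$false `
    -AllowBasicAuthPop:$false `
    -AllowBasicAuthPowershell:$false `
    -AllowBasicAuthReportingWebServices:$false `
    -AllowBasicAuthRpc:$false `
    -AllowBasicAuthSmtp:$false `
    -AllowBasicAuthWebServices:$false

# Pilot on one mailbox first. Assigning the policy can take up to 24 hours to apply;
# resetting the refresh-token validity forces the client to re-authenticate now.
Set-User -Identity $Mailbox -AuthenticationPolicy "Block Basic Auth"
Set-User -Identity $Mailbox -STSRefreshTokensValidFrom ([System.DateTime]::UtcNow)
Get-User -Identity $Mailbox | Select-Object UserPrincipalName, AuthenticationPolicy

# Once Outlook reconnects through Okta with MFA and the Azure AD sign-in log shows
# the interactive (modern) sign-in, make the policy the tenant default:
# Set-OrganizationConfig -DefaultAuthenticationPolicy "Block Basic Auth"
```

Blocking legacy authentication in the Okta sign-on rules, as the thread also discusses, is complementary: the Exchange policy stops Basic-auth requests that never reach Okta, while the Okta rule governs the federated sign-in itself.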

Hi, @ChrisF.49334 (Customer)
Thank you for posting on our Community page!
I have done some research and found this article that might help with your use case:
https://help.okta.com/oie/en-us/Content/Topics/Provisioning/azure/haad-join/modify-o365-sign-on.htm
Hope this helps.
Thank you for reaching out to our Community and have a great day!
_____________________________________________________________________________
Community members help others by clicking Like or Select as Best on responses. Try it today.
_____________________________________________________________________________
Thank you for your response. I should have mentioned that we are using on prem AD as our primary IDP. Account creation starts with our Active Directory on prem and is synchronized with AzureAD. We import some security groups into Okta from our on prem AD.
In the article you linked to, it sounds like authentication via WINLOGON uses legacy authentication. Is this the default for the Outlook 365 desktop app? It shouldn't be using basic authentication right?
I was under the impression that Microsoft will disable basic/legacy authentication in January 2023, but it's still available for us. When they eventually disable it, will Outlook stop working too? We are using modern authentication and the latest Office 365 Outlook app, so I'm confused about why Outlook will not connect when I disable basic authentication.
We need to get away from basic authentication and use modern authentication. So if this is the only way we can still use the Outlook desktop app why would Microsoft make such a push to remove basic authentication?
I am confused about how this should be handled if we have to make provisions with rules to only allow basic auth in certain network zones. Eventually none of the basic authentication will be supported so it seems like a temporary fix. Did I misunderstand the plan for basic auth deprecation?
I really appreciate your help with this!
Hi, @ChrisF.49334 (Customer)
The article states, “Therefore, we recommend minimizing the use of legacy authentication.
This procedure involves the following tasks:
I am not up to speed with Microsoft’s deprecation schedule, I guess the best solution is to ask on their Community page.
I think we have a miscommunication.
We intend to eliminate legacy authentication. We've configured sign-on rules and when I block legacy authentication, Outlook on the desktop does not work.
I've also enabled "Enable Azure AD to use Okta Multifactor authentication for Azure AD step-up authentication" in the Office 365 sign-on rules, but that has not helped either.
Regardless of MS deprecation schedule, I want to remove all legacy auth from our environment but it seems I'm missing something.
Thanks for reading my question and your quick response.