Hero Banner

Multi-Factor Authentication (MFA)

Learn and ask questions on how to implement MFA

Reply
Level 2 Contributor

MFA for CSP

Hi,

 

I received an e-mail a few days ago requesting me to activate MFA for me as a CSP and all my tenants and users.

 

I don't want my customers to sign up for Azure AD premium, not for that reason. I prefer implemeting the free solution called "baseline protection policies".

 

First of all, I did it for me only for testing. I enabled all the 4 policies but I ran into trouble with Outlook for Windows after that.

 

On my smartphone (Outlook) or on the web (portal), I received a code by SMS just after trying to sign in. But on Outlook for Windows it requested my password again and again without saying me "we have sent you a code to your phone number XXXX". Si impossible to receive my e-mails. Precision : Microsoft Office is up-to-date.

 

Then I tried to delete my Outlook profile and set it up again. Trouble again : autodiscover doesn't work anymore !

 

After desactivating all 4 policies everything was working well again : mail, autodiscover, etc.

 

So yes it's not a problem to enable MFA but if me or my customers cannot get access to their mails, contacts and calendars after that this is a big problem.

 

Have you also experienced the same thing ?

 

Regards,

 

Sebastien

 

 

1 ACCEPTED SOLUTION
Level 2 Contributor

Hi 

 

 

 

 

 

 

 

 

 

View solution in original post

5 REPLIES 5
Level 2 Contributor

I know you said Outlook was up to date, but what actual version of Outlook are you running? If it's based on 2016, you should be fine, but if it's 2013 you need to enable Modern Auth, or use an app password.

 

I would also ensure that you have Modern Auth enabled in both your Exchange Online and Skype Online (if you use it) tenants. I would think so since your phone app seemed to work ok, but for a long time modern auth was off by default for Exchange and Skype, but on for SharePoint.

 

One last thing, if both of those things look good, we've had a few very rare instances where the Outlook app on a Windows desktop goes into an authenttication loop, and the only thing that fixes it is to go into Credential Manager and delete all Office/O365 related items being stored. Then re-start Outlook, and it prompts once for a password, and then triggers the MFA code as expected.

Level 2 Contributor

Hi kcears and thank you for your reply.

 

I'm using the latest version downloaded from the portal, in the apps list (appwiz.cpl) it says "Microsoft Office 365 ProPlus".

 

At the first try, I enforced all the four rules. Now I'm running with just one rule for the admins (which I'm part of). It works but it takes a long long time for Outlook to load my profile (several minutes where it took seconds before). When trying autodiscover from Microsoft Outlook (right-click on the tray icon) it's now working.

 

Some of my Exchange Online customers are using old versions of Outllok (2007 or 2010). What will be the impact for them ? Do I need to enforce all four rules or just the first two are enough (admins and users) ?

 

Thanks a lot,


Sebastien

 

 

Level 2 Contributor

It took so long to launch Outlook that I decided to delete my profile and to start over again.

 

Outlook asks me for my e-mail address, then I see a prompt for the password (login, password, and remember password checkbox). Nothing about asking me a double factor authentication (modern auth), it just says "something went wrong would you like to configure your account manually".

 

When I disable the "admins rule" it works again perfectly. From my point of view, Microsoft asks us to enforce these rules but it is not ready for production !

 

That's a big problem for two reasons :

  • I won't be able to transact on CSP website without MFA, Microsoft says
  • Will I get those kind of problems with my tenants ? What will they say if they do not receive their emails anymore ?

As a CSP I'm not very happy to be forced to do something that will crash my customers's mail system.

 

Regards,

 

Sebastien

 

 

 

Microsoft

@sebmaj : Generally there is no requirement to enforce MFA on each of your customers tenant, the MFA requirement is mandatory only for the Partner tenant. 

 

The problem you are facing sounds a bit like modern authentication was disabled in outlook. If this has been done, there will be no MFA prompt.

While you can always contact Outlook app support if you experience ongoing problems, there are a few things you might try first:

 

This documentation explains on how to enable modern authentication in the service:

 
If this does not change anything, I have heard from Partners that this registry key helped resolving similar issues - I would  still recommend to contact support to check if the recommend applying this:
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity
DisableADALatopWAMOverride 
dword value 1
 
If for other reasons you can not use modern authentication for Outlook, you can create app passwords for the outlook app also (This requires that MFA is enabled for the given user account, the option to create app passwords does not appear when using only Conditional access or baseline policies:
 
Kind regards,
Janosch
Level 2 Contributor

Hi 

 

 

 

 

 

 

 

 

 

View solution in original post