We had an Australian client who upgraded from an M365 Business Standard to an M365 E5 license, and we also activated multi-factor authentication (MFA) for all the users in the tenant. Everything worked as expected, without issues, until we needed to set up a Windows device for a new employee. We could not set up Outlook 365 for their MFA-enabled user account: a “Something went wrong and Outlook couldn’t set up your account” error came up without even asking for a password. We scratched our heads for a long time and then decided to turn off MFA for that user. Of course, that solved the issue and the user could log in as normal.
While MFA can be re-activated for the user afterward, that is a workaround, not a solution. Searching the web and the official threads on the Microsoft support forum returned no good solution for the issue. Most suggest we need to turn on modern authentication – which is the case if using a version of Outlook below 2016 – but we don’t think it would be an issue for Outlook 365. Some suggest the autodiscover record of the domain was not set properly, but if that were true, it would not work even with MFA turned off.
In summary, the 3 suggested solutions we found did not work in our case. They are:
- Make sure you have internet connection, and you are using a public DNS such as Google DNS so the domain is resolved correctly.
- If you are using Outlook 2013 or older, you need to set registry keys to enable modern authentication.
- Make sure the DNS records for your domain are correct, especially the CNAME record for autodiscover.
Until one day we stumbled across the solution: enabling the organisation-wide setting OAuth2ClientProfileEnabled using PowerShell. It is a setting only accessible using PowerShell. The setting was false by default; all we needed was to set it to true.
See the tutorial below to enable the setting if you face the same issue after MFA is enabled.
First, launch PowerShell as administrator.
Then, run the commands below:

    Install-Module ExchangeOnlineManagement
    Import-Module ExchangeOnlineManagement
    Connect-ExchangeOnline
    Set-OrganizationConfig -OAuth2ClientProfileEnabled:$true

The first two commands install and load the “ExchangeOnlineManagement” PowerShell module, which provides a set of functions to connect to the tenancy and to change Exchange Online settings. If you are asked to trust the repository, press [Y]. A login prompt will display once “Connect-ExchangeOnline” is executed. Log in with an account that has Global or Exchange Administrator privileges. The last command enables the OAuth2ClientProfileEnabled setting, which the Outlook client can use to carry out MFA authentication.
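The same procedure as a script that reads the current value first, changes it only when needed, and confirms the result before disconnecting. This is an added example, not part of the original post; the `$AdminUpn` parameter is a hypothetical name for the admin sign-in address.

```powershell
# Added example: check, enable and verify OAuth2ClientProfileEnabled.
# $AdminUpn is a hypothetical parameter name (assumption); pass an account
# with Global or Exchange administrator rights.
param(
    [Parameter(Mandatory = $true)]
    [string]$AdminUpn
)

$ErrorActionPreference = 'Stop'

# Install the module only if it is not already present on this machine.
if (-not (Get-Module -ListAvailable -Name ExchangeOnlineManagement)) {
    Install-Module ExchangeOnlineManagement -Scope CurrentUser
}
Import-Module ExchangeOnlineManagement

# Interactive sign-in; the MFA prompt appears here.
Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false
try {
    # Record the value before touching it, so the change is auditable.
    $before = (Get-OrganizationConfig).OAuth2ClientProfileEnabled
    Write-Host "OAuth2ClientProfileEnabled before: $before"

    if ($before) {
        Write-Host 'Setting is already True; no change made.'
    }
    else {
        Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

        # Read the value back instead of assuming the change was applied.
        $after = (Get-OrganizationConfig).OAuth2ClientProfileEnabled
        if (-not $after) {
            throw 'OAuth2ClientProfileEnabled still reads False after Set-OrganizationConfig.'
        }
        Write-Host "OAuth2ClientProfileEnabled after: $after"
    }
}
finally {
    # Always close the admin session, even if a step above failed.
    Disconnect-ExchangeOnline -Confirm:$false
}
```

If the script reports that the setting was already True, this fix does not apply to your tenant and the Outlook error has a different cause.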
If you ever need assistance with the deployment or management of M365 products, Concentric Digital is a Microsoft Certified Partner, Microsoft 365 Cloud Service Provider (CSP) and Authorized Surface Device Reseller. We can help your business adapt to Microsoft Cloud and improve the productivity of your organisation. From Microsoft Surface and M365 deployment to mobile device management (MDM), our deployment services ensure the devices will be delivered with only the build and software your workers need and nothing they don’t, and that devices are built in accordance with your security policies and industry best practices. Interested? Contact Concentric Digital for an obligation-free consultation.
Facing the same Outlook 365 authentication issue with MFA enabled, but have another solution instead? Let us know by leaving us a comment.