I recently had a major issue where a client was seeing constant password prompts when multi-factor authentication (MFA) was enabled for access to Office 365 through AD FS. This particular client was using Symantec VIP for MFA but I have had reports that other MFA solutions also cause the same issue. As you continue reading this post you will understand why.
The issue is caused by the requirement that 'Modern Authentication' be used: a client that falls back to Basic Authentication cannot complete the MFA challenge, so it keeps prompting. If you use Azure MFA as your multi-factor solution, Microsoft provide a workaround for the password loop problem. Each user gets an App Password to use for any applications that do not support Modern Authentication, or that are not enabled for it. Not everybody likes using app passwords, though, since they are hard to manage and place an extra workload on your Helpdesk.
The solution is to enable Modern Authentication, which is disabled by default for Exchange Online but enabled by default for SharePoint Online. Skype for Business Modern Authentication has just come out of public preview.
First of all, connect PowerShell to Exchange Online in your Office 365 tenant, then run the following command: Get-OrganizationConfig
This will present a lot of info but the part we are interested in is illustrated below:
As you can see, OAuth2ClientProfileEnabled is set to False. This means Modern Authentication is disabled for Exchange Online. Set this to True by running:
OK, now your tenant will accept Modern Authentication requests. Next we need to determine which client applications will send the correct kind of authentication request.
Office 2016 defaults to Modern Authentication but falls back to Basic Authentication if Modern Authentication fails.
Office 2013 is a little more complicated. Office 2013 sends Basic Authentication unless the following 2 registry keys are added in the user's session. Another very important thing to bear in mind is that the minimum version of Office 2013 that supports Modern Authentication and MFA is 15.0.4701.1002; anything older will not work.
Sometimes users do see the Modern Authentication window appear, but it is accompanied by a message advising that your administrator has disabled this feature. If this happens to you, ensure the following 2 registry keys are also present:
When these are added, the Office 2013 client will, by default, send a Modern Authentication request and fall back to Basic only if that fails. This is a prerequisite for getting an environment like this working with Multi-Factor Authentication.
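One way to check both halves of the procedure above from PowerShell, as an added example that is not code from the original post. It assumes an already-open Exchange Online PowerShell session for the tenant check and reads the Office 2013 build from OUTLOOK.EXE (locating it via the Outlook InstallRoot key is an assumption); the EnableADAL and Version registry values it checks are the ones Microsoft documents for Office 2013 Modern Authentication, which the post refers to without listing.

```powershell
# Added example, not code from the original post. Checks the Exchange Online tenant
# setting and, on an Office 2013 workstation, the minimum build and the registry values.

# Tenant side. Assumes an Exchange Online PowerShell session is already open
# (e.g. via Connect-ExchangeOnline from the ExchangeOnlineManagement module).
function Test-TenantModernAuth {
    param([switch]$Enable)   # -Enable changes the setting instead of only reporting it
    $cfg = Get-OrganizationConfig
    if (-not $cfg.OAuth2ClientProfileEnabled) {
        Write-Warning 'OAuth2ClientProfileEnabled is False: Modern Authentication is off for Exchange Online.'
        if ($Enable) {
            Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
            $cfg = Get-OrganizationConfig   # re-read so the return value reflects the change
        }
    }
    return [bool]$cfg.OAuth2ClientProfileEnabled
}

# Client side. Run in the user's own session, because the values live under HKCU.
# EnableADAL=1 and Version=1 under the Office 15.0 Identity key are the values Microsoft
# documents for Office 2013 Modern Authentication; the post itself does not list them.
function Test-Office2013ModernAuth {
    param([switch]$Fix)   # -Fix creates the missing values (re-run without it to confirm)
    $minBuild = [version]'15.0.4701.1002'   # minimum Office 2013 build quoted in the post
    $idKey    = 'HKCU:\SOFTWARE\Microsoft\Office\15.0\Common\Identity'
    # Installed build, read from OUTLOOK.EXE. Locating it via the Outlook InstallRoot key,
    # with the default 32-bit path as fallback, is an assumption of this example.
    $root = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Office\15.0\Outlook\InstallRoot' -ErrorAction SilentlyContinue).Path
    if (-not $root) { $root = "$env:ProgramFiles\Microsoft Office\Office15" }
    $exe = Join-Path $root 'OUTLOOK.EXE'
    $buildOk = $false
    if (Test-Path $exe) {
        $build   = [version](Get-Item $exe).VersionInfo.FileVersion
        $buildOk = $build -ge $minBuild
        if (-not $buildOk) { Write-Warning "Office 2013 build $build is below $minBuild; update Office first." }
    } else { Write-Warning "OUTLOOK.EXE not found at $exe; cannot verify the build." }
    # The two DWORD values that make Office 2013 attempt Modern Authentication first.
    $regOk = $true
    foreach ($name in 'EnableADAL', 'Version') {
        $val = (Get-ItemProperty -Path $idKey -Name $name -ErrorAction SilentlyContinue).$name
        if ($val -ne 1) {
            $regOk = $false
            Write-Warning "$idKey\$name is '$val', expected DWORD 1."
            if ($Fix) {
                New-Item -Path $idKey -Force | Out-Null
                New-ItemProperty -Path $idKey -Name $name -Value 1 -PropertyType DWord -Force | Out-Null
            }
        }
    }
    return ($buildOk -and $regOk)
}
```

Run Test-TenantModernAuth from the Exchange Online session and Test-Office2013ModernAuth on the affected workstation; both return $true only when nothing needs changing.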
In fact, I would argue that setting this on all Office 365 tenants would be good practice unless you can think of a good reason why you do not want to enable it.