Problem with outlook after mailbox move in hybrid setup

Anonymous
2022-09-14T07:22:04.707+00:00

We have an Exchange 2013 server setup in hybrid with Exchange online. We are about to move all mailboxes over but we have a problem with outlook clients after a mailbox has been moved.

Outlook keeps prompting for credentials after the mailbox move. In the Sign-in logs we see the following error:

Access has been blocked by Conditional Access policies. The access policy does not allow token issuance.

We don't have conditional access policies active, but we do have the security defaults enabled, so I guess that is causing this. However, we would like to keep the security defaults in place for obvious reasons.

Would there be any workaround to force Outlook clients to properly authenticate using modern auth without making a new Outlook profile for every user? It does work if we recreate the Outlook profile, by the way.


6 answers

  1. JimmySalian-2011 42,171 Reputation points
    2022-09-14T07:39:56.967+00:00

    Hi,

    Do you have an old version of Outlook? Can you check the sign-in logs? There will be an indicator of the failures in AAD.

    Check this article - block-legacy-authentication

    ==
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


  2. Anonymous
    2022-09-14T07:45:28.2+00:00

    Hi Jimmy, I have the newest Office 365 clients installed. If I create a new Outlook profile, it connects without any problems. The issue only appears when a user mailbox is moved and the user tries to open Outlook with the existing Outlook profile. It is configured to connect to the on-prem Exchange server, but it gets redirected to Exchange Online because the mailbox is moved. When that happens we do not get the modern authentication pop-up but the 'old' credential prompt. Then the sign-in logs in Azure show: [image attachment]


  3. JimmySalian-2011 42,171 Reputation points
    2022-09-14T08:02:49.837+00:00

    Hi anonymous user,

    Do you see error code AADSTS50000 in the AAD console? If yes, then you will have to raise a support ticket with Microsoft for this token issuance error - create-ticket



  4. Anonymous
    2022-09-14T10:48:12.5+00:00

    Hi Jimmy,

    I did not see that error; however, I did contact Microsoft support. There is a registry key that forces Outlook to use modern auth:

    1. Exit Outlook.
    2. Start Registry Editor, as appropriate for your version of Windows:
       - Windows 10, Windows 8.1, and Windows 8: Press Windows Key + R to open a Run dialog box. Type regedit.exe, and then press Enter.
       - Windows 7: Click Start, type regedit.exe in the search box, and then press Enter.
    3. In Registry Editor, locate and click the following registry subkey: HKEY_CURRENT_USER\Software\Microsoft\Exchange
    4. On the Edit menu, point to New, and then click DWORD Value.
    5. Type AlwaysUseMSOAuthForAutoDiscover, and then press Enter.
    6. Right-click AlwaysUseMSOAuthForAutoDiscover, and then click Modify.
    7. In the Value data box, type 1, and then click OK.
    8. Exit Registry Editor.

    After adding that registry key I was able to perform a mailbox move and have Outlook reconfigure itself without the need for a new profile.
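
As an added example that is not part of this thread: the same registry change scripted in PowerShell, so it can be run in each user's session (for instance from a logon script) instead of being edited by hand per machine. The key path, value name and data are exactly those in the steps above; the function names, the running-Outlook check and the verification step are this example's own assumptions.

```powershell
# Added example (not from the thread). Sets AlwaysUseMSOAuthForAutoDiscover = 1 for the
# current user so Outlook uses OAuth (modern auth) for Autodiscover instead of falling
# back to the legacy credential prompt after the mailbox is redirected to Exchange Online.
# Path, value name and data are the documented ones from the manual steps above.

$KeyPath   = 'HKCU:\Software\Microsoft\Exchange'
$ValueName = 'AlwaysUseMSOAuthForAutoDiscover'

function Get-OutlookOAuthAutodiscoverSetting {
    # Returns the current DWORD data, or $null when the value (or the key) does not exist.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-OutlookOAuthAutodiscoverSetting {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # Outlook reads this value at startup; refuse to change it while Outlook is running
    # (this mirrors step 1 of the manual procedure).
    if (Get-Process -Name OUTLOOK -ErrorAction SilentlyContinue) {
        throw 'Outlook is running. Close it before changing the setting.'
    }

    if (-not (Test-Path -Path $KeyPath)) {
        # The Exchange subkey may be absent on a machine where Outlook was never configured.
        New-Item -Path $KeyPath -Force | Out-Null
    }

    if ((Get-OutlookOAuthAutodiscoverSetting) -eq 1) {
        Write-Verbose "$ValueName is already 1; nothing to do."
        return
    }

    if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", 'Set DWORD to 1')) {
        # -Force overwrites an existing value even if it has a different type or data.
        New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Test-OutlookOAuthAutodiscoverSetting {
    # Post-change verification: $true only when the value exists and is exactly 1.
    return (Get-OutlookOAuthAutodiscoverSetting) -eq 1
}

# Apply and verify for the user running the script (HKCU is per user).
Set-OutlookOAuthAutodiscoverSetting -Verbose
if (Test-OutlookOAuthAutodiscoverSetting) {
    Write-Output "$ValueName = 1 under $KeyPath. Start Outlook; it should now show the modern auth sign-in instead of the legacy credential prompt."
} else {
    Write-Warning "$ValueName was not set; make sure the script ran in the affected user's own session."
}
```

Because the value lives under HKEY_CURRENT_USER, it has to be written in each user's context (a logon script or a Group Policy Preferences registry item targeting the user hive), not once from an elevated admin session; running it as an administrator only changes that administrator's profile. The `-WhatIf` switch on `Set-OutlookOAuthAutodiscoverSetting` previews the change without touching the registry.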


  5. JimmySalian-2011 42,171 Reputation points
    2022-09-14T10:56:53.607+00:00

    Hi Eddy,

    Glad to know the issue is resolved, and yes, there is a detailed article on this that will resolve your issue - enable-modern-authentication

