How to enable MFA for Outlook client using outside corporate network

pavan kumar 371 Reputation points
2022-01-25T19:52:42.037+00:00

Hi,

I am looking to add MFA for the Outlook client (Outlook 2019) using Conditional Access when users connect from outside the corporate network. Is it possible via a Conditional Access policy or any other method?

Any ideas will be helpful.

Thanks
Pavan.


3 answers

  1. Vasil Michev 96,076 Reputation points MVP
    2022-01-25T20:08:05.503+00:00

    Yes, that's a scenario best addressed by Conditional Access policies, more specifically the "location" condition: https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition
    Outside of CA policies, you can also use the per-user MFA settings, where you can also define "trusted locations". However, this method has limited customizability compared to CA, and Microsoft will eventually deprecate the per-user MFA controls, so it is best to use CA.


  2. Joyce Shen - MSFT 16,646 Reputation points
    2022-01-26T05:25:31.413+00:00

    Hi @pavan kumar

    According to my search, I found this link, which discusses an issue similar to yours. Please check if this is your scenario: MFA not working in Outlook 2019 – Exchange Online
    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Users can access Outlook on the web without any problems and get notifications sent to the "Microsoft Authenticator" app to approve, or SMS if they choose one of the other authentication options.
    When it comes to Outlook 2019, they just repeatedly get asked for their email credentials in a standard-type popup box, as opposed to the newer MFA-style popup that you see when you log in to https://office.com, where it asks for email, then password, then MFA option.

    And the solution provided:
    1. Run PowerShell as admin.
    2. Connect to Exchange Online.
    3. Make sure -OAuth2ClientProfileEnabled is set to $true; if not, run the command below:

    Set-OrganizationConfig -OAuth2ClientProfileEnabled $true   
    

    This pretty much enables the use of MFA now for your Exchange Online tenant. It can take a few hours for things to propagate and for Outlook 2019 to make use of this. If you need to speed this process up, you can add the following registry key to the user's computer. Make sure to close Outlook first.

    HKEY_CURRENT_USER\Software\Microsoft\Exchange
    On the Edit menu, point to New, and then click DWORD Value.
    Type AlwaysUseMSOAuthForAutoDiscover, and then press Enter.
    Right-click AlwaysUseMSOAuthForAutoDiscover, and then click Modify.
    In the Value data box, type 1, and then click OK.
    Exit Registry Editor.

    Some related official document links:
    Connect to Exchange Online PowerShell
    Enable or disable modern authentication for Outlook in Exchange Online


    If an Answer is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

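The steps from the answer above, collected into one PowerShell script as an added example (it is not part of the original thread or of Microsoft's documentation). It assumes the ExchangeOnlineManagement module is installed; the function names `Enable-TenantModernAuth` and `Set-OutlookModernAuthKey` are hypothetical, chosen for this example.

```powershell
# Added example, not from the original thread.
# Assumption: the ExchangeOnlineManagement module is already installed.

# Tenant side: run as an Exchange Online administrator.
function Enable-TenantModernAuth {   # hypothetical name
    Import-Module ExchangeOnlineManagement
    Connect-ExchangeOnline            # interactive sign-in

    # Check the current value before changing anything.
    $org = Get-OrganizationConfig
    if ($org.OAuth2ClientProfileEnabled) {
        Write-Host "OAuth2ClientProfileEnabled is already True; no change made."
    } else {
        Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
        # Read the setting back to confirm the change was accepted.
        $enabled = (Get-OrganizationConfig).OAuth2ClientProfileEnabled
        Write-Host "OAuth2ClientProfileEnabled is now: $enabled"
    }

    Disconnect-ExchangeOnline -Confirm:$false
}

# Client side: run in the affected user's own session (the key is under HKCU).
function Set-OutlookModernAuthKey {  # hypothetical name
    # The answer says to close Outlook first, so refuse to continue if it is running.
    if (Get-Process -Name OUTLOOK -ErrorAction SilentlyContinue) {
        Write-Warning "Outlook is running. Close it and run this again."
        return
    }

    $key = 'HKCU:\Software\Microsoft\Exchange'
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }

    # DWORD AlwaysUseMSOAuthForAutoDiscover = 1, as described in the answer.
    New-ItemProperty -Path $key -Name 'AlwaysUseMSOAuthForAutoDiscover' `
        -PropertyType DWord -Value 1 -Force | Out-Null

    # Show the stored value so the result can be verified.
    Get-ItemProperty -Path $key -Name 'AlwaysUseMSOAuthForAutoDiscover'
}
```

Run `Enable-TenantModernAuth` once from an admin workstation, and `Set-OutlookModernAuthKey` on each client where Outlook 2019 should pick up the change sooner.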

  3. pavan kumar 371 Reputation points
    2022-01-26T13:03:53.427+00:00

    Thank you for the info.

    We are in hybrid and all mailboxes are in O365. Are there any additional steps that I need to take care of for enabling modern authentication?