This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
hi,
i am looking for adding the MFA for Outlook Client (outlook 2019) using a conditional access when user access outside corporate network. is it possible via a conditional access policy or any other.
any ideas will be helpful.
Thanks
Pavan.
Just to clarify, are your mailboxes in the cloud (Exchange Online) or on-premises? You have tagged both Exchange on-prem and Online, so it's hard to tell. My answer below assumes you're using Exchange Online.
Yes, that's a scenarios best addressed by Conditional Access policies, more specifically the "location" condition: https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition
Outside of CA policies, you can also use the per-user MFA settings, where you can too define "trusted locations". However, this method has limited customizability compared to CA, and Microsoft will eventually deprecate the per-user MFA controls, so best use CA.
i have already configured the trusted location and using it in CA policy for MFA. but the desktop clients is not prompting for MFA when i sign in outside the corporate network.
Browser is good.
One other thing to check/enable is Continuous Access Evaluation - it will ensure that any changes in location are processed in a timely manner: https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-continuous-access-evaluation
Hi @pavan kumar
According to my search, I found this link discusses the similar issue like yours, please check if this is your scenario: MFA not working in Outlook 2019 – Exchange Online
Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
Users can access Outlook on the web without any problems and get notifications sent to the “Microsoft Authenticator” app to approve or SMS if they choose one of the other authentication options.
When it comes to Outlook 2019 they just repeatedly get asked for their email credentials in a standard type popup box as opposed to the newer MFA style popup that you see like when you login to https://office.com where it asks for email, then password, then MFA option.
And the solution provided:
1.Run PowerShell as admin
2.Connect to Exchange Online
3.make sure -OAuth2ClientProfileEnabled is set to $true, if not, running the command below
Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
This pretty much enables the use of MFA now for your Exchange Online tenant. It can take a few hours for things to propagate and for Outlook 2019 to make use of this. If you need to speed this process up you can add the following registry key to the users computer. Make sure to close Outlook first.
HKEY_CURRENT_USER\Software\Microsoft\Exchange
On the Edit menu, point to New, and then click DWORD Value.
Type AlwaysUseMSOAuthForAutoDiscover, and then press Enter.
Right-click AlwaysUseMSOAuthForAutoDiscover, and then click Modify.
In the Value data box, type 1, and then click OK.
Exit Registry Editor.
Some related official document links:
Connect to Exchange Online PowerShell
Enable or disable modern authentication for Outlook in Exchange Online
If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Thank you for the info
We are in hybrid and all mailboxes in o365. Is there any additional steps that I need to take care for enabling a modern authentication.
Hi,
Take a reference at: Enabling modern authentication and MFA
Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
Hi,
Is there any progress about your issue so far?
we are exchange online all mailboxes.