For an email account that is in Exchange Online, if a user connects to our VPN, and then tries to open Outlook (the Windows app), they get prompted to authenticate with Exchange Online. But it fails, I believe due to the fact that it requires MFA, but Outlook cannot seem to provide an MFA response, but AAD requires one. So it just continuously pops up a password prompt, but it's not enough to authenticate.

It is asking for the MFA because the IP of the laptop that's connecting is not in a whitelisted/conditional access granted safe location, and so it requires MFA. Hard to add, since these external laptop IPs often change.

I should note that if I turn off split tunnel in the VPN, and all packets are sent through our corporate network, then Outlook will authenticate properly, because the request is coming from our business IP, which has been whitelisted so no MFA is required.

Anyone know how to make Outlook act smarter, and do a Modern Authentication connection? We had already added the registry key "AlwaysUseMSOAuthForAutoDiscover" to allow Modern Authentication methods for Outlook.

Thanks,

Kshaeta
  • It seems a similar question was discussed here: https://www.reddit.com/r/Office365/comments/doalxh/o365_modern_auth_2fa_and_vpns/ And have you checked the official document here, which introduces the advanced scenarios with Azure MFA Server and third-party VPN solutions: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfaserver-nps-vpn – joyceshen Jul 22 '22 at 03:57
  • It does seem to be very similar. It led me to what I think is the issue, which was that Exchange Online doesn't have Modern Authentication enabled. https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/enable-or-disable-modern-authentication-in-exchange-online – Kshaeta Jul 22 '22 at 16:25
