Office 2016 defaults to Modern Authentication but falls back to Basic Authentication if Modern Authentication fails (i.e. it has not been enabled on the tenant). If 2-factor authentication (2FA) is enabled on the tenant, clients will not be able to log in with their regular passwords. The workaround is that users have to create an App Password to log in.
We do not recommend App Passwords, because they are fixed length and contain no special characters (so they are easier to brute force), and they tend to be written down and not removed when no longer in use. They are therefore generally less secure than single-factor authentication with a good password policy. But we do recommend 2FA. The solution is therefore to enable Modern Authentication where possible, such as for Exchange Online (where it is disabled by default).
To turn on Modern Authentication, we need to be able to connect to Exchange administration with 2-factor authentication (2FA), which should already be enabled (ref: https://docs.microsoft.com/en-us/powershell/exchange/exchange-online/connect-to-exchange-online-powershell/mfa-connect-to-exchange-online-powershell?view=exchange-ps).
Using Internet Explorer or Edge (Chrome will not work), as an Exchange Administrator, go to https://admin.microsoft.com. In the left-hand navigation, choose Admin centers > Exchange. A new tab should open, and at the bottom of the left-hand navigation you should see Hybrid. On opening this page, you will see:
"The Exchange Online PowerShell Module supports multi-factor authentication. Download the module to manage Exchange Online more securely."
Click on Configure to download and install this module. PowerShell will now open. In the future, you will be able to open this by running Microsoft Exchange Online PowerShell Module.
You can now connect to Exchange Online administration by running:
Enter your credentials to log in using 2FA. Once we are connected, we can confirm that 2FA is currently disabled for Exchange by running:
If we look through the long list, we should see:
OAuth2ClientProfileEnabled : False
To enable Modern Authentication, we therefore need to run the following command:
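The commands this procedure refers to are not reproduced on the page. The following is an added example, not the original author's code, showing the connect, check and enable sequence with the module's `Connect-EXOPSSession` cmdlet and the `Get-OrganizationConfig` / `Set-OrganizationConfig` cmdlets. The administrator UPN is a constructed placeholder.

```powershell
# Added example: run inside the Microsoft Exchange Online PowerShell Module window.
# The UPN is a constructed placeholder; use your own Exchange administrator account.
$AdminUpn = 'admin@example.onmicrosoft.com'

# Opens the interactive sign-in prompt, which handles the 2FA challenge.
Connect-EXOPSSession -UserPrincipalName $AdminUpn

# Read the tenant-wide setting before changing anything.
$before = Get-OrganizationConfig
Write-Host "OAuth2ClientProfileEnabled before: $($before.OAuth2ClientProfileEnabled)"

if (-not $before.OAuth2ClientProfileEnabled) {
    # Turn on Modern Authentication for Exchange Online.
    Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
}

# Re-read the setting and fail loudly if the change did not take effect.
$after = Get-OrganizationConfig
if ($after.OAuth2ClientProfileEnabled) {
    Write-Host 'Modern Authentication is enabled for Exchange Online.'
} else {
    Write-Error 'OAuth2ClientProfileEnabled is still False; check your admin role and retry.'
}

# Show the OAuth-related fields instead of scanning the full property list.
$after | Format-List Name, OAuth*

# Close the remote session when finished.
Get-PSSession | Remove-PSSession
```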
This should mean that clients, such as Outlook desktop clients and the mail client on iOS 11.01 and above (ref: https://blogs.technet.microsoft.com/intunesupport/2017/09/12/support-tip-intune-support-for-ios-11/), should be able to connect using 2FA.
- Legacy applications such as Outlook 2013 may need additional registry key changes on the client to work with 2FA.
- Users should be up to date with Windows Updates (otherwise there may be issues when trying to connect with 2FA).