A colleague of mine recently solved one of the biggest pain points I have dealt with regarding Office365 – that is, Microsoft’s seemingly hit-or-miss modern authentication.

Symptoms look like this:
1. Outlook client can’t connect and/or authenticate for end-users
2. Turning on Azure MFA for an end-user ruins their life (and yours) because all Office applications, Teams, etc. break.
3. Admins have an impending sense of “dread” when setting up systems for new users because 80% of the time they are going to spend hours sorting out the above issues.
4. You call Microsoft Support complaining of these issues and they are eventually stumped and tell you to rebuild the desktop/laptop from scratch… great for end-users that deal with this issue 1 year into the job and rather like their systems as-is… -or- MS Support tells you to pop a registry key into the end-user’s system which just disables Modern Authentication altogether – which may fix Outlook but leaves many, many other things broken…

If any of that sounds familiar, I highly recommend you read the article he published on LinkedIn… this is THE SILVER BULLET to end your Microsoft Authentication woes: Solving Modern Authentication Issues with Office 365

I also document fixes like this here, so this is the PowerShell that he wrote up to run on end-user systems experiencing these issues (stolen from article, all credit goes there)…

Get-AppxPackage Microsoft.AAD.BrokerPlugin

If that returns NOTHING then there is your issue… So proceed to run this:

if (-not (Get-AppxPackage Microsoft.AAD.BrokerPlugin)) {
    Add-AppxPackage -Register "$env:windir\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Appxmanifest.xml" -DisableDevelopmentMode -ForceApplicationShutdown
}
Get-AppxPackage Microsoft.AAD.BrokerPlugin

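Then – if you did the thing (per MS support) where you added that registry key to disable Modern Auth… undo that and then clear cached credentials. Note that the cmdkey line below deletes every stored credential that cmdkey /list reports, not just the Office ones…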

Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Common\Identity" -Name "EnableADAL"
cmdkey /list | ForEach-Object{if($_ -like "*Target:*"){cmdkey /del:($_ -replace " ","" -replace "Target:","")}}

Once the above has all been run… Office365 authentication woes magically disappear and Azure MFA starts working… for everything.

My friend also provided this solution to Microsoft Support (in full) and they thanked him so hopefully other people won’t continue wrestling with this issue because support can NOW provide the right answer. (there are LOTS of people dealing with this right now…)
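
A read-only check that gathers the conditions this post and its comments point to (broker plugin registration, the EnableADAL value, the App Readiness service) before anything is changed. This is an added example, not code from the original post or the linked article; the function name Test-ModernAuthPrereq and its output property names are hypothetical.

```powershell
# Added example: reports state only, changes nothing. Run as the affected user,
# because both the Appx registration and the HKCU key are per-user.
function Test-ModernAuthPrereq {
    [CmdletBinding()]
    param()

    $manifest    = Join-Path $env:windir 'SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Appxmanifest.xml'
    $identityKey = 'HKCU:\Software\Microsoft\Office\16.0\Common\Identity'

    # Empty result here is the failure condition described in the post.
    $pkg = Get-AppxPackage -Name Microsoft.AAD.BrokerPlugin

    # EnableADAL = 0 is the "disable Modern Auth" workaround; $null means the value is absent.
    $adal = (Get-ItemProperty -Path $identityKey -Name EnableADAL -ErrorAction SilentlyContinue).EnableADAL

    # A commenter reports the registration did not survive sign-in while this service was disabled.
    $svc = Get-Service -Name AppReadiness -ErrorAction SilentlyContinue

    $findings = @()
    if (-not $pkg)                  { $findings += 'Microsoft.AAD.BrokerPlugin is not registered for this user' }
    if (-not (Test-Path $manifest)) { $findings += "Manifest not found: $manifest" }
    if ($adal -eq 0)                { $findings += 'EnableADAL=0 is set (Modern Authentication disabled for Office)' }
    if ($svc -and $svc.StartType -eq 'Disabled') { $findings += 'App Readiness service is disabled' }

    [pscustomobject]@{
        User             = "$env:USERDOMAIN\$env:USERNAME"
        BrokerRegistered = [bool]$pkg
        BrokerVersion    = if ($pkg) { $pkg.Version } else { $null }
        ManifestPresent  = Test-Path $manifest
        EnableADAL       = if ($null -eq $adal) { 'not set' } else { $adal }
        AppReadiness     = if ($svc) { "$($svc.Status) / $($svc.StartType)" } else { 'not found' }
        Findings         = $findings
        Healthy          = ($findings.Count -eq 0)
    }
}

Test-ModernAuthPrereq | Format-List
```

Running it again after the fix and a fresh sign-in shows whether the registration persisted.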



14 comments on: Modern Authentication Issues with Office 365 – FIXED – Don’t Just Disable Azure Active Directory Authentication Library (ADAL) – Instead… Fix It With This!

  1. Rustom

    Awesome work dude. This helps a lot.

    • nbeam

      Thanks, my colleague was the one that discovered it! It’s amazing because modern auth finally just WORKS and Azure MFA roll-out is no longer anger inducing for everyone involved.

  2. Trevor

    Truly, you and your colleague deserve a medal. Excellent work.

    I’d been using the EnableADAL = 0 registry hack to fix 365 login prompts not appearing for several months now, and only recently realised it was breaking MFA in the process.

    • nbeam

      Thanks! – Microsoft has made it official guidance apparently so I am glad it finally made it up. This frustrated us, literally, for years :/

  3. Chris Gibbs

    Microsoft has officially acknowledged the issue and provided guidance on this https://docs.microsoft.com/en-us/office365/troubleshoot/authentication/automatic-authentication-fails

    • nbeam

      Hooray! – thanks for this 🙂

  4. Krishna

    thanks brother it really worked, much appreciated.

  5. John Beranek

    I was really hopeful when I found this, but unfortunately it doesn’t work on my troublesome laptop.

    With EnableADAL=0 set, Outlook and other Office apps mostly work (though I did end up with Outlook continuously prompting me to login just recently…).

    Attempted your fix, threw in a few reboots for good measure but with EnableADAL reg key removed I’m just back to Office being unable to sign me in, and Outlook not working.

  6. Mitch

    Thank you so much for this! It helped me narrow down the issue on our 2019 RDS Farm. The Get-AppxPackage Microsoft.AAD.BrokerPlugin wouldn’t return anything so I ran the command to fix and that worked until signing back in. Then Get-AppxPackage Microsoft.AAD.BrokerPlugin again would return nothing. Come to find out when we were having some issues with black screens on login (that ended up being related to RDP using UDP instead of strictly TCP), we had disabled the App Readiness service. Set that service back to manual and now every time the Get-AppxPackage Microsoft.AAD.BrokerPlugin is run it returns the expected results as well as everything works now. Freaking awesome, thank you!!!!

  7. Glenn Payne


  8. Robert Eagar

    This finally ended a whole day of painful troubleshooting. Thank you!!!

  9. Christopher Holleman

    We are migrating to a new domain and are having all sorts of problems. We have found a solution where we sign out of all MS Office apps, move the accounts, then re-sign in, but this is a very manual process and not ideal for over 1000 users. Initially, the issue was only resolved by creating a new user profile, until we found the sign out solution. I have read suggestions that mention deleting the AAD.Broker folder. If that folder is present, does that mean the package is installed?

  10. Kathy

    Thank you for sharing this. This worked!
