A colleague of mine recently solved one of the biggest pain points I have dealt with regarding Office365 – that is, Microsoft’s seemingly hit-or-miss modern authentication.
Symptoms look like this:
1. Outlook client can’t connect and/or authenticate for end-users
2. Turning on Azure MFA for an end-user ruins their life (and yours) because all Office applications, Teams, etc. break.
3. Admins have an impending sense of “dread” when setting up systems for new users because 80% of the time they are going to spend hours sorting out the above issues.
4. You call Microsoft Support complaining of these issues and they are eventually stumped and tell you to rebuild the desktop/laptop from scratch… great for end-users that deal with this issue 1 year into the job and rather like their systems as-is… -or- MS Support tells you to pop a registry key into the end-user’s system which just disables Modern Authentication altogether – which may fix Outlook but leaves many, many other things broken…
If any of that sounds familiar, I highly recommend you read the article he published on LinkedIn… this is THE SILVER BULLET to end your Microsoft Authentication woes: Solving Modern Authentication Issues with Office 365
I also document fixes like this here, so this is the PowerShell that he wrote up to run on end-user systems experiencing these issues (stolen from article, all credit goes there)…
If that returns NOTHING then there is your issue… So proceed to run this:
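Then – if you did the thing (per MS support) where you added that registry key to disable Modern Auth… undo that and then clear cached credentials. Note that the one-liner below deletes every stored credential that cmdkey /list reports, not only the Office ones…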
cmdkey /list | ForEach-Object{if($_ -like "*Target:*"){cmdkey /del:($_ -replace " ","" -replace "Target:","")}}
Once the above has all been run… Office365 authentication woes magically disappear and Azure MFA starts working… for everything.
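A read-only triage of the conditions this page discusses, as an added example that is not part of the original post or the linked article: it reports whether Microsoft.AAD.BrokerPlugin is registered, whether EnableADAL = 0 is still set, whether the App Readiness service is disabled (the cause one commenter below found), and how many stored credentials the cmdkey one-liner would delete. The function name, the Office 16.0 registry path and Windows PowerShell 5.1 are assumptions.

```powershell
# Added example (not from the original post): read-only triage, changes nothing.
# Assumptions: Windows PowerShell 5.1, run as the affected user, Office hive "16.0".
function Get-ModernAuthTriage {
    [CmdletBinding()]
    param(
        # Assumption: per-user Office 16.0 identity key; adjust for other versions.
        [string]$IdentityKey = 'HKCU:\Software\Microsoft\Office\16.0\Common\Identity'
    )

    # 1. Is the AAD broker plugin registered for this user?
    $broker = Get-AppxPackage -Name 'Microsoft.AAD.BrokerPlugin' -ErrorAction SilentlyContinue

    # 2. Is the EnableADAL = 0 workaround still set?
    $enableAdal = $null
    if (Test-Path -Path $IdentityKey) {
        $prop = Get-ItemProperty -Path $IdentityKey -Name 'EnableADAL' -ErrorAction SilentlyContinue
        if ($prop) { $enableAdal = $prop.EnableADAL }
    }

    # 3. Is the App Readiness service disabled?
    $svc = Get-Service -Name 'AppReadiness' -ErrorAction SilentlyContinue

    # 4. How many stored credentials would the cmdkey one-liner delete?
    $targets = @(cmdkey /list | Where-Object { $_ -like '*Target:*' })

    $findings = @()
    if (-not $broker) { $findings += 'Microsoft.AAD.BrokerPlugin is not registered for this user.' }
    if ($null -ne $enableAdal -and $enableAdal -eq 0) {
        $findings += 'EnableADAL = 0 is set: modern authentication is disabled for Office.'
    }
    if ($svc -and $svc.StartType -eq 'Disabled') {
        $findings += 'App Readiness service is disabled.'
    }

    [pscustomobject]@{
        BrokerPluginRegistered = [bool]$broker
        EnableADAL             = $enableAdal
        AppReadinessStartType  = if ($svc) { [string]$svc.StartType } else { 'NotFound' }
        StoredCredentialCount  = $targets.Count
        Findings               = $findings
    }
}

Get-ModernAuthTriage | Format-List
```

An empty Findings list means none of the three conditions named on this page is present on that profile.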
My friend also provided this solution to Microsoft Support (in full) and they thanked him so hopefully other people won’t continue wrestling with this issue because support can NOW provide the right answer. (there are LOTS of people dealing with this right now…)
Cheers!
REFERENCE:
https://www.linkedin.com/pulse/solving-modern-authentication-issues-office-365-chris-leet/
Awesome work dude. This helps a lot.
Thanks, my colleague was the one that discovered it! It’s amazing because modern auth finally just WORKS and Azure MFA roll-out is no longer anger inducing for everyone involved.
Truly, you and your colleague deserve a medal. Excellent work.
I’d been using the EnableADAL = 0 registry hack to fix 365 login prompts not appearing for several months now, and only recently realised it was breaking MFA in the process.
Thanks! – Microsoft has made it official guidance apparently so I am glad it finally made it up. This frustrated us, literally, for years :/
Microsoft has officially acknowledged the issue and provided guidance on this https://docs.microsoft.com/en-us/office365/troubleshoot/authentication/automatic-authentication-fails
Hooray! – thanks for this 🙂
thanks brother it really worked, much appreciated.
I was really hopeful when I found this, but unfortunately it doesn’t work on my troublesome laptop.
With EnableADAL=0 set, Outlook and other Office apps mostly work (though I did end up with Outlook continuously prompting me to login just recently…).
Attempted your fix, threw in a few reboots for good measure but with EnableADAL reg key removed I’m just back to Office being unable to sign me in, and Outlook not working.
Sorry to hear that John. I know there are about 10 other things we used to attempt to do to fix this problem but for us this was the main problem. That said, one of the things we used a lot before was the Microsoft Support and Recovery Assistant. https://support.microsoft.com/en-us/office/resolve-outlook-for-windows-issues-with-automated-troubleshooting-tools-38e2342d-3527-4190-8754-a82d8b970fe2
I am not a fan of most automated tools but that one does actually do things to attempt to fix issues with Outlook and authentication (If I remember correctly). It may be worth a try + the above – or – there may be an issue with the backend office365 configuration or something else such that modern auth just will not work. 🙁
Thank you so much for this! It helped me narrow down the issue on our 2019 RDS Farm. The Get-AppxPackage Microsoft.AAD.BrokerPlugin wouldn’t return anything so I ran the command to fix and that worked until signing back in. Then Get-AppxPackage Microsoft.AAD.BrokerPlugin again would return nothing. Come to find out when we were having some issues with black screens on login (that ended up being related to RDP using UDP instead of strictly TCP), we had disabled the App Readiness service. Set that service back to manual and now every time the Get-AppxPackage Microsoft.AAD.BrokerPlugin is run it returns the expected results as well as everything works now. Freaking awesome, thank you!!!!
legend