A colleague of mine recently solved one of the biggest pain points I have dealt with regarding Office365 – that is, Microsoft’s seemingly hit-or-miss modern authentication.

Symptoms look like this:
1. Outlook client can’t connect and/or authenticate for end-users
2. Turning on Azure MFA for an end-user ruins their life (and yours) because all Office applications, Teams, etc. break.
3. Admins have an impending sense of “dread” when setting up systems for new users because 80% of the time they are going to spend hours sorting out the above issues.
4. You call Microsoft Support complaining of these issues and they are eventually stumped and tell you to rebuild the desktop/laptop from scratch… great for end-users that deal with this issue 1 year into the job and rather like their systems as-is… -or- MS Support tells you to pop a registry key into the end-user’s system which just disables Modern Authentication altogether – which may fix Outlook but leaves many, many other things broken…

If any of that sounds familiar, I highly recommend you read the article he published on LinkedIn. This is THE SILVER BULLET to end your Microsoft Authentication woes: Solving Modern Authentication Issues with Office 365

I also document fixes like this here, so this is the PowerShell that he wrote up to run on end-user systems experiencing these issues (stolen from the article, all credit goes there)…

Get-AppxPackage Microsoft.AAD.BrokerPlugin

If that returns NOTHING then there is your issue… So proceed to run this:

if (-not (Get-AppxPackage Microsoft.AAD.BrokerPlugin)) {
    Add-AppxPackage -Register "$env:windir\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Appxmanifest.xml" -DisableDevelopmentMode -ForceApplicationShutdown
}
Get-AppxPackage Microsoft.AAD.BrokerPlugin

Then – if you did the thing (per MS support) where you added that registry key to disable Modern Auth… undo that and then clear cached credentials…

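# Remove the override that disabled Modern Auth (reports an error if the value was never set)
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Common\Identity" -Name "EnableADAL"
# Deletes every stored entry in the current user's Credential Manager, not only the Office ones
cmdkey /list | ForEach-Object{if($_ -like "*Target:*"){cmdkey /del:($_ -replace " ","" -replace "Target:","")}}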

Once the above has all been run… Office365 authentication woes magically disappear and Azure MFA starts working… for everything.
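
A read-only pre-check for the conditions described in this post, as an added example that is not from the original article or from Microsoft. The function name `Get-ModernAuthHealth` is hypothetical; `AppReadiness` is the service name of the App Readiness service that a commenter below found had to be re-enabled. It changes nothing and only lists stored credential targets, so you can see what the cleanup loop above would delete.

```powershell
# Added example: read-only diagnostic, makes no changes to the system.
function Get-ModernAuthHealth {
    $manifest = "$env:windir\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Appxmanifest.xml"
    $idKey    = 'HKCU:\Software\Microsoft\Office\16.0\Common\Identity'

    # 1. Is the AAD broker plugin registered for the current user?
    $pkg = Get-AppxPackage Microsoft.AAD.BrokerPlugin

    # 2. Is the EnableADAL override present? A value of 0 turns Modern Auth off.
    $adal = (Get-ItemProperty -Path $idKey -Name EnableADAL -ErrorAction SilentlyContinue).EnableADAL

    # 3. App Readiness start mode (re-registration did not persist for one
    #    commenter while this service was disabled).
    $svc = Get-Service -Name AppReadiness -ErrorAction SilentlyContinue

    # 4. Stored credential targets: listed only, never deleted here.
    $targets = @(cmdkey /list |
        Where-Object   { $_ -like '*Target:*' } |
        ForEach-Object { ($_ -replace '^\s*Target:\s*', '').Trim() })

    [pscustomobject]@{
        BrokerRegistered   = [bool]$pkg
        ManifestPresent    = Test-Path $manifest
        EnableADAL         = if ($null -eq $adal) { 'not set' } else { $adal }
        ModernAuthDisabled = ($adal -eq 0)
        AppReadinessStart  = if ($svc) { "$($svc.StartType)" } else { 'service not found' }
        StoredCredentials  = $targets
    }
}

$h = Get-ModernAuthHealth
$h | Format-List

# Turn the findings into the next step from the post.
if (-not $h.BrokerRegistered -and $h.ManifestPresent) {
    'Broker plugin is not registered: run the Add-AppxPackage -Register step.'
}
if (-not $h.ManifestPresent) {
    'Broker plugin manifest is missing: re-registering from SystemApps will not work.'
}
if ($h.ModernAuthDisabled) {
    'EnableADAL is 0: Modern Auth is disabled for this user, remove the value once the plugin is registered.'
}
if ($h.AppReadinessStart -eq 'Disabled') {
    'App Readiness is disabled: set it back to Manual or the registration may not survive sign-in.'
}
```

Run it in the affected user's own session, since both the package registration and the `HKCU` value are per-user.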

My friend also provided this solution to Microsoft Support (in full) and they thanked him so hopefully other people won’t continue wrestling with this issue because support can NOW provide the right answer. (there are LOTS of people dealing with this right now…)

Cheers!

REFERENCE:
https://www.linkedin.com/pulse/solving-modern-authentication-issues-office-365-chris-leet/

10 comments on: Modern Authentication Issues with Office 365 – FIXED – Don’t Just Disable Azure Active Directory Authentication Library (ADAL) – Instead… Fix It With This!

  1. Rustom

    Awesome work dude. This helps a lot.

    • nbeam

      Thanks, my colleague was the one that discovered it! It’s amazing because modern auth finally just WORKS and Azure MFA roll-out is no longer anger inducing for everyone involved.

  2. Trevor

    Truly, you and your colleague deserve a medal. Excellent work.

    I’d been using the EnableADAL = 0 registry hack to fix 365 login prompts not appearing for several months now, and only recently realised it was breaking MFA in the process.

    • nbeam

      Thanks! – Microsoft has made it official guidance apparently so I am glad it finally made it up. This frustrated us, literally, for years :/

  3. Chris Gibbs

    Microsoft has officially acknowledged the issue and provided guidance on this https://docs.microsoft.com/en-us/office365/troubleshoot/authentication/automatic-authentication-fails

    • nbeam

      Hooray! – thanks for this 🙂

  4. Krishna

    thanks brother it really worked, much appreciated.

  5. John Beranek

    I was really hopeful when I found this, but unfortunately it doesn’t work on my troublesome laptop.

    With EnableADAL=0 set, Outlook and other Office apps mostly work (though I did end up with Outlook continuously prompting me to login just recently…).

    Attempted your fix, threw in a few reboots for good measure but with EnableADAL reg key removed I’m just back to Office being unable to sign me in, and Outlook not working.

  6. Mitch

    Thank you so much for this! It helped me narrow down the issue on our 2019 RDS Farm. The Get-AppxPackage Microsoft.AAD.BrokerPlugin wouldn’t return anything so I ran the command to fix and that worked until signing back in. Then Get-AppxPackage Microsoft.AAD.BrokerPlugin again would return nothing. Come to find out when we were having some issues with black screens on login (that ended up being related to RDP using UDP instead of strictly TCP), we had disabled the App Readiness service. Set that service back to manual and now every time the Get-AppxPackage Microsoft.AAD.BrokerPlugin is run it returns the expected results as well as everything works now. Freaking awesome, thank you!!!!
