A colleague of mine recently solved one of the biggest pain points I have dealt with regarding Office365 – that is, Microsoft’s seemingly hit-or-miss modern authentication.

Symptoms look like this:
1. Outlook client can’t connect and/or authenticate for end-users
2. Turning on Azure MFA for an end-user ruins their life (and yours) because all Office applications, Teams, etc. break.
3. Admins have an impending sense of “dread” when setting up systems for new users because 80% of the time they are going to spend hours sorting out the above issues.
4. You call Microsoft Support complaining of these issues and they are eventually stumped and tell you to rebuild the desktop/laptop from scratch… great for end-users that deal with this issue 1 year into the job and rather like their systems as-is… -or- MS Support tells you to pop a registry key into the end-user’s system which just disables Modern Authentication altogether – which may fix Outlook but leaves many, many other things broken…

If any of that sounds familiar, I highly recommend you read the article he published on LinkedIn… this is THE SILVER BULLET to end your Microsoft Authentication woes: Solving Modern Authentication Issues with Office 365

I also document fixes like this here, so this is the PowerShell that he wrote up to run on end-user systems experiencing these issues (stolen from article, all credit goes there)…

Get-AppxPackage Microsoft.AAD.BrokerPlugin

If that returns NOTHING then there is your issue… So proceed to run this:

# Re-register the AAD broker plugin for the current user if it is missing
if (-not (Get-AppxPackage Microsoft.AAD.BrokerPlugin)) {
    Add-AppxPackage -Register "$env:windir\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Appxmanifest.xml" -DisableDevelopmentMode -ForceApplicationShutdown
}
# Confirm the package is now listed
Get-AppxPackage Microsoft.AAD.BrokerPlugin

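Then – if you did the thing (per MS support) where you added that registry key to disable Modern Auth… undo that and then clear cached credentials. Be aware that the second line below deletes every stored credential that cmdkey lists for the user, not only the Office ones…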

Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Common\Identity" -Name "EnableADAL"
cmdkey /list | ForEach-Object{if($_ -like "*Target:*"){cmdkey /del:($_ -replace " ","" -replace "Target:","")}}

Once the above has all been run… Office365 authentication woes magically disappear and Azure MFA starts working… for everything.
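To see which of the three conditions above actually apply on a machine before changing anything, a read-only check like the following can be run first. This is an added example, not from the original article; the function name Get-ModernAuthState and the output property names are made up for illustration, and it assumes Office 16.0 and English cmdkey output, as the commands above do.

```powershell
# Added example: read-only check, nothing on the system is changed.
function Get-ModernAuthState {
    # Paths taken from the commands above.
    $identityKey = 'HKCU:\Software\Microsoft\Office\16.0\Common\Identity'
    $manifest    = Join-Path $env:windir 'SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Appxmanifest.xml'

    # 1. Is the broker plugin registered for the current user?
    $broker = Get-AppxPackage Microsoft.AAD.BrokerPlugin

    # 2. Is the EnableADAL value (the support workaround) still present?
    $enableAdal = $null
    if (Test-Path $identityKey) {
        $prop = Get-ItemProperty -Path $identityKey -Name 'EnableADAL' -ErrorAction SilentlyContinue
        if ($prop) { $enableAdal = $prop.EnableADAL }
    }

    # 3. Which stored credentials would the cmdkey loop delete?
    $targets = @(cmdkey /list |
        Where-Object { $_ -like '*Target:*' } |
        ForEach-Object { ($_ -replace '^\s*Target:\s*', '').Trim() })

    [pscustomobject]@{
        BrokerRegistered  = [bool]$broker
        ManifestPresent   = Test-Path $manifest
        EnableADALPresent = $null -ne $enableAdal
        EnableADALValue   = $enableAdal
        CachedTargets     = $targets
    }
}

$state = Get-ModernAuthState
$state | Format-List

if (-not $state.BrokerRegistered -and -not $state.ManifestPresent) {
    Write-Warning 'Broker plugin is not registered and its manifest is missing; Add-AppxPackage -Register would have nothing to register.'
}
if ($state.EnableADALPresent) {
    Write-Warning "EnableADAL is set to $($state.EnableADALValue); the Remove-ItemProperty step applies to this user."
}
```

Run it in the affected user's own session, since both Get-AppxPackage and the HKCU key are per-user. The CachedTargets list shows exactly what the cmdkey loop would remove, so anything the user still needs can be noted first.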

My friend also provided this solution to Microsoft Support (in full) and they thanked him so hopefully other people won’t continue wrestling with this issue because support can NOW provide the right answer. (there are LOTS of people dealing with this right now…)




2 comments on: Modern Authentication Issues with Office 365 – FIXED – Don’t Just Disable Azure Active Directory Authentication Library (ADAL) – Instead… Fix It With This!

  1. Rustom

    Awesome work dude. This helps a lot.

    • nbeam

      Thanks, my colleague was the one that discovered it! It’s amazing because modern auth finally just WORKS and Azure MFA roll-out is no longer anger inducing for everyone involved.
