Problem
It seems like a very common situation: a user has an account in Office 365, wants to use Outlook, and tries to add the Office 365 email account. The result is that they are faced with:
- A prompt for AzureAD credentials.
- A slow “Adding your account…” screen, which inevitably results in…
- A very unhelpful error message: “Something went wrong and Outlook couldn’t set up your account. Please try again. If the problem continues, contact your administrator”
After lots of searching the web, I didn't easily find the cause. This was a problem I wasn't sure whether to put down to a number of recent changes. It could have been due to:
- Turning on Multi-Factor Authentication (MFA) for the account in question
- Connecting to the account from a newly Azure AD (AAD) joined device
- Using Intune for the first time to deploy Office 365 to the machine in question
Analysis
Feel free to skip straight to the solution, but this section gives some more context in which the error occurred and may be useful to see whether it is the same as your situation.
In the end I realised that when it was prompting for the Azure AD credentials, it was wanting an App Password, which I had forgotten was a thing, and I had been supplying it with the user's credentials.
"But...", I said to myself, "surely in 2020 we are not expecting Outlook 2019/365 to be using an App Password, that is supposed to be for legacy apps...". Correct, but ignoring that Outlook is a piece of crap and should have had its day a decade ago... it does actually support "Modern Authentication", otherwise known to the rest of the non-Microsoft world as OAuth2 (Outlook obtains an OAuth 2.0 token from Azure AD instead of sending the password to Exchange), but it relies on a setting in Exchange Online being turned on to enable that functionality. While that setting is off, Outlook falls back to basic authentication, which sends a username and password straight to Exchange Online; with MFA enforced on the account, the only password that basic authentication will accept is an App Password, hence the prompt. According to Microsoft documentation, Modern Authentication was turned off by default for any tenant that was using Office 365 before 1st August 2017.
Solution
You need to enable OAuth2, aka Modern Authentication, in Exchange Online so that Outlook signs in with an Azure AD token (and completes MFA in the normal sign-in dialog) instead of falling back to a basic-authentication password prompt when connecting to Office 365 on an Azure AD joined device.
You might be hoping that you could just go in to the Exchange Admin Center and check a box to enable it... Wrong! No, you have to download a PowerShell module (the Exchange Online Remote PowerShell Module) to do it. Before you attempt to do this in your favourite browser, STOP! It has to be IE11 or the brand new (Jan 2020) Chromium-based version of Edge, because the module is delivered as a "ClickOnce" application, a Microsoft web-deployment mechanism that other browsers cannot launch. (If you would rather avoid ClickOnce, the same cmdlets are available from the ExchangeOnlineManagement module in the PowerShell Gallery, where the connection command is Connect-ExchangeOnline rather than Connect-EXOPSSession; the Get-/Set-OrganizationConfig steps below are the same.)
You will need to run the command to enable OAuth2 as an administrator in the tenant that you own. Depending on whether that account has MFA enabled, you need to follow different instructions. The Microsoft documentation explains the process, but I will summarise below.
Log in to the Exchange Admin Center
For non-MFA accounts, click the first configure button. For MFA-enabled accounts, use the other configure button that makes reference to this. The instructions below use an MFA-enabled account.
It should download and install the Exchange Online Remote PowerShell Module and open a PowerShell window.
Run the following command in a cmd prompt:
winrm get winrm/config/client/auth
If you get an error, open Windows Services on your PC and make sure that the "Windows Remote Management" service is running. It wasn't for me. After starting it and re-running that command, I received the necessary "Basic = true" confirmation (the remote session to Exchange Online needs the WinRM client to allow Basic authentication; the connection itself is still over HTTPS).
Go back to the PowerShell prompt and run the following to connect to your tenant, replacing the UPN with your admin account obviously. It should pop up a box asking for any MFA details needed:
Connect-EXOPSSession -UserPrincipalName username@example.onmicrosoft.com
Then run the following command to check whether OAuth2 is enabled or not. If you were getting the error at the top of this post, it should show as disabled:
Get-OrganizationConfig | Format-Table Name,OAuth* -Auto

Name                    OAuth2ClientProfileEnabled
----                    --------------------------
example.onmicrosoft.com False
Run this command to enable OAuth2 in Exchange Online:
Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
You should now be able to connect Outlook successfully. Note that this setting only makes Outlook prefer OAuth2; it does not switch basic authentication off, so App Passwords and other password-based clients will keep working until basic authentication is disabled separately. If for any reason you need to disable OAuth2 again, you can run this to disable it:
Set-OrganizationConfig -OAuth2ClientProfileEnabled $false