Hi guys and girls, hope you are doing well. As the pandemic is still ongoing, I hope you are keeping cleanliness and safety first.
Today's topic is the migration of Exchange mailboxes from on-premises to Office 365. The problem here is that legacy Windows clients, or legacy Office apps, keep prompting for credentials in Outlook and show disconnections. The issue also happens on Windows 10 machines, but not as aggressively as on Windows 7 machines.
This environment has the following items:
Exchange server: 1 unit, Exchange 2013 CU23 (latest)
Windows clients: a combination of Windows 7 and Windows 10
Office applications: a combination of Office 2013, 2016, 2019 and Microsoft 365 Apps for business, on both Windows 7 and Windows 10
Migration method: remote move migration
Hybrid established: yes
Microsoft 365 license: Business Standard/Basic
As we all know, the major prerequisites must be met before establishing the hybrid and performing the migration.
We noticed intermittent connections while running Wireshark on Windows 7 with Microsoft 365 Apps, when trying to log in with a migrated account's credentials in Outlook. We re-created the Outlook profile and the credential prompt stopped. This is definitely not the right solution; the solution depends on what caused the issue.
At first we suspected something to do with whitelisting at the network layer, but we confirmed that the whitelisting was correctly configured. Next, we suspected a compatibility problem between the Windows version and/or the Office version. This was not a very good lead. After some quick research I found that modern authentication could be the cause, and that is where I had the idea of turning off security defaults in the Azure portal and then turning off modern authentication in the Office 365 tenant. After 10 to 15 minutes, the intermittent connections no longer showed up in Wireshark.
Modern authentication is enabled by default for every new Office 365 tenant, so be aware: if your environment has legacy Windows clients or legacy Office applications, consider turning it off before deploying Microsoft 365 Apps.
Modern authentication was what interfered with these machines: it kept challenging the users for credentials because the clients did not meet its compatibility requirements. Once modern authentication is turned off, the environment runs on basic authentication. Be clear about the trade-off: with basic authentication every client sends the username and password on each request, multi-factor authentication cannot be enforced for those connections, and Microsoft has since retired basic authentication for Exchange Online. Treat the switch as a temporary workaround while the legacy clients are updated, not as the end state, and plan to turn modern authentication back on.
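The tenant-side switch described above, as an added PowerShell example that is not part of the original post. It uses the ExchangeOnlineManagement module and the real Get-/Set-OrganizationConfig cmdlets; the administrator UPN is a placeholder. It prints the current state before changing it so that the change can be reverted later.

```powershell
# Added example (not from the original post): inspect and change the tenant-wide
# modern authentication switch in Exchange Online. Requires the ExchangeOnlineManagement
# module and an Exchange administrator account; the UPN below is a placeholder.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example -ShowBanner:$false

# Current state: $true means modern authentication (OAuth 2.0) is on for the tenant
$org = Get-OrganizationConfig
"Modern authentication enabled before: $($org.OAuth2ClientProfileEnabled)"

# The workaround from the post: switch the tenant to basic authentication.
# Every Outlook client will then send username/password on each request and
# MFA cannot be enforced for those connections, so scope this as a temporary step
# and record who approved it.
Set-OrganizationConfig -OAuth2ClientProfileEnabled $false

"Modern authentication enabled after:  $((Get-OrganizationConfig).OAuth2ClientProfileEnabled)"

# Re-enable as soon as the legacy clients have been updated:
#   Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

Disconnect-ExchangeOnline -Confirm:$false
```

Clients may take 10 to 15 minutes to pick up the change, which matches what was observed in Wireshark above.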
Ever faced a greyed-out presence status in your Outlook? You start to wonder whether a setting in Office 365 is blocking it, whether your firewall is blocking it, or whether some registry value is configured.
If you have asked the questions above and checked that none of them apply, the next question to ask yourself is "What Office 365 license am I on?". If you are not using any Office 365 enterprise license, or your Office installer is "Home and Business", you will not have the online status feature. It is a limitation of the type of license you subscribed to.
Hence, get a consultation and understand the licenses you are going to purchase.
How to check?
Open your Outlook app > click on File at the top left
Click on Options in the left sidebar
Click on People > scroll down and you will see the greyed-out option
Microsoft shows a notice to end users who have Azure Information Protection enabled and a policy assigned to them. It does not matter whether you are on Azure Information Protection Classic or Unified labeling.
When you first launch your Office application, or relaunch it, you will get this notice.
I am on an Office ProPlus installation, on Windows 10 Pro. Azure Information Protection is abbreviated AIP, and I will use the term AIP throughout this post. Make sure AIP is enabled on the Global administrator side.
If you are wondering "Hey, I do not want my users to have the privilege of uninstalling the AIP application from their devices", I will explain more in the next post 🙂 !
First of all, understand that I also went through trouble with modern authentication being turned on and causing the "Always prompt for logon credentials" option to be greyed out in the Outlook application. You would like to use an app password for your Outlook application but cannot proceed because of modern authentication. It is also troublesome to keep keying in the code whenever you re-login to your Outlook application without an app password set up on your Outlook account.
*Modern authentication is supported by Office 2013 (where it needs registry keys) and is on by default in Office 2016 and later; Office 2010 and earlier do not support it. Please refer to the reference for further information.
Example for Outlook 2016:
Where to see the greyed-out "Always prompt for logon credentials"?
File > Info > Account Settings > Account Name and Sync Settings > More Settings > Security tab
To sign in with an app password, there are 2 options:
If you have an existing account in your Outlook application and "Always prompt for a password to log in" is enabled, you just key in the app password in the prompt panel.
If you are re-adding or adding a new account, you key in the app password during the account setup in your Outlook application.
*These options are not limited to the Outlook application only.
So to disable modern authentication on the client you may need to add a registry value:
Open the Registry Editor (regedit)
Locate the key HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Identity (16.0 covers Office 2016, 2019 and Microsoft 365 Apps; Office 2013 uses 15.0)
If the "EnableADAL" value does not exist yet, create it as a DWORD and set it to 0
If the value already exists, change it to 0
Close the Registry Editor and restart your Outlook application (close and reopen it)
You will see the credential prompt when Outlook launches
Key in your app password and select Remember password
*It is much simpler to add the registry value; to return to modern authentication later, set it back to 1 or delete it
*But I recommend that you remove the profile and then re-add it
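The registry steps above as one added PowerShell script (not code from the original post), run as the affected user. It only touches the EnableADAL value under the Office 16.0 Identity key, shows the value before and after so the change is auditable, and restarts Outlook; the Office 2013 variant of the path is an assumption noted in the comments.

```powershell
# Added example (not from the original post): set EnableADAL=0 under the Office 16.0
# Identity key for the current user, so Outlook 2016/2019/Microsoft 365 Apps fall back
# to basic authentication and accept an app password. Run as the affected user.
# Assumption: for Office 2013 the same value lives under ...\Office\15.0\Common\Identity.
$key  = 'HKCU:\SOFTWARE\Microsoft\Office\16.0\Common\Identity'
$name = 'EnableADAL'

# Create the key path if Office has not written it yet
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

# Record the current state so the change can be reverted (1 = modern auth on)
$before = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
"EnableADAL before: $(if ($null -eq $before) { '<not set>' } else { $before })"

# DWORD 0 = disable modern authentication (ADAL) for this user's Office 16.0 apps.
# -Force overwrites the value if it already exists.
New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 0 -Force | Out-Null
"EnableADAL after:  $((Get-ItemProperty -Path $key -Name $name).$name)"

# To revert later:  Remove-ItemProperty -Path $key -Name $name
# or:               Set-ItemProperty -Path $key -Name $name -Value 1

# Outlook reads the value at startup, so close and reopen it
Get-Process OUTLOOK -ErrorAction SilentlyContinue | Stop-Process -Force
Start-Process outlook.exe
```

After Outlook restarts, the credential prompt appears; enter the app password and tick Remember password as described above.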
Suppose you have an environment that was newly deployed or newly upgraded and, only after a few months, Outlook starts frequently showing the credential pop-up. You have no idea how such an issue could happen, even though you deployed it following best practice.
To check what is causing this situation, run Wireshark:
Run Wireshark on a user's computer, connected either to the LAN or to the Internet.
Close all unnecessary applications
Open and start Wireshark
Open Outlook only
If no pop-up is shown, open other Microsoft applications, such as Excel or Skype for Business
When the pop-up is shown, stop and save your Wireshark capture
Analyse the capture
You will probably see multiple TCP retransmissions on the connections through the firewall: sessions that succeed and then fail instantly
This could be a firewall issue causing the pop-up
You can also check the Event Viewer on the user's computer, following steps similar to the Wireshark ones
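The capture-and-analyse procedure above as an added PowerShell example, not part of the original post. It drives tshark (installed alongside Wireshark) rather than the GUI so the retransmission and reset counts can be grouped per server, and pulls Outlook warnings and errors from the Application log for the same window. The interface name, capture duration and tshark path are placeholders; capturing requires Npcap and an elevated session.

```powershell
# Added example (not from the original post): capture the traffic while Outlook
# starts, list TCP retransmissions and resets per peer with tshark, then read the
# Outlook warnings/errors from the Event Viewer Application log for the same window.
# Interface name, duration and the tshark path are placeholders for this example.
$tshark = 'C:\Program Files\Wireshark\tshark.exe'
$iface  = 'Ethernet'
$pcap   = "$env:TEMP\outlook-start.pcapng"
$start  = Get-Date

# 1. Close other Office apps, launch Outlook, capture for 120 seconds (blocks until done)
Get-Process OUTLOOK, EXCEL, lync -ErrorAction SilentlyContinue | Stop-Process -Force
Start-Process outlook.exe
& $tshark -i $iface -a duration:120 -w $pcap

# 2. Retransmissions and resets grouped by destination, so a firewall that accepts a
#    session and then drops it shows up as the same ip:port again and again.
#    -T fields output is tab-separated by default.
$filter = 'tcp.analysis.retransmission || tcp.flags.reset == 1'
$rows = & $tshark -r $pcap -Y $filter -T fields -e ip.dst -e tcp.dstport -e frame.time_relative
$rows |
    ForEach-Object { ($_ -split "`t")[0..1] -join ':' } |
    Group-Object | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 3. Outlook warnings (Level 3) and errors (Level 2) logged since the capture began
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Outlook'
    Level        = 2, 3
    StartTime    = $start
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```

A single Exchange or Autodiscover endpoint dominating the retransmission table, with the first packets of each session succeeding before the reset, points at a firewall or proxy in the path rather than at the client.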
In such a situation, the questions to ask yourself are:
Have there been changes to the firewall?
Is the firewall having an issue?
Is my Exchange server or Exchange hybrid having an issue?
Is my AD FS having a problem? (Check whether the portal is accessible; if it is, then AD FS is not the problem)