I've had two customers lately running Office 365 encountering problems when enabling Multi-Factor Authentication on their accounts. Outlook would throw a fit and refuse to authenticate, but every other Office application looked fine.

All the computers were Azure AD joined; Windows and Office logins worked normally. The web worked normally. But Outlook just stubbornly refused to authenticate.

The login audit for the impacted user indicated that Outlook was a Legacy client, which got me thinking (I should note, this was raised with MS Support and they didn't have a clue and were going down the rabbit hole of ADAL conflicts with Win 10 ...).

It turned out that in both cases the tenant was created a LONG time ago and had subsequently defaulted to an old set of configuration - in particular, OAuth was disabled (it was added a few years ago if I recall) - and so needed to be enabled, as this is the auth flow used by Modern applications where MFA is enabled.

To enable:

  1. Install the Exchange Online PowerShell module (the Exchange cmdlets) from the Exchange Admin Center
  2. Connect to your session as a Global Admin:
     # New-CsOnlineSession is the Skype for Business Online cmdlet and does not expose
     # Set-OrganizationConfig. The Exchange Online module installed in step 1 connects
     # with Connect-EXOPSSession (Connect-ExchangeOnline in the newer
     # ExchangeOnlineManagement module), which also works for an MFA-enabled admin.
     # Replace the UPN placeholder with your own admin account.
     Connect-EXOPSSession -UserPrincipalName admin@yourtenant.onmicrosoft.com
  3. Enable OAuth:
     Set-OrganizationConfig -OAuth2ClientProfileEnabled:$true
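A check-then-enable wrapper for step 3, added here as an example and not code from the original post; it assumes the Exchange Online session from step 2 is already open, and it reads the flag back afterwards so you are not trusting the Set call alone:

```powershell
# Assumes an Exchange Online PowerShell session is already connected (step 2).
# Function name is my own; the cmdlets and the OAuth2ClientProfileEnabled
# property are the real Exchange Online ones.
function Enable-TenantOAuth {
    # Record the tenant-wide setting before changing anything, so the
    # "before" state is in the transcript if you need to roll back or report.
    $before = (Get-OrganizationConfig).OAuth2ClientProfileEnabled
    Write-Host "OAuth2ClientProfileEnabled before: $before"

    # Only write when needed; re-running the script is then harmless.
    if (-not $before) {
        Set-OrganizationConfig -OAuth2ClientProfileEnabled:$true
    }

    # Re-read the value from the service rather than assuming the write took.
    $after = (Get-OrganizationConfig).OAuth2ClientProfileEnabled
    if (-not $after) {
        throw "OAuth2ClientProfileEnabled is still False; confirm the account has the Organization Management role and re-run."
    }
    Write-Host "OAuth2ClientProfileEnabled after: $after"
    return $after
}

Enable-TenantOAuth
```

After the flag reads True, restart Outlook on an affected machine and confirm in the Azure AD sign-in log that the client is no longer reported as Legacy.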