Problem: Your environment has MFA and Outlook prompts for a password in a loop
Solution:
(h/t Van den Berge)
The cause
The issue is caused by a requirement for ‘Modern Authentication’ to be enforced. If you use Azure MFA as your multi-factor solution, Microsoft provide a workaround for the password loop problem. Each user gets an App Password to use for any applications that do not support Modern Authentication or any applications that are not enabled for Modern Authentication. Now, not everybody likes using app passwords since they are hard to manage and will place an extra workload on your Helpdesk.
The solution
The solution is enabling Modern Authentication which is disabled by default for Exchange Online but enabled by default for SharePoint Online. Skype for Business Modern Authentication has just come out of public preview.
First of all connect your PowerShell to Exchange Online in your Office 365 tenant, then run the following command: Get-OrganizationConfig
This will present a lot of info but the part we are interested in is illustrated below:
As you can see, OAuth2ClientProfileEnabled is set to False. This means Modern Authentication is disabled for Exchange Online. Set this to True by running:
Set-OrganizationConfig -OAuth2ClientProfileEnabled:$true
Now you should see the following:
OK, now your tenant will accept Modern Authentication requests. Now we need to determine which applications will send the correct authentication. In my case Outlook 2016 now workes fine with 2FA enabled.