Office 365 continual MFA Loop

mapurcel
Contributor III

We are using Office 2016 with Office 365 and we use modern auth with multi-factor authentication (MFA). When you activate Office you see a mini browser pop open that walks the user through our MFA process.

All of a sudden our users are getting continually prompted for MFA, and each time they go through the process it puts the ADAL credential in the login keychain, MicrosoftOffice15_2_Data.. is the 'kind', so a machine will have multiple copies of this item. The only way to get out of the loop is to clear these keychain items and go through MFA one more time.

We have a case open with Microsoft to determine if this is on them or our identity provider, just curious if anyone else is seeing something similar?
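An added example, not part of the original post or of any script linked in this thread: a read-only check that counts the duplicate keychain items described above from `security dump-keychain` text. It assumes the Keychain Access "kind" appears as the `desc` attribute in that output; the function names and the sample dump are constructed for illustration.

```shell
#!/bin/sh
# Kind prefix as quoted in the post; the rest of the kind is elided there.
KIND_PREFIX='MicrosoftOffice15_2_Data'

# Reads `security dump-keychain` text on stdin and prints how many items
# carry a "desc" (kind) attribute starting with KIND_PREFIX.
# Assumption: each keychain item has exactly one "desc" line.
count_adal_items() {
    awk -v prefix="$KIND_PREFIX" '
        index($0, "\"desc\"<blob>=\"" prefix) { n++ }
        END { print n + 0 }
    '
}

# Succeeds when more than one matching item exists, which is the
# "multiple copies" state the post associates with the MFA loop.
adal_loop_suspected() {
    [ "$(count_adal_items)" -gt 1 ]
}

# Constructed sample in the layout of `security dump-keychain` output:
# two items of the reported kind and one unrelated item.
sample_dump() {
cat <<'EOF'
keychain: "/Users/test/Library/Keychains/login.keychain-db"
class: "genp"
attributes:
    "acct"<blob>="user@example.com"
    "desc"<blob>="MicrosoftOffice15_2_Data.."
    "svce"<blob>="constructed-service-1"
keychain: "/Users/test/Library/Keychains/login.keychain-db"
class: "genp"
attributes:
    "acct"<blob>="user@example.com"
    "desc"<blob>="MicrosoftOffice15_2_Data.."
    "svce"<blob>="constructed-service-2"
keychain: "/Users/test/Library/Keychains/login.keychain-db"
class: "genp"
attributes:
    "acct"<blob>="user@example.com"
    "desc"<blob>="application password"
    "svce"<blob>="constructed-unrelated"
EOF
}

# On a Mac, pipe the real dump instead: security dump-keychain | count_adal_items
sample_dump | count_adal_items
```

Because it only reads attribute metadata, the check can be run before and after the keychain cleanup to confirm the duplicates are gone.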

1 ACCEPTED SOLUTION

jconte
Contributor II

Sorry for the delay. I packaged up the script and put it in our hidden scripts folder, then I set up a policy in Self Service to run from that location with the --All --Force switches. Scoped it to everyone that has Office 2016 installed; even if they find it in Self Service, it doesn't hurt anything to run it even if you aren't broken.

The helpdesk uses it and it has worked 100% so far.

Thanks
Jeff


14 REPLIES

gatech-comm
New Contributor

It's a known issue with no fix yet. M$ will have to patch this at some point to fix it. The only fix is what you are doing now or a complete wipe and reinstall.

mapurcel
Contributor III

@gatech-comm do you have any other details on the issue, when it started etc? We were stable up until about 10 days ago when we started seeing the issue. On Windows machines we started seeing it a couple of weeks ago...

Doesn't seem to affect everyone but a significant number..

tdclark
Contributor

We are seeing this as well. What we've found is that if you do the keychain stuff from this link

Trouble shooting Office for Mac 2016

...the issue gets resolved.

gatech-comm
New Contributor

@mapurcel I noticed once the 15.29.xxx updates were released. Prior on 15.28.x everything seemed fine. I'm not sure if it's a direct correlation, just when I noticed.

mapurcel
Contributor III

@gatech-comm thanks, that helps
@tdclark yeah just deleting the ADAL entries works for us, did this problem surface for you recently? Were you able to correlate to a particular version of Office?

tdclark
Contributor

@mapurcel 15.29 is when I started seeing it on my, and on my users, computer(s).

macmanmk
Contributor

We have been seeing the same thing and use Okta for authentication. The loop seems almost exclusive to Outlook 2016 as users aren't receiving prompts in the other Office 2016 apps. As others have suggested here and as Okta suggests, the issue only seems to get resolved when deleting MS ADAL keychain entries. Hopefully there is a more permanent solution soon.

talkingmoose
Moderator

This issue may be the same one Microsoft has identified and will be fixing. From @pbowden in the #microsoft-office channel on Slack:

yes, the bug has existed for a long time, but the holidays have really exacerbated the problem. The issue typically occurs when a user attempts to auth using Outlook for Mac when their AD password has already expired.

Install the latest Insider Fast 15.31 version of Outlook on a test system and see if the problem persists. This version is supposed to address the issue and is slated for release next month.

In the meantime, Paul's script NukeOffKeychain on GitHub may help.

tdclark
Contributor

My password had not expired, and we don't have expiring passwords here on campus (for the most part). I can confirm this morning that the problem still exists in 15.30 as I had to go through the keychain delete "stuff" process first thing.

Hopefully 15.31 fixes it.

mapurcel
Contributor III

@talkingmoose that issue sounds a little different, in our environment it's definitely not related to expired passwords. Also interesting to note that the same problem exists on Windows, which makes it a big issue in our company. We're testing a Windows Office update that may fix it...

jconte
Contributor II

We were having the same issue, thankfully Paul Bowden from Microsoft posted this on his GitHub.

https://github.com/pbowden-msft/NukeOffKeychain

Slack is a great place to have your Microsoft Office issues addressed.

We put this in Self Service and when a user calls we have them run it and their problem is resolved. This issue is supposed to be resolved in February but at least we have a workaround.

Jeff

mapurcel
Contributor III

@jconte thanks! How did you deploy the NukeOffKeychain through Self Service?

jconte
Contributor II

Sorry for the delay. I packaged up the script and put it in our hidden scripts folder, then I set up a policy in Self Service to run from that location with the --All --Force switches. Scoped it to everyone that has Office 2016 installed; even if they find it in Self Service, it doesn't hurt anything to run it even if you aren't broken.

The helpdesk uses it and it has worked 100% so far.

Thanks
Jeff

mapurcel
Contributor III

@jconte thanks, working great!
@talkingmoose thanks much for the link to the discussion on Slack, although in our environment I don't think it's caused by expired AD passwords, it does appear that we are all dealing with basically the same bug.