Office 365 MFA in Outlook 2016 on RDS Server

Grant Mitchell 21 Reputation points
2020-10-27T05:00:39.887+00:00

I have enabled MFA in Office 365, now when a user opens Outlook 2016 on an RDS server, they need to re-enter their credentials when they connect to a new server.

The issue starts happening after MFA is enabled in Office 365 for a particular user. The MFA itself is working fine and there is no Azure AD Sync, so the local AD accounts are completely separate from the Office 365 accounts. Just to be clear, I am not trying to use MFA to log into the RDS servers, just for the Office 365 apps.

In our scenario, we have an RDS farm, with servers RDS1-10. When a user logs into RDS1, for example, then opens Outlook after MFA is enabled, they get prompted for their password, then the MFA response. Once this is entered, Outlook connects and works fine. The issue is when this user logs out, then back into a different RDS server, for example RDS5, when they launch Outlook they need to re-enter their password and their MFA response.

What I am asking is: is there a way to write back their credentials, so that if they authenticate correctly in Outlook on one of the RDS servers, they do not need to re-enter their credentials on the remaining RDS servers in the farm?

Tags: Windows Server 2016, Outlook Management, Microsoft Entra ID

Accepted answer
  1. AmanpreetSingh-MSFT 56,311 Reputation points
    2020-10-27T07:37:17.923+00:00

    Hello @Grant Mitchell, welcome to the Q&A Platform and thanks for your query.

    After successful authentication, regardless of whether it is single-factor or multi-factor, an Access Token and Refresh Token pair is issued to the user. The access token is short lived (1 hr by default) and the refresh token is for 90 days by default. At the expiry of the access token, the refresh token is redeemed to get a new access token; when the refresh token is redeemed, no user interaction is required and no MFA prompt occurs. For security reasons, the refresh token is bound to the application and device and cannot be used on any other device. This is why users are getting prompted for authentication when they log in to any other server in the farm.

    The best possible solution in this case would be to add the public address which represents your RDS farm to Trusted IPs on the MFA portal so that you don't get an MFA prompt on your corp network. For this purpose, go to Portal.azure.com > Azure Active Directory > Users > click on the Multi-factor Authentication link > click on Service Settings > under the option "Skip multi-factor authentication for requests from following range of IP address subnets" add the public IP address/subnet that represents your RDS farm as shown below:

    (screenshot: 35382-image.png)

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

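The two mechanisms the accepted answer describes (a refresh token that silently renews the access token on the host that obtained it but cannot be redeemed from another host, and a trusted-IP range that suppresses the MFA factor) can be replayed in a small model. This is an added illustration, not code from the answer or from Azure AD: the lifetimes are the defaults quoted above, a plain (app, device) equality check stands in for the real token binding, and 203.0.113.0/24 is a constructed stand-in for the farm's public address.

```python
"""Simplified model of the token behaviour described in the answer above.

Constructed illustration only, not Azure AD's implementation. Lifetimes are
the defaults quoted in the answer; device binding is modelled as an
(app_id, device_id) equality check; 203.0.113.0/24 is a documentation
address block standing in for the RDS farm's public address.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import ipaddress
import secrets

ACCESS_TOKEN_LIFETIME = timedelta(hours=1)   # "short lived (1 hr by default)"
REFRESH_TOKEN_LIFETIME = timedelta(days=90)  # "90 days by default"


@dataclass
class RefreshToken:
    value: str
    user: str
    app_id: str
    device_id: str       # the binding that stops RDS5 redeeming RDS1's token
    expires: datetime


@dataclass
class AccessToken:
    user: str
    expires: datetime


@dataclass
class TokenService:
    """Toy issuer; trusted_ips mirrors the "skip MFA for these subnets" setting."""
    trusted_ips: list
    _refresh_tokens: dict = field(default_factory=dict)

    def mfa_required(self, client_ip: str) -> bool:
        ip = ipaddress.ip_address(client_ip)
        return not any(ip in net for net in self.trusted_ips)

    def interactive_sign_in(self, user, app_id, device_id, client_ip, now):
        """Password entry plus, outside trusted IPs, an MFA prompt.

        Returns (access_token, refresh_token, mfa_prompted).
        """
        mfa_prompted = self.mfa_required(client_ip)
        rt = RefreshToken(secrets.token_hex(16), user, app_id, device_id,
                          now + REFRESH_TOKEN_LIFETIME)
        self._refresh_tokens[rt.value] = rt
        return AccessToken(user, now + ACCESS_TOKEN_LIFETIME), rt, mfa_prompted

    def redeem(self, rt_value, app_id, device_id, now):
        """Silent renewal. Returns a new AccessToken, or None when the client
        has to fall back to interactive_sign_in."""
        rt = self._refresh_tokens.get(rt_value)
        if rt is None or now >= rt.expires:
            return None                      # unknown or expired token
        if (rt.app_id, rt.device_id) != (app_id, device_id):
            return None                      # presented from another app/device
        return AccessToken(rt.user, now + ACCESS_TOKEN_LIFETIME)


def farm_scenario(trusted_cidrs, farm_public_ip="203.0.113.10"):
    """Replay the RDS1 -> RDS5 sequence from the question and report what the
    user sees at each step."""
    svc = TokenService([ipaddress.ip_network(c) for c in trusted_cidrs])
    t0 = datetime(2020, 10, 27, 5, 0, tzinfo=timezone.utc)

    # 05:00  first Outlook launch on RDS1: interactive sign-in
    at1, rt1, mfa_on_rds1 = svc.interactive_sign_in(
        "user@example.com", "outlook-2016", "RDS1", farm_public_ip, t0)

    # 07:00  still on RDS1, access token expired: refresh token redeemed silently
    t1 = t0 + timedelta(hours=2)
    silent_renewal_on_rds1 = (
        at1.expires <= t1
        and svc.redeem(rt1.value, "outlook-2016", "RDS1", t1) is not None)

    # 08:00  user logs off and on to RDS5; Outlook there cannot redeem RDS1's token
    t2 = t0 + timedelta(hours=3)
    token_reusable_on_rds5 = (
        svc.redeem(rt1.value, "outlook-2016", "RDS5", t2) is not None)
    _, _, mfa_on_rds5 = svc.interactive_sign_in(
        "user@example.com", "outlook-2016", "RDS5", farm_public_ip, t2)

    return {
        "mfa_prompt_on_rds1": mfa_on_rds1,
        "silent_renewal_on_rds1": silent_renewal_on_rds1,
        "refresh_token_reusable_on_rds5": token_reusable_on_rds5,
        "mfa_prompt_on_rds5": mfa_on_rds5,
    }


if __name__ == "__main__":
    print("no trusted IPs:  ", farm_scenario([]))
    print("farm IP trusted: ", farm_scenario(["203.0.113.0/24"]))
```

Running the scenario with and without the farm's range in the trusted list shows the shape of the workaround: trusting the address removes the second factor on RDS5, but because RDS1's refresh token is still not redeemable there, the interactive sign-in on RDS5 itself still happens. It also shows what the setting trades away, since every sign-in arriving from that address, for any user, is now treated as single-factor.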

1 additional answer

  1. JeffYang-MSFT 6,241 Reputation points Microsoft Vendor
    2020-10-27T08:18:56.537+00:00

    Hi @Grant Mitchell ,

    From the perspective of the Outlook client, it is normal that you need to re-enter the credentials when connecting to a new server. For example, when you log in to your email account on RDS1 and use MFA for verification, the verification information applies only to this Outlook client and has no effect on Outlook clients on other devices. So, when logging in to other Outlook clients, the verification is still required.

    Besides, I agree with what @AmanpreetSingh-MSFT said: to achieve "no need to re-enter their credentials for the remaining RDS servers in the farm", you could try the skip-authentication workaround amanpreetsingh-msft mentioned above.


    If an Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.