As of ~2018/07/10, attempting to sign in to https://outlook.office365.com using any MFA-enforced, AD-synced O365 account, from any web browser on any device on any network, doesn't prompt for the TOTP and instead fails with the following error message:
:-(
Something went wrong
We can't get that information right now. Please try again later.
X-ClientId: E69D5A6642C242AC9C337AF8EC04AC95
request-id 19bf2ff2-1040-4772-b207-487b71b0adef
X-Auth-Error OpenIdConnect Microsoft.Exchange.Security.OpenIdConnect.OpenIdConnectIdpException
X-OWA-Version 15.20.973.23
X-FEServer DB6PR04CA0014
X-BEServer CWXP265MB0983
Date:27/07/2018 13:59:39
An exception to this is that, on Windows PCs, Microsoft's web browsers (Internet Explorer and Microsoft Edge) offer "Connected to Windows" sign-in options which work fine, presumably because they skip the MFA / TOTP step due to a previous successful and Windows-registered sign-in.
MFA-enforced, in-cloud O365 accounts are unaffected.
The Office 365 Admin Center’s service health and Azure AD Connect's Synchronization Service Manager both report no problems / errors.
Apps (Microsoft Outlook, Skype for Business, etc.) already connected to the affected O365 accounts continue to work, but attempting to sign in to new ones simply re-prompts for the password.
Literally the only things that I've managed to find online are the following, none of which were helpful, hence this post:
- https://answers.microsoft.com/en-us/msoffice/forum/msoffice_o365admin-mso_dirservices-mso_o365b/issue-with-office-365-azure-login/a8509ab6-201c-49dc-8112-9f574072482a
- https://www.erroraway.com/Questions-and-Discussions/201804/12/a8509ab6-201c-49dc-8112-9f574072482a.html / https://www.dllrepairfree.com/201805/31/a8509ab6-201c-49dc-8112-9f574072482a.html
- https://twitter.com/alnsportsmouth/status/983615870915100672
Best Answer
Following my comments with @maweeras, I reconfigured Azure AD Connect changing the user sign-in mode from pass-through authentication (we didn't need it) to password hash synchronization which immediately resolved the problem.
Update: 2018/08/01 15:00
This morning, out of curiosity, I reconfigured Azure AD Connect changing the user sign-in mode from password hash synchronization back to pass-through authentication which completed with the following status message:
As advised by https://social.msdn.microsoft.com/Forums/en-US/81673e69-1220-4231-a9c0-0753f4aa3455/azure-ad-connect-443-may-be-blocked?forum=WindowsAzureAD, on the server, I browsed to https://aadap-portcheck.connectorporttest.msappproxy.net/ which loaded fine and all tests passed.
In any case, I'm now able to sign in to Office 365 using the same affected Office 365 user accounts, so I don't know what the original problem was.