If you care about your Security, then you need to take an extra step and tun on two-step verification in your account. (If you don’t know how, please check this link below this article)
Multi-Factor Authentication* (MFA) in your Outlook.com /Hotmail / MSN etc accounts. This will ensure that, to have an extra layer of security against hackers.
But once you do that and you might face an issue as I did, Microsoft Outlook part of your Office suite will keep promoting to enter your password as the below screenshot
You might see the format as :” microsoftaccount\@Youremail@outlook.com ”
Of course, you will go ahead and will type your usual password right? Unfortunately, this is wrong. You will need to go to your Microsoft Authenticator app and enter the password which is given in your app, as the below screenshot
Outlook
*Enable Two Step Verification in your Free Email account via Microsoft Authenticator :
- Multifactor authentication (MFA) is a security system that requires more than one method of authentication from independent categories of credentials to verify the user’s identity for a login or other transaction
CISO Insight
The Outlook password loop is one of the most common helpdesk tickets in any enterprise environment. What most users do not realise is that this issue is almost always caused by enabling multi-factor authentication without updating the application-specific password or switching to modern authentication (OAuth 2.0). As a CISO, I see this as a positive signal — it means MFA is working. The inconvenience is a small price for the security gain.
Why This Matters for Enterprise Security in 2026
Multi-factor authentication remains the single most effective control against credential-based attacks. Microsoft’s own data consistently shows that MFA blocks more than 99 per cent of automated account compromise attempts. Yet adoption in enterprise environments still lags, partly because of user friction issues exactly like the Outlook password loop described above.
The root cause is almost always a mismatch between legacy authentication protocols and modern security requirements. When an organisation enables MFA on Microsoft 365 or Azure AD (now Entra ID), older Outlook clients that rely on Basic Authentication cannot negotiate the additional authentication factor. The result is an endless password prompt that frustrates users and drives helpdesk call volume.
The Fix: Modern Authentication and App Passwords
The permanent solution is to ensure all Outlook clients are using Modern Authentication (OAuth 2.0). For Microsoft 365 environments, this is enabled by default on current Outlook versions. For older clients or legacy configurations, generating an application-specific password through the Microsoft account security settings resolves the loop without compromising MFA protection.
For enterprise IT teams, the recommended approach is to disable Basic Authentication entirely at the tenant level via Exchange Online PowerShell or through a Conditional Access policy in Entra ID. This eliminates the password loop and simultaneously closes a significant attack surface that threat actors regularly exploit in password spray and credential stuffing campaigns.
Practical Steps for IT Administrators
First, audit your environment to identify any clients still using Basic Authentication. Microsoft provides sign-in logs in the Azure portal that show the authentication protocol used for each connection. Second, communicate the change to users before enforcement — the Outlook password prompt is confusing and generates unnecessary support tickets if users are not prepared. Third, enforce Modern Authentication via Conditional Access and monitor for any legacy protocol fallback attempts, which may indicate misconfigured devices or shadow IT.
Frequently Asked Questions
Why does Outlook keep asking for my password after enabling MFA?
Outlook prompts repeatedly when it cannot complete the multi-factor authentication handshake. This typically happens with older Outlook versions that use Basic Authentication instead of Modern Authentication (OAuth 2.0). Updating Outlook to the latest version or generating an app-specific password resolves the issue.
Is it safe to use app passwords with MFA enabled?
App passwords are a legacy workaround and should be treated as temporary. They bypass MFA for specific applications, which reduces security. The better long-term solution is to migrate all clients to Modern Authentication and disable Basic Authentication entirely.
How do I check if my Outlook is using Modern Authentication?
In Outlook, go to File > Office Account. If you see a “Sign Out” option and your profile shows your Microsoft 365 account, Modern Authentication is active. Alternatively, IT administrators can check the Azure AD sign-in logs for the authentication protocol used by each client connection.
Related reading: For more on identity-first security and Zero Trust authentication strategies, visit our Zero Trust Security Hub or download the free CISO Toolkit for enterprise security governance templates.