You are trying to add an Outlook account to a device or app that does not support modern authentication, but the app password you generated fails to connect. This problem occurs because Microsoft has disabled app passwords for tenants using modern authentication, yet some legacy apps still require them. This article explains why app passwords stop working with modern authentication and provides the correct steps to fix the connection.
Key Takeaways: Fixing Outlook App Password Failures with Modern Authentication
- Azure AD > Users > Per-user MFA > Service settings: Turn off app passwords for the entire tenant or for specific users to enforce modern authentication.
- Outlook app > File > Account Settings > Server Settings: Set the incoming and outgoing server to use SSL/TLS and port 993 for IMAP or port 995 for POP to force modern auth.
- Microsoft 365 admin center > Org settings > Modern authentication: Enable modern authentication globally so legacy apps fall back to OAuth 2.0 instead of using app passwords.
Why App Passwords Stop Working When Modern Authentication Is Enabled
App passwords are a legacy authentication method designed for apps and devices that do not support modern authentication protocols like OAuth 2.0. When an organization enables modern authentication for Exchange Online, Microsoft automatically disables the use of app passwords for most protocols. This is a security feature: app passwords bypass multi-factor authentication MFA and create a static credential that is vulnerable to theft.
Modern authentication uses token-based authentication where the user authenticates interactively and receives a temporary token. App passwords use a fixed 16-character password that never expires. When modern auth is enabled, the Exchange Online server refuses app passwords for IMAP, POP, SMTP, and ActiveSync connections. The error message typically says “Your account configuration is outdated” or “The server rejected your credentials.”
The root cause is that the tenant administrator has enabled modern authentication globally in the Microsoft 365 admin center or has enabled security defaults in Azure Active Directory. Both settings block app passwords. The fix is either to turn off app passwords completely and switch to OAuth 2.0 or to re-enable app passwords for a specific user if the device absolutely cannot support modern auth.
How Modern Authentication Differs from App Passwords
Modern authentication requires the client to support OAuth 2.0. The user signs in with their regular password plus MFA if enabled. The client receives a token that is valid for a limited time. App passwords skip MFA and use a separate password generated from the Azure portal. When modern auth is on, the server rejects app passwords because they violate the security policy.
Steps to Fix Outlook App Password Failures
There are three methods to resolve this issue. Use the first method if you control the device and can update the email client. Use the second method if you must keep the legacy app. Use the third method if you are an administrator managing the tenant.
Method 1: Switch the Email Client to Use Modern Authentication
- Open Outlook and go to File > Account Settings > Account Settings
Select your email account and click Change. This opens the account configuration window. - Under Server Settings, click More Settings
Go to the Advanced tab. For Incoming server, set the port to 993 for IMAP or 995 for POP and choose SSL from the encryption dropdown. For Outgoing server, set port 587 and choose TLS. Click OK. - In the Change Account window, clear the box that says Log on using Clear Text Password
If this box is present, uncheck it. This forces Outlook to use OAuth 2.0 instead of basic authentication. - Click Next and wait for Outlook to test the connection
Outlook will prompt you to sign in with your full email address and password. Enter your regular password not an app password. If MFA is enabled, complete the MFA prompt. - Close the account settings and restart Outlook
Outlook now uses modern authentication and will no longer require an app password.
Method 2: Re-enable App Passwords for a Specific User
- Sign in to the Microsoft 365 admin center as a global administrator
Go to Users > Active users and select the user who needs the app password. - Click Manage multi-factor authentication on the user pane
This opens the MFA settings page in a new browser tab. - Click Service settings at the top of the MFA page
Scroll down to the App passwords section. Uncheck the box that says Allow users to create app passwords. This disables app passwords for the entire tenant. - If you want to allow app passwords only for this user, turn off modern authentication for that user
Go to Azure AD > Users > select the user > Authentication methods. Under App passwords, click Allow. Then remove the user from any conditional access policy that requires modern auth. - Generate a new app password for the user
Have the user sign in to https://account.activedirectory.windowsazure.com/AppPasswords and create a new app password. Use this 16-character password in the legacy Outlook app.
Method 3: Enable Basic Authentication for Specific Protocols in Exchange Online
- Connect to Exchange Online PowerShell as an administrator
Open PowerShell and runConnect-ExchangeOnline. Sign in with your admin credentials. - Check the current authentication policy
RunGet-AuthenticationPolicy | fl Name,AllowBasicAuth. This shows which protocols still allow basic authentication. - Enable basic authentication for the protocol your legacy app uses
RunSet-AuthenticationPolicy -Identity "Default" -AllowBasicAuthImap:$truefor IMAP or-AllowBasicAuthPop:$truefor POP. Replace “Default” with your policy name if different. - Assign the authentication policy to the user
RunSet-User -Identity "user@domain.com" -AuthenticationPolicy "Default". The user can now use an app password with basic authentication for that protocol.
If Outlook Still Has Issues After the Main Fix
Outlook Still Prompts for Password After Switching to Modern Auth
This happens when Outlook has cached old credentials in the Windows Credential Manager. Open Control Panel > Credential Manager > Windows Credentials. Look for any entry under Generic Credentials that contains “Outlook” or “MicrosoftOffice16”. Click the arrow to expand the entry and click Remove. Restart Outlook and sign in again.
App Password Works on One Device but Not Another
Each device must use a unique app password if the tenant allows app passwords. Check the device date and time. If the clock is off by more than five minutes, the server rejects the app password. Sync the device clock to time.windows.com and generate a new app password for that device.
Error “Your account settings are out of date” Appears Repeatedly
This error occurs when Outlook detects that modern authentication is required but the account is configured for basic auth. Run the Microsoft Support and Recovery Assistant from https://aka.ms/SaRA. Select Outlook > I’m having trouble with my password. The tool automatically detects the authentication type and updates the Outlook profile to use modern auth.
App Passwords vs Modern Authentication: Key Differences
| Item | App Passwords | Modern Authentication |
|---|---|---|
| Authentication method | Static 16-character password | OAuth 2.0 token with limited lifetime |
| Multi-factor support | Bypasses MFA | Supports MFA |
| Required client version | Any client that supports basic auth | Outlook 2013 or later with registry key, Outlook 2016 or later natively |
| Security risk | High, password can be stolen and reused | Low, token expires and is bound to the device |
| Admin control | Disabled by security defaults and conditional access | Enabled by default in Microsoft 365 |
You can now fix Outlook app password failures by switching to modern authentication or re-enabling app passwords for specific users. If your email client supports OAuth 2.0, use Method 1 to avoid future password issues. For legacy devices that cannot upgrade, use Method 2 or Method 3. As an advanced step, review your tenant’s conditional access policies in Azure AD to ensure that only the necessary protocols use basic authentication.