This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(32, 23%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAR%3C/text%3E%3C/svg%3E)
I recently set up half of the users in my company to transition to a hybrid O365 environment, on-prem exchange with O365 licenses using Azure AD sync, but left some users fully on-prem. The fully on-prem users are having issues with Outlook consistently asking for their password, and locking them out in Active Directory when they enter the password. They are using Office 2019 and 2021.
I have cleared credential manager, and made the following registry changes with no luck: [HKEY_CURRENT_USER\Software\Microsoft\Exchange] "AlwaysUseMSOAuthForAutoDiscover"=dword:00000000 "ExcludeExplicitO365Endpoint"=dword:00000001 "ExcludeHttpsAutoDiscoverDomain"=dword:00000000 "ExcludeHttpsRootDomain"=dword:00000000 "ExcludeScpLookup"=dword:00000001
Any help would be greatly appreciated.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(102.4, 11%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETD%3C/text%3E%3C/svg%3E)
Hi @Alex Rodrigue
Thank you for posting your question in the Microsoft Q&A forum.
When Azure AD Connect is enabled, Outlook may still attempt to query the Office 365 Autodiscover endpoint (autodiscover-s.outlook.com), even if the user isn’t licensed for Exchange Online. This happens because the user’s UPN now exists in Azure AD, which triggers parts of the Autodiscover process that target Office 365.
You were on the right track with your registry keys, but some settings still allow external HTTPS lookups. Specifically, setting ExcludeHttpsAutoDiscoverDomain and ExcludeHttpsRootDomain to 0 permits Outlook to reach out externally, which can redirect to Office 365 if your DNS or Autodiscover virtual directory isn’t properly isolated. Additionally, Office 2019/2021 can cache OAuth discovery behavior based on prior hybrid connectivity, which may contribute to persistent login prompts.
Here are some steps you can take to mitigate the issue:
1.Make sure that autodiscover.company.com (your primary SMTP domain) resolves only to your on-prem Exchange server for internal and external clients.
Run: nslookup autodiscover.company.com
If it resolves to Microsoft 365, update your public DNS to point to your on-prem Autodiscover service.
2.You can expand your Autodiscover exclusions to fully block cloud-based Autodiscover attempts for on-prem-only users, apply the following registry settings:
[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AutoDiscover] "ExcludeExplicitO365Endpoint"=dword:00000001 "ExcludeHttpsAutoDiscoverDomain"=dword:00000001 "ExcludeHttpsRootDomain"=dword:00000001 "ExcludeScpLookup"=dword:00000000 "ExcludeSrvRecord"=dword:00000000 "ExcludeLastKnownGoodUrl"=dword:00000000
3.Since you’ve already cleared Credential Manager, also reset Outlook profiles to remove any cached modern auth attempts:
-Close Outlook
-Run: %localappdata%\Microsoft\Outlook
-Rename the folder ̣(Before renaming the folder, make sure to back up the Signatures and RoamCache folders if you want to preserve your email signatures and autocomplete data.)
-Recreate profile manually using Control Panel > Mail > Profiles > Add and set it as default.
4.If your Exchange on-prem still uses Basic or NTLM authentication (not Hybrid Modern Auth), ensure Outlook isn’t attempting OAuth.
Disable OAuth to prevent Outlook from attempting modern authentication:
[HKEY_CURRENT_USER\Software\Microsoft\Exchange] "AlwaysUseMSOAuthForAutoDiscover"=dword:00000000
And also:
[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity] "EnableADAL"=dword:00000000 "DisableADALatopWAMOverride"=dword:00000001
This forces Outlook to use legacy authentication for on-prem profiles.
I hope this helps resolve the login loop and lockout issues.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Thank you for the response. I followed these steps and still no luck. It's worth noting these users are not syncing with M365. They have a different logon domain than the 365 users (on-prem are .local while the 365 users are .com)
The user I tested all of these changes you suggested gets locked out in AD on initial logon attempt, and when I unlock the account and try again it works. But after a while it disconnects and asks for the login again and locks the user out again.
Hi @Alex Rodrigue
Thank you for your update.
In hybrid Exchange environments where Azure AD sync is not enabled, Outlook login issues often stem from mismatched credentials. This happens because the Windows logon domain uses a .local suffix, while Outlook tries to authenticate using the user's email address. Autodiscover behavior in hybrid setups can further complicate things, creating a loop of failed logins and lockouts.
A simple and effective way to resolve this is to update the user principal names in your on-premises Active Directory to match the users' email addresses. For example, change user@company.local to ******@company.com. This makes authentication consistent across Windows, Exchange, and Outlook, without requiring Azure AD sync or Office 365 licenses.
Before applying this change, ensure that company.com is added as an alternative UPN suffix under Active Directory Domains and Trusts.
You can use the following PowerShell script to apply this change:
Get-ADUser -Filter * -SearchBase "OU=YourOU,DC=company,DC=local" |
ForEach-Object {
$newUpn = $_.SamAccountName + "@company.com"
Set-ADUser $_ -UserPrincipalName $newUpn
}
Reference: Change UPN Suffix with PowerShell - ShellGeek.
Note: Microsoft is providing this information as a convenience to you. These sites are not controlled by Microsoft, and Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please ensure that you fully understand the risks before using any suggestions from the above link.
This approach helps eliminate credential mismatches and improves the overall stability of Outlook authentication in hybrid environments.
Hi @Alex Rodrigue
May I know if you had a chance to test the solution I shared? It would be great to know if it worked for your scenario. And if you encounter any issues or have questions, feel free to reach out. I’m happy to assist.