Question

Is there a way to purge locally cached files and/or registry entries on Windows 10 that assist with making the single sign-on modern authentication experience with Outlook M365 work, where once this data is purged, the app will have to prompt for the modern authentication again? (I know it'll store this data locally again)

Or

What options are available to assist with keeping M365 modern authentication enabled at the Exchange Online/Azure AD level, but force basic authentication on specific devices regardless of the user that signs onto it with Outlook M365 desktop app?

Ultimate Goal: Need for Outlook M365 desktop app to prompt for password for whatever profile is picked at launch time on specific computers regardless of the Outlook user profile picked and even if that profile account authenticated successfully with modern authentication on a previous launch (even if 3 minutes ago for example).

Things tried

• Both disabling Cached Exchange Mode, wiping all local cache files and enabling it too (separate times)

• Toggling the User identification | Always prompt for login credentials options via registry settings in all cached mode enabled or disable scenarios to all applicable values possible with each configuration

  

• Purging all credentials from Credential Manager

• Slews of Googling with a few posts that haven't helped either

  • Can't disable saved passwords Outlook

  • How do I make Outlook prompt for a password

  • There an Office GPO setting "Prevent saving credentials for Basic Authentication policy", but setting it won't apply since modern authentication is always used. I'm not finding any equivalent options here for modern authentication though.

    

  • Read about Primary Refresh Token and thought about figuring out where this token is located on the local machine and a solution at that level to wipe, prevent saving, etc. to see if that'd help but seems a bit brute force to start

  • Read about conditional access policies using Common identity and device access policies but not sure if this could handle it or if there's a simpler way before diving into this

Requirements/Issues

• To use Outlook M365 desktop app and not be required to use Outlook on the web \ OWA

• To have any Outlook M365 desktop app profile selected and always have it prompt to authenticate

  • If user1 profile previously authenticated using the modern auth, user2 can walk up even after a PC reboot and pick user1 profile, and it allows them access without a password prompt

• Need to keep modern authentication enabled Azure AD/Exchange Online wise regardless so users on their own machines signed on with their own Windows profiles still works for Seamless Single Sign-on.

• Prefer to not enable MFA\2FA on the Azure AD accounts to as a solution and just have it use modern authentication or basic authentication.

• Using Basic Authentication on these machines for Outlook to prompt for credential is NOT a requirement if there's a way to do this with modern authentication.

Environment specifics

• Windows 10 Enterprise (20H2)
  • The Windows user account auto logs onto Windows with an on premise AD account that does not have an Azure AD license assigned to it but it does Azure AD sync. When the user walks up, they do not need to log into Windows and just pick their Outlook profile to access their email.
• Azure AD M365 licensed accounts do not log into Windows on these machines
• Outlook M365 (M365 Apps for Enterprise)
  • Azure AD account will connect to Exchange Online mailbox by building a profile and authenticate when selected
  • Could be 5 different Azure AD accounts/Exchange Online mailboxes that need to connect at different times in a day
• Exchange Online (mailbox connections)
• Azure AD sync'd from on premise AD via Azure AD Connect
  • Pass the hash sync configuration