Continuous prompts for credentials are typically due to basic auth still being allowed in your o365 tenant as MFA requires Modern Auth. Older tenants (pre-2017 do not have Modern Auth turned on by default), so you have to manually enable it. From https://portal.microsoft.com browse to Settings > Org Settings > Modern Authentication and turn it on if it’s off.
Ideally, you’ll want to disable basic auth while you are at it, but this may take a lot of work depending on your environment. You can check for basic auth in use by going to Azure AD admin center, clicking sign-ins, add a filter for status = successful, and a filter for clientapp and add all 13 of the legacy authentication options. If you see no sign-ins in the last month, then turn off all basic auth options in the same spot you enabled modern auth in the pic above. NOTE: only turning on MFA will not stop bad actors from easily bypassing MFA and breaching your environment. You have to turn on MFA, AND turn off basic auth in order to be safe. One other thing to point out is that unless you are using the conditional access method to protect your Office 365 tenant then only the federated domains are protected with Duo MFA. This means that for any .onmicrosoft.com sign-ins that are configured for any user account they will not be protected by MFA. If you only have a “break glass” account using the .onmicrosoft.com domain, and it’s got an extremely long password then you are fine, but any others you’ll either need to change their domain to your custom domain or protect them with Azure MFA (the standard free tier is sufficient).
After you have basic auth turned on, go to any problem workstations run this PowerShell command to tell Outlook to use Modern Authentication.
Set-ItemProperty -Path " HKCU:\Software\Microsoft\Exchange" -Name 'Always UseMSOAuthForAutoDiscover' -Value 1 -Type DWORD -Force "(remove the space between Always and UseMSOAuthForAutoDiscover)"
For Outlook 2013 you’ll need to deploy these regkeys:
Set-ItemProperty -Path "HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity" -Name EnableADAL -Type DWORD -Force
Set-ItemProperty -Path "HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity" -Name Version -Type DWORD -Force
Other keys you can safely set to ensure modern auth is working as advertised:
Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Office\16.0\Common\Identity" -Name EnableAdal -Value 1 -Type DWORD –Force
Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Office\16.0\Common\Identity" -Name Disable ADALatopWAMOverride -Value 0 -Type DWORD –Force "(remove the space between disalbe and ADALaptopWAMOverride)"
Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Office\16.0\Common\Identity" -Name DisableAADWAM -Value 0 -Type DWORD –Force
Hope that helps!