I've had a Microsoft support case open for about a month, and sad to say they're not living up to my usual experience with MS support. So I'll post this here.
About a month ago, we implemented Azure AD App Proxy to front-end our on-prem Exchange 2010, so that we could do MFA for OWA and mobile devices (technically, MFA for OWA and Intune enrollment, and using conditional access on EAS to require Intune. Voila.) It's generally working great. For Outlook Anywhere and EWS, we're simply allowing passthrough authentication instead of pre-auth, because on Ex2010, those protocols won't do MFA for clients, which is fine for us.
HOWEVER - Outlook for Mac (2016) won't work anymore.
IMPORTANT EDIT - As in the title, this is only when off-site, coming in through AADAP. When they connect to the CAS server directly (when on-prem or on VPN), it works the same as it always did. Our CAS servers didn't change.
So, EWS is working. If I take my Windows machine off-prem, Outlook can still connect to EWS because I can set my OOO and see free/busy.
Outlook for Mac won't connect. It complains about Kerberos, asks me to put in new info, and never connects. With MS support, we did an SSL capture with Charles (similar to Fiddler), and they say the issue is that we allow NTLM and Negotiate in EWS, and AADAP will always and only pass the strongest method to the client, and Mac Outlook won't work with Negotiate.
As a test, last night I removed Negotiate as a Windows Auth provider in IIS on our CAS servers, and my Mac started working, now using Basic auth according to Charles. However, Windows clients off-prem stopped being able to access EWS, so OOO, MailTips, free/busy were broken. We have a lot more Windows than Mac users so we reverted. I'm still working with MS, but the Azure AD team seems to have ghosted, the Exchange guy is out of his element (no fault to him), and they never even involved the Outlook for Mac team.
Anyone have any ideas about where to start?
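Before toggling Windows Authentication providers on the CAS servers again, it helps to record exactly what IIS and Exchange currently advertise per virtual directory, so the before/after state of the Negotiate/NTLM/Basic mix is documented and reversible. The script below is an added, read-only example (not from the original post); it assumes the IIS WebAdministration module and the Exchange Management Shell are loaded on the CAS server and that the site is named 'Default Web Site'.

```powershell
# Added example: audit (do not change) the authentication configuration that
# AADAP passthrough will relay to clients for each Exchange 2010 virtual directory.
Import-Module WebAdministration

# Virtual directories mentioned in the post plus Autodiscover, which Mac Outlook uses first.
$vdirs = @('EWS', 'owa', 'Microsoft-Server-ActiveSync', 'rpc', 'Autodiscover')
$siteName = 'Default Web Site'   # assumption: default IIS site name on the CAS

$report = foreach ($v in $vdirs) {
    $path = "IIS:\Sites\$siteName\$v"
    if (-not (Test-Path $path)) { continue }

    $win   = Get-WebConfiguration -PSPath $path `
               -Filter 'system.webServer/security/authentication/windowsAuthentication'
    $basic = Get-WebConfiguration -PSPath $path `
               -Filter 'system.webServer/security/authentication/basicAuthentication'
    # Provider order matters: IIS lists them strongest first, which is what AADAP passes on.
    $providers = (Get-WebConfiguration -PSPath $path `
                   -Filter 'system.webServer/security/authentication/windowsAuthentication/providers').Collection |
                 ForEach-Object { $_.Value }

    [pscustomobject]@{
        VDir          = $v
        WindowsAuth   = $win.enabled
        Providers     = ($providers -join ', ')
        BasicAuth     = $basic.enabled
        # Flag the exact combination the post found to break Mac Outlook through AADAP.
        NegotiateOnly = ($win.enabled -and ($providers -contains 'Negotiate') -and -not $basic.enabled)
    }
}

$report | Format-Table -AutoSize

# Cross-check with what Exchange itself believes is configured for EWS on this server,
# since Set-WebServicesVirtualDirectory can overwrite manual IIS edits on the next run.
Get-WebServicesVirtualDirectory -Server $env:COMPUTERNAME |
    Format-List Identity, WindowsAuthentication, BasicAuthentication,
                InternalAuthenticationMethods, ExternalAuthenticationMethods
```

Run it on every CAS behind the App Proxy connector and diff the output, since a single server with a different provider order will make the symptom appear intermittent.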