Just had an issue at a customers where the Outlook 2016 would start asking for username and password when MFA was activated at AD FS (AD FS 4.0 on Windows Server 2016).

Did the normal troubleshooting on AD FS, but all I could find was an error in event log: https://support.microsoft.com/ml-in/help/3044977/adfs-2-0-error-access-is-denied

Event ID 325 The Federation Service could not authorize token issuance for the caller.

Could not for the life of me figure out what was wrong, but I was pointed in the direction of activating Modern Authentication on the Office 365 tenant here.

Turns out OAuth2 is not enabled by default. This powershell command must be run (among others):

Set-OrganizationConfig -OAuth2ClientProfileEnabled $true