If you have an Office 365 subscription, you can enable Multi-Factor Authentication (MFA)¹ for end users, which adds an additional layer of security. With MFA enabled, client apps require an app password to authenticate to Office 365 services. App passwords are long, randomly generated strings that are not easy to remember, so it is not convenient for end users to memorize them. That's where Office 365 modern authentication comes in to help.
Office 365 modern authentication lets Office clients use Active Directory Authentication Library (ADAL) based authentication across platforms. This enables client apps to use features such as MFA, SAML-based third-party identity providers, smart cards and certificate-based authentication. Once enabled, it removes the need for Outlook to use the basic authentication protocol.
In this post I will discuss how you can enable modern authentication support for your Office 2013 client apps and enable it for your Office 365 services.
Configuring Client Apps for Modern Authentication
Office 2016 client apps are enabled for modern authentication by default, so no additional configuration is required on the client apps or the OS. Office 2013 client apps, on the other hand, require registry keys to be set in the OS to enable modern authentication support. To enable modern authentication support for Office 2013 client apps, set the following registry keys on every computer that has Office 2013 client apps installed.
Configuring Office 365 Services for Modern Authentication
For the Office 365 services, the default state of modern authentication is:
- Turned off for Exchange Online by default.
- Turned on for SharePoint Online by default.
- Turned off for Skype for Business Online by default.
Configuring Exchange Online for Modern Authentication
1. Connect to Exchange Online using PowerShell.
2. Check the modern authentication status (figure 1).
   Get-OrganizationConfig | select *OAuth*
3. To enable it, run the command below (figure 2).
4. To verify that it was successful, run the command in step 2 again. If you see a screen similar to the one below, you've been successful (figure 3).
Configuring Skype for Business Online for Modern Authentication
1. Connect to Skype for Business Online using PowerShell.
2. Check the modern authentication status (figure 4).
   Get-CsOAuthConfiguration | select *Adal*
3. To enable it, run the command below (figure 5).
   Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed
4. To verify that it was successful, run the command in step 2 again. If you see a screen similar to the one below, you've been successful (figure 6).
Once you enable modern authentication support in Office 365 services and in client apps (Office 2013), the requirement for app passwords is eliminated. MFA-enabled users will get an experience similar to the screenshots below, which were taken while configuring an email account in Microsoft Outlook and when the client was launched (figures 7–10).
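A read-only check of both tenant settings in one pass, added here as an example and not taken from the original post. It assumes Exchange Online and Skype for Business Online PowerShell sessions are already connected; the function name Get-ModernAuthStatus is hypothetical, and OAuth2ClientProfileEnabled is the Exchange Online property that the *OAuth* filter above matches.

```powershell
# Added example: read-only audit of the two tenant settings discussed above.
# Assumption: remote PowerShell sessions to Exchange Online and Skype for
# Business Online are already connected, so both Get-* cmdlets are available.
function Get-ModernAuthStatus {   # hypothetical helper name
    [CmdletBinding()]
    param()

    $checks = @(
        @{ Service = 'Exchange Online'
           Cmdlet  = 'Get-OrganizationConfig'
           Setting = 'OAuth2ClientProfileEnabled'
           IsOn    = { param($v) $v -eq $true } },
        @{ Service = 'Skype for Business Online'
           Cmdlet  = 'Get-CsOAuthConfiguration'
           Setting = 'ClientAdalAuthOverride'
           IsOn    = { param($v) "$v" -eq 'Allowed' } }
    )

    foreach ($c in $checks) {
        $value = $null
        $state = 'NotConnected'   # cmdlet missing: no session for that service
        if (Get-Command -Name $c.Cmdlet -ErrorAction SilentlyContinue) {
            try {
                # Read the single property that controls modern authentication.
                $value = (& $c.Cmdlet -ErrorAction Stop).($c.Setting)
                $state = if (& $c.IsOn $value) { 'Enabled' } else { 'NotEnabled' }
            } catch {
                $state = "Error: $($_.Exception.Message)"
            }
        }
        [pscustomobject]@{
            Service    = $c.Service
            Setting    = $c.Setting
            Value      = $value
            ModernAuth = $state
        }
    }
}

# Services not reported as Enabled have not been confirmed for modern authentication.
$report = Get-ModernAuthStatus
$report | Format-Table -AutoSize
$pending = @($report | Where-Object { $_.ModernAuth -ne 'Enabled' })
if ($pending.Count -gt 0) {
    Write-Warning ("Modern authentication is not confirmed for: " +
                   (($pending | ForEach-Object Service) -join ', '))
}
```

The script changes nothing in the tenant; it only reports the values that the two verification steps above display.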
¹ To learn how to enable MFA, read my post about Multi-Factor Authentication in Office 365.