Enable Office 365 Modern Authentication

By | October 27, 2016

If you have an Office 365 subscription, you can enable Multi-Factor Authentication (MFA)¹ for end users, which adds an additional layer of security. Enabling MFA makes client apps require an app password to authenticate to Office 365 services. App passwords are long, randomly generated strings that are not easy to remember, so it is not convenient for end users to memorize them. That’s where Office 365 modern authentication comes in to help.

Office 365 modern authentication lets Office clients use Active Directory Authentication Library (ADAL) based authentication across platforms. This enables client apps to use features such as MFA, SAML-based third-party identity providers, smart cards and certificate-based authentication. Once enabled, this removes the need for Outlook to use the basic authentication protocol.

In this post I will discuss how you can enable modern authentication support for your Office 2013 client apps and enable it for your Office 365 services.

Configuring Client Apps for Modern Authentication

Office 2016 client apps are enabled for modern authentication by default, so no additional configuration of the client apps or the OS is required. Office 2013 client apps, on the other hand, require registry keys to be set in the OS to enable modern authentication support. To enable modern authentication support for Office 2013 client apps, set the following registry keys on every computer that has Office 2013 client apps installed.

Registry key | Type | Value
HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity\EnableADAL | REG_DWORD | 1
HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity\Version | REG_DWORD | 1
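
The two values in the table can be audited and set per user with PowerShell. The following is an added example, not part of the original post; the function name and the -Apply switch are hypothetical, and it must run in the user's own context because the values live under HKCU.

```powershell
# Added example: report on (and optionally set) the two Office 2013 values
# from the table above. Function name and -Apply switch are hypothetical.
function Invoke-Office2013ModernAuthCheck {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [switch]$Apply   # without -Apply the function only reports
    )

    $keyPath  = 'HKCU:\SOFTWARE\Microsoft\Office\15.0\Common\Identity'
    $required = [ordered]@{ EnableADAL = 1; Version = 1 }

    foreach ($name in $required.Keys) {
        # $null here means the value (or the whole key) does not exist yet.
        $current   = (Get-ItemProperty -Path $keyPath -Name $name -ErrorAction SilentlyContinue).$name
        $compliant = ($null -ne $current) -and ($current -eq $required[$name])

        if ((-not $compliant) -and $Apply -and
            $PSCmdlet.ShouldProcess("$keyPath\$name", "Set REG_DWORD $($required[$name])")) {
            if (-not (Test-Path -Path $keyPath)) {
                New-Item -Path $keyPath -Force | Out-Null
            }
            New-ItemProperty -Path $keyPath -Name $name -PropertyType DWord `
                -Value $required[$name] -Force | Out-Null
            # Read back so the report reflects what is actually stored.
            $current   = (Get-ItemProperty -Path $keyPath -Name $name).$name
            $compliant = ($current -eq $required[$name])
        }

        [pscustomobject]@{
            Value     = $name
            Expected  = $required[$name]
            Current   = $current
            Compliant = $compliant
        }
    }
}

# Report only:
Invoke-Office2013ModernAuthCheck
# Set missing or wrong values, then report:
# Invoke-Office2013ModernAuthCheck -Apply
```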

Configuring Office 365 Services for Modern Authentication

For the Office 365 services, the default state of modern authentication is:

  • Turned off for Exchange Online by default.
  • Turned on for SharePoint Online by default.
  • Turned off for Skype for Business Online by default.

Configuring Exchange Online for Modern Authentication

  1. Connect to Exchange Online using PowerShell.
  2. Check the modern authentication status (figure 1).
    Get-OrganizationConfig | select *OAuth*

    Figure 1: Modern Authentication Get-OrganizationConfig

  3. To enable it, run the command below (figure 2).
    Set-OrganizationConfig -OAuth2ClientProfileEnabled:$true

    Figure 2: Set-OrganizationConfig -OAuth2ClientProfileEnabled:$true

  4. To verify that it was successful, run the command in step 2 again. If you see a screen similar to the one below, you’ve been successful (figure 3).

    Figure 3: Get-OrganizationConfig | select *OAuth*

Configuring Skype for Business Online for Modern Authentication

  1. Connect to Skype for Business Online using PowerShell.
  2. Check the modern authentication status (figure 4).
    Get-CsOAuthConfiguration | select *Adal*

    Figure 4: Get-CsOAuthConfiguration | select *Adal*

  3. To enable it, run the command below (figure 5).
    Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed

    Figure 5: Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed

  4. To verify that it was successful, run the command in step 2 again. If you see a screen similar to the one below, you’ve been successful (figure 6).

    Figure 6: Get-CsOAuthConfiguration | select *Adal*
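
The Exchange Online and Skype for Business Online procedures above can be combined into one check-then-enable pass that records the state before and after. This is an added example, not part of the original post; the function name is hypothetical, and it assumes sessions to both services are already connected (step 1 of each procedure).

```powershell
# Added example: enable modern authentication only where it is currently off,
# and report the setting before and after. Function name is hypothetical.
# Assumes Exchange Online and Skype for Business Online sessions are connected.
function Enable-TenantModernAuth {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    # Exchange Online: step 3 above sets OAuth2ClientProfileEnabled to $true.
    $exoBefore = (Get-OrganizationConfig).OAuth2ClientProfileEnabled
    if ((-not $exoBefore) -and
        $PSCmdlet.ShouldProcess('Exchange Online', 'Set OAuth2ClientProfileEnabled to $true')) {
        Set-OrganizationConfig -OAuth2ClientProfileEnabled:$true
    }
    [pscustomobject]@{
        Service = 'Exchange Online'
        Setting = 'OAuth2ClientProfileEnabled'
        Before  = $exoBefore
        After   = (Get-OrganizationConfig).OAuth2ClientProfileEnabled
    }

    # Skype for Business Online: step 3 above sets ClientAdalAuthOverride to Allowed.
    $sfbBefore = [string](Get-CsOAuthConfiguration).ClientAdalAuthOverride
    if (($sfbBefore -ne 'Allowed') -and
        $PSCmdlet.ShouldProcess('Skype for Business Online', 'Set ClientAdalAuthOverride to Allowed')) {
        Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed
    }
    [pscustomobject]@{
        Service = 'Skype for Business Online'
        Setting = 'ClientAdalAuthOverride'
        Before  = $sfbBefore
        After   = [string](Get-CsOAuthConfiguration).ClientAdalAuthOverride
    }
}

# Dry run: shows the current state and what would change, without changing it.
Enable-TenantModernAuth -WhatIf
# Apply:
# Enable-TenantModernAuth
```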

Client Experience

Once you enable modern authentication support in Office 365 services and in client apps (Office 2013), the requirement for app passwords is eliminated. MFA-enabled users will get an experience similar to the screenshots below, which were taken while configuring an email account in Microsoft Outlook and when the client was launched (figures 7–10).

Figure 7: Email Account Configuration – Modern Authentication

Figure 8: Email Account Configuration – MFA with Modern Authentication

Figure 9: Microsoft Outlook client launch – Modern Authentication

Figure 10: Microsoft Outlook client launch – MFA with Modern Authentication

¹ To learn how to enable MFA, read my post about Multi-Factor Authentication in Office 365.

4 thoughts on “Enable Office 365 Modern Authentication”

  1. Taha Haider

    Thanks – helpful.

    My client would like users to have MFA every time a user launches Outlook when using a home PC outside the company network. It does ask for MFA the 1st time the user sets up the Outlook client, but it caches the user password and doesn’t ask again. Any suggestions, please?

    1. Muditha Jayath Chathuranga Post author

      Hi Taha,

      You’re welcome and I’m glad this helped you.

      Unfortunately the way modern authentication works is not capable of doing that at the moment. Further reading on Office 365 timeouts is available in Session timeouts for Office 365. However, if you are comfortable playing with stuff that is still in preview stages, there’s a way to achieve what you are looking for. Have a look at Configurable token lifetimes in #AzureAD are now Public Preview!.

      Thank you.

  2. Okorosi Peter

    Hello,

    Thank you for your post.
    Am actually trying to implement the modern authentication on O365 SFB.
    I hope the users login won’t the accept.
    Kindly update me.

    Regards

    1. Muditha Jayath Chathuranga Post author

      Hi Okorosi,

      I’m happy that you are going to implement modern authentication. But I’m not clear on what won’t accept in users login. Can you please elaborate it more?

      Thank you.
