Configuring Office 365 Modern Authentication
Modern authentication in Office 365 leverages Active Directory Authentication Library (ADAL)-based sign-in to Office client apps. Modern Authentication allows administrators to enable features such as Multi-Factor Authentication (MFA), SAML-based third-party Identity Providers with Office client applications, and smart card and certificate-based authentication, and it removes the need for Outlook to use the basic authentication protocol.
Why do we need Modern Authentication?
Office 365 Multi-Factor Authentication (MFA) lets you configure an additional layer of security for the user sign-in process to ensure data protection and minimize security risk. Users who are enabled for multi-factor authentication are required to configure an App Password in order to use Office desktop applications, including Outlook, Skype for Business, Word, Excel, PowerPoint and OneDrive for Business. An App Password is a 16-character randomly generated password that can be used with an Office client application as a way of increasing security in lieu of the second authentication factor. Because app passwords are randomly generated, it's hard for end users to memorize them. Modern Authentication in Office 365 helps desktop applications use ADAL-based authentication and eliminates the need to memorize an app password.
Modern Authentication requires a minimum of the Office 2013 client (15.0.4753.1001) installed on workstations.
By default, Office 2016 client apps are enabled for modern authentication and do not require any additional configuration on the client side. For Office 2013 client apps, registry keys must be set up on the end user's operating system to enable support for modern authentication. To enable modern authentication support for Windows workstations running Office 2013 client apps, the following registry keys are required.
Configuring Modern Authentication for Office Apps
Modern authentication in Office 365 is enabled on a per-user basis for workloads in Office 365. By default, modern authentication is enabled for SharePoint Online, and you do not have to configure anything in SharePoint Online to enable it.
Configuring Exchange Online for Modern Authentication
Follow these steps to configure Exchange Online for Modern Authentication in Office 365.
- Connect to Exchange Online using PowerShell
- Run the following cmdlet to verify the Modern Authentication status
Get-OrganizationConfig | ft OAuth*
- To enable modern authentication for Exchange Online, run the following cmdlet
Set-OrganizationConfig -OAuth2ClientProfileEnabled $True
- To verify that Modern Authentication is enabled for Exchange Online, re-run the Get-OrganizationConfig cmdlet
Configuring Skype for Business Online for Modern Authentication
Follow these steps to configure Modern Authentication for Skype for Business Online in Office 365.
- Connect to Skype for Business Online using PowerShell
- Run the cmdlet to check the Modern Authentication status for Skype for Business Online
- To enable modern authentication for Skype for Business Online, run the following cmdlet
Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed
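The verify, enable and re-verify steps above for both workloads, combined into one idempotent script; this is an added example, not code from the original page. It assumes remote PowerShell sessions to Exchange Online and Skype for Business Online are already connected, uses Get-CsOAuthConfiguration (the read counterpart of the Set- cmdlet above, not named on the page), and the -Enable switch and Test-CmdletLoaded helper are hypothetical names.

```powershell
# Added example: report modern authentication state per workload and
# enable it only where it is off. Assumes both service sessions are
# already connected in this console.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Enable   # hypothetical switch: without it the script only reports
)

# Returns $true when the named cmdlet was imported by a connected session.
function Test-CmdletLoaded([string]$Name) {
    [bool](Get-Command -Name $Name -ErrorAction SilentlyContinue)
}

$report = @()

# Exchange Online: OAuth2ClientProfileEnabled must be $true.
if (Test-CmdletLoaded 'Get-OrganizationConfig') {
    $before = (Get-OrganizationConfig).OAuth2ClientProfileEnabled
    if (-not $before -and $Enable -and
        $PSCmdlet.ShouldProcess('Exchange Online', 'Enable modern authentication')) {
        Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
    }
    $after = (Get-OrganizationConfig).OAuth2ClientProfileEnabled   # re-verify
    $report += [pscustomobject]@{
        Workload = 'Exchange Online'; Setting = 'OAuth2ClientProfileEnabled'
        Before = $before; After = $after; ModernAuthOn = [bool]$after
    }
} else {
    Write-Warning 'Exchange Online cmdlets not loaded; skipping that workload.'
}

# Skype for Business Online: ClientAdalAuthOverride must be Allowed.
if (Test-CmdletLoaded 'Get-CsOAuthConfiguration') {
    $before = [string](Get-CsOAuthConfiguration).ClientAdalAuthOverride
    if ($before -ne 'Allowed' -and $Enable -and
        $PSCmdlet.ShouldProcess('Skype for Business Online', 'Enable modern authentication')) {
        Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed
    }
    $after = [string](Get-CsOAuthConfiguration).ClientAdalAuthOverride   # re-verify
    $report += [pscustomobject]@{
        Workload = 'Skype for Business Online'; Setting = 'ClientAdalAuthOverride'
        Before = $before; After = $after; ModernAuthOn = ($after -eq 'Allowed')
    }
} else {
    Write-Warning 'Skype for Business Online cmdlets not loaded; skipping that workload.'
}

$report | Format-Table -AutoSize
```

Run it without -Enable for a read-only audit, or with -Enable -WhatIf to preview which workloads would be changed.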
Once Modern Authentication is enabled for the Office 365 workloads and the client side is updated with the registry keys for Office 2013 clients, the app password requirement is eliminated. MFA-enabled users will get the same experience during the authentication process as users who do not have MFA enabled on their accounts.