Enabling Modern Authentication on Office 365
Office 365 keeps adding features and functionality, and security remains a major concern for every Office 365 user. When users are migrated to Office 365, or created directly in the Office 365 cloud, they are prompted to sign in repeatedly whenever they open the desktop applications, which breaks Single Sign-On (SSO). Unless the user caches the credentials, the prompt appears every time. This post explains what Modern Authentication is and how to enable it on Office 365.
What is Modern Authentication?
Modern Authentication brings Active Directory Authentication Library (ADAL)-based sign-in to the Office client apps across Office 365. It enables sign-in features such as Multi-Factor Authentication (MFA), SAML-based third-party identity providers with the Office client applications, and smart card and certificate-based authentication, and it removes the need for Outlook and Skype for Business to use the basic authentication protocol. The chart below shows the availability of Modern Authentication across the Office apps:
| Office client application | Windows | Mac OS X | Windows Phone | iOS | Android |
|---|---|---|---|---|---|
| Office clients | Available now for Office 2013 and Office 2016. | Office 2016 Mac Preview supports ADAL including Word, Excel, PowerPoint and OneNote. OneNote was released with ADAL in 2014. | Available now. | Word, Excel and PowerPoint are available now. | For Android phones: Word, Excel and PowerPoint are available now. For Android tablets: Word, Excel and PowerPoint are coming soon. |
| Skype for Business (formerly Lync) | Included in Office client. | In Preview. | Coming soon. | Available now*. | Available now*. |
| Outlook | Included in Office client. | Available now. | Coming soon. | Available now. | Available now. |
| OneDrive for Business | Included in Office client. | OneDrive for Business Sync is TBD. | Available now for Windows Phone 8.1. | OneDrive for Business is available now. | OneDrive for Business is available now. |
| Legacy clients | There are no plans for Office 2010 or Office 2007 to support ADAL-based authentication. | There are no plans for Office for Mac 2011 to support ADAL-based authentication. | There are no plans for Office on Windows Phone 7 to support ADAL-based authentication. | There are no plans to enable older Outlook iOS clients. | There are no plans to enable older Outlook Android clients. |
By default, your Exchange Online and Skype for Business Online tenants are not enabled for Modern Authentication; you must enable it manually via PowerShell. Modern Authentication support is also not enabled in Office 2013 by default, so make sure the March 2015 update is installed before enabling it in your tenant. All versions of Office 2016, however, have Modern Authentication support enabled by default and require no further action once it is enabled on the Exchange Online and Skype for Business Online tenants.
Benefits
The first benefit is that new and existing users no longer need to enter credentials into Office to connect to Office 365. Modern Authentication uses OAuth 2.0 to authenticate to AD FS (once AD FS has been added to the trusted Local intranet sites zone) on the client's behalf and signs the user on automatically (SSO).
This is great for those of you running non-persistent VDI deployments with RDS, Citrix, or VMware: you can now deploy volume-licensed copies of Office 2013/2016 or Click-to-Run copies of Office 365 to your VMs and let mail profiles be set up without users having to enter any credentials.
Another benefit applies to iOS and Android devices: corporate-enrolled devices can have clients such as Skype for Business and Outlook deployed to them and configured for SSO, SAML, and MFA via Modern Authentication as well.
This is also big news for those planning to migrate to Office 365 in the future, as mailboxes can now be migrated seamlessly, without having to warn end users that they may have to enter credentials once their migration is complete.
Limitations
Modern Authentication works only with the following client versions:
- Outlook 2013 or later (note that Outlook 2013 requires a registry key change)
- Outlook 2016 for Mac or later
- Outlook for iOS and Android
- Mail for iOS 11.3.1 or later
Enabling Modern Authentication for Exchange Online
To enable Modern Authentication for Exchange Online, run the following cmdlets:

```powershell
# Sign in with a tenant admin account and open a remote PowerShell session to Exchange Online
$Cred = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri https://outlook.office365.com/powershell-liveid/ `
    -Credential $Cred -Authentication Basic -AllowRedirection
Import-PSSession $Session
# Turn on the OAuth 2.0 client profile, i.e. Modern Authentication, for the whole tenant
Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
```
Enabling Modern Authentication for Skype for Business Online
To enable Modern Authentication for Skype for Business Online, run the following cmdlets:

```powershell
# Sign in with a tenant admin account and open a session to Skype for Business Online
# (-OverrideAdminDomain is the tenant's admin domain; the page uses pdhewaju.com.np)
$Cred = Get-Credential
$Session = New-CsOnlineSession -Credential $Cred -Verbose -OverrideAdminDomain pdhewaju.com.np
Import-PSSession $Session
# Allow ADAL-based (Modern Authentication) sign-in for Skype for Business clients
Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed
```
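Once both sessions are imported, the following added check (not part of the original post) reads the two tenant settings back and warns if either service is still on basic authentication only; `Test-ModernAuthEnabled` is a helper name chosen here.

```powershell
# Run in a session where both the Exchange Online and Skype for Business Online
# cmdlets have been imported (see the two blocks above).
function Test-ModernAuthEnabled {
    # Exchange Online: Modern Authentication is on when OAuth2ClientProfileEnabled is True
    $exo = (Get-OrganizationConfig).OAuth2ClientProfileEnabled
    # Skype for Business Online: ADAL clients are accepted when the override is 'Allowed'
    $sfb = (Get-CsOAuthConfiguration).ClientAdalAuthOverride
    [pscustomobject]@{
        ExchangeOnlineModernAuth = [bool]$exo
        SkypeOnlineModernAuth    = ($sfb -eq 'Allowed')
        SkypeOverrideValue       = $sfb
    }
}

$state = Test-ModernAuthEnabled
if (-not $state.ExchangeOnlineModernAuth) {
    Write-Warning 'Exchange Online: OAuth2ClientProfileEnabled is still False; Outlook will keep using basic auth prompts.'
}
if (-not $state.SkypeOnlineModernAuth) {
    Write-Warning "Skype for Business Online: ClientAdalAuthOverride is '$($state.SkypeOverrideValue)', not 'Allowed'."
}
$state
```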
Desktop configuration for Office 2013 application
Many organizations are still running Office desktop versions older than 2013. Modern Authentication is of no use to them, since those versions will not support ADAL-based sign-in. Users on Office 2016 or later do not need to do anything. Users on the Office 2013 desktop applications, however, must make the following changes in their registry:
| Key | Value | Type | Data |
|---|---|---|---|
| HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity | EnableADAL | REG_DWORD | 1 |
| HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity | Version | REG_DWORD | 1 |
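The registry change above can be applied and verified per user with the following added script (not part of the original post); it uses the key and values from the table, and the function names `Enable-Office2013ModernAuth` and `Test-Office2013ModernAuth` are chosen here.

```powershell
# Office 2013 is version 15.0; the switch lives under HKCU, so run this in the user's own session
# (for example via a logon script) rather than as a different admin account.
$IdentityKey = 'HKCU:\SOFTWARE\Microsoft\Office\15.0\Common\Identity'

function Enable-Office2013ModernAuth {
    # The Identity key may not exist yet on a profile that has never signed in to Office
    if (-not (Test-Path $IdentityKey)) {
        New-Item -Path $IdentityKey -Force | Out-Null
    }
    # Both values are REG_DWORD = 1, exactly as in the table
    Set-ItemProperty -Path $IdentityKey -Name 'EnableADAL' -Value 1 -Type DWord
    Set-ItemProperty -Path $IdentityKey -Name 'Version'    -Value 1 -Type DWord
}

function Test-Office2013ModernAuth {
    # Returns $true only when the key exists and both values are present and equal to 1
    if (-not (Test-Path $IdentityKey)) { return $false }
    $props = Get-ItemProperty -Path $IdentityKey
    return (($props.EnableADAL -eq 1) -and ($props.Version -eq 1))
}

Enable-Office2013ModernAuth
if (Test-Office2013ModernAuth) {
    'EnableADAL and Version are set; restart the Office 2013 apps to pick up ADAL sign-in.'
} else {
    Write-Warning 'Registry values were not written; check that the user can write to HKCU.'
}
```

Remember that the March 2015 Office 2013 update must already be installed, or the client will ignore these values.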
With the steps above, you can enable Modern Authentication in your organization and take advantage of MFA and the other OAuth-based sign-in features.