This is part one of a two part series. You can read part two here.
What is Modern Authentication?
Modern Authentication brings Active Directory Authentication Library (ADAL)-based sign-in to Office client apps across platforms. This enables sign-in features such as Multi-Factor Authentication (MFA), SAML-based third-party Identity Providers with Office client applications, smart card and certificate-based authentication, and it removes the need for Outlook to use the basic authentication protocol.
The Office client will behave exactly as a Web Browser when authenticating. It will send the Access Token requests directly to the authentication provider instead of sending username and password to the resource, and if you are enabled for MFA, you will get the exact same behavior you get when accessing OWA or SharePoint Online.
By enabling Modern Authentication (ADAL) for Office client applications, the Office application uses an in-application browser control to render the Azure AD sign-in experience in the same fashion as browser-based Office 365 clients like Outlook on the Web. ADAL-based OAuth authentication works for federated as well as non-federated scenarios.
With ADAL enabled in the Office client, we no longer rely on using basic authentication for the Outlook client, and because of this we also no longer need to store the credentials of the user on the client device. It also means that Exchange Online no longer needs to send the authentication credentials to Azure AD using proxy authentication (proxy auth), as we now use the WS-Fed passive profiles instead of the WS-Trust Active Profiles.
Why we need Modern Authentication
Office 365 Multi-Factor Authentication (MFA) enables you to configure an additional layer of security for the user sign-in process to ensure data protection and minimize the security risk. Users who are enabled for multi-factor authentication are required to configure the App Password to use Office desktop applications, including Outlook, Skype for Business, Word, Excel, PowerPoint and OneDrive for Business. An App Password is a 16-character randomly generated password that can be used with an Office client application as a way of increasing security in lieu of the second authentication factor. App passwords are randomly generated and it’s hard for end users to memorize these passwords. Modern Authentication in Office 365 helps desktop applications to user ADAL-based authentication and eliminates the need to memorize app passwords.
Why clients would want Modern Authentication
No entering credentials into Microsoft Office
The first benefit that is new and existing users will no longer need to enter credentials into Office 2013 / 2016 to connect to Office 365. This is true for both Password Hash and ADFS clients. Modern Authentication will use the OAuth 2.0 protocol to authenticate to ADFS (via the addition of ADFS into the trusted local intranet sites) on the client’s behalf, and will SSO the user.
Great for Citrix or Remote Desktop clients
For those clients who use non-persistent VDI deployments with RDS, Citrix, and VMware, they can now deploy Volume Licensed copies of Office 2013/2016 or Click-2-Run copies of Office 365 to their VMs and allow mail profile setups without users having to enter in any credentials.
SSO for corporate enrolled devices
Another benefit of Modern Authentication is that it is available for IOS and Android devices. This means that corporate enrolled devices can have clients such as Skype for Business and Outlook deployed to them, and can benefit from features such as Multifactor Authentication.
No credentials after migration
For those who are planning to migrate to Office 365 in the future, Modern Authentication will now allow you to migrate mailboxes seamlessly, without having to let the end-user know that they may have to enter in credentials once their migration is complete.
Modern Authentication now allows clients to use Multifactor Authentication with Office 2013 / 2016 clients without the need for App Passwords. (See note in next section regarding MFA limitations.)
Why not to use Modern Authentication
Credential Prompt every login
For clients who require that their users must enter credentials every time they sign into Outlook, this will not work.
Outlook Multifactor Authentication (MFA) every login
Some clients require that when users sign into Outlook they use a form of Multifactor Authentication each time, for example App Passwords. When Modern Authentication is enabled users will only get prompted for an MFA during the initial profile setup. They will also get prompted for an MFA once their refresh token expires, which could be as much as 90 days.
Third-party identity providers
Not all third-party identity providers are compatible with Modern Authentication. Currently, all providers listed here are qualified by Microsoft for Modern Authentication. https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-federation-compatibility
If you’d like to learn more about how Modern Authentication works, check out part two of this two-part blog series. If you’d like to learn how Modern Authentication might apply in your environment, give us a call at 630.832.0075 or email us at firstname.lastname@example.org.