This is part two of a two part series on Modern Authentication and the Modern Authentication Protocol. Part one explained what Modern Authentication is and why organizations would or would not want to implement it. You can read part one here.
How the Modern Authentication Protocol Works
Once Modern Authentication is enabled, a user authenticates to one of the Office 365 services and is issued both an Access Token and a Refresh Token. The Access Token is short-lived, valid for about 1 hour, and is what the client presents to the Office 365 service to gain access. When the Access Token expires, the Office client presents the Refresh Token to Azure Active Directory and requests a new Access Token for the service. The Refresh Token is longer-lived: its default lifetime is 14 days, and with frequent use it can remain valid for up to 90 days, provided the user's password has not changed. Features such as Conditional Access Policies may force users to sign in again even though the Refresh Token is still valid.
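The Access Token described above is a bearer JWT whose payload carries the issue time (iat), expiry (exp) and the resource it is good for (aud). The PowerShell below is an added example, not code from the original post or from Microsoft: it decodes a token's payload and reports its lifetime. The token it runs against is constructed locally with a placeholder tenant id, user and a dummy signature so that the script runs offline; in practice you would paste a real token. Decoding is not validation: the script never checks the signature, and neither does the Office client, only the resource does.

```powershell
# Added example (not from the original post): inspect an Azure AD access token's
# lifetime. The token below is CONSTRUCTED locally with a dummy signature so the
# script runs offline. Requires .NET 4.6+ / PowerShell 5.1 for FromUnixTimeSeconds.

function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Text)
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) {          # restore the padding that base64url strips
        2 { $s += '==' }
        3 { $s += '=' }
    }
    [Convert]::FromBase64String($s)
}

function ConvertTo-Base64Url {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function Get-JwtClaims {
    # Decodes the payload only. It does NOT validate the signature: the resource
    # (Exchange Online etc.) validates the token, the client merely carries it.
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a JWS compact-serialised token' }
    [Text.Encoding]::UTF8.GetString((ConvertFrom-Base64Url $parts[1])) | ConvertFrom-Json
}

function Get-TokenLifetime {
    param([Parameter(Mandatory)][string]$Token)
    $c   = Get-JwtClaims $Token
    $iat = [DateTimeOffset]::FromUnixTimeSeconds($c.iat)
    $exp = [DateTimeOffset]::FromUnixTimeSeconds($c.exp)
    [pscustomobject]@{
        Audience         = $c.aud
        IssuedAt         = $iat.UtcDateTime
        ExpiresAt        = $exp.UtcDateTime
        LifetimeMinutes  = [int]($exp - $iat).TotalMinutes
        RemainingMinutes = [int]($exp - [DateTimeOffset]::UtcNow).TotalMinutes
        Expired          = [DateTimeOffset]::UtcNow -ge $exp
    }
}

# --- constructed sample token: a 1-hour access token for Exchange Online ---
$now     = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
$header  = '{"typ":"JWT","alg":"RS256"}'
$payload = @{
    aud = 'https://outlook.office365.com'                                  # resource the token is for
    iss = 'https://sts.windows.net/00000000-0000-0000-0000-000000000000/'  # placeholder tenant id
    iat = $now
    nbf = $now
    exp = $now + 3600                                                      # ~1 hour, as described above
    upn = 'alice@contoso.example'                                          # placeholder user
} | ConvertTo-Json -Compress
$sampleToken = '{0}.{1}.{2}' -f (ConvertTo-Base64Url ([Text.Encoding]::UTF8.GetBytes($header))),
                               (ConvertTo-Base64Url ([Text.Encoding]::UTF8.GetBytes($payload))),
                               'ZHVtbXktc2lnbmF0dXJl'                      # dummy signature, never trusted

Get-TokenLifetime -Token $sampleToken | Format-List
```

Run against a real token, LifetimeMinutes is what tells you whether the 1-hour figure above holds for your tenant. The Refresh Token is opaque to the client and cannot be decoded the same way; its 14/90-day lifetime is enforced by Azure AD at the token endpoint.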
How to use Modern Authentication
Client supportability
Modern Authentication is automatically on for Office 2016 client apps.
To enable modern authentication on Windows devices (for example laptops and tablets) that have Microsoft Office 2013 installed, you need to set the following registry values. They have to be set on each device that you want to enable for modern authentication:

| Registry key | Type | Value |
|---|---|---|
| HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity\EnableADAL | REG_DWORD | 1 |
| HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity\Version | REG_DWORD | 1 |

These can be set manually or through a Group Policy object.
Office 2013 must be build 15.0.4605.1003 or higher (March 2015 PU).
Other Operating Systems
Modern authentication uses the OAuth 2.0 standards and is supported on multiple platforms, including OS X, iOS, Android, and Windows.
Client supportability matrix: https://blogs.office.com/2015/11/19/updated-office-365-modern-authentication-public-preview/
Must be using MAPI / HTTP
Validate that every client is using MAPI over HTTP, as this is a requirement for Modern Authentication.
The support article KB2937684 explains how to confirm that MAPI/HTTP is enabled for your Office 2013/2016 client.
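The Office 2013 prerequisites above (minimum build, the two registry values, MAPI/HTTP not disabled) can be applied and checked on a device in one pass. The script below is an added example, not code from the original post or from Microsoft. It assumes a 32-bit Office 2013 install on 64-bit Windows for the OUTLOOK.EXE path, and uses the MapiHttpDisabled value under HKCU\Software\Microsoft\Exchange that KB2937684 describes for turning MAPI/HTTP off. It must run in the user's context, since the values live under HKCU.

```powershell
# Added example (not from the original post): enable and verify the Modern
# Authentication prerequisites for an Office 2013 client. Run as the user whose
# profile should be enabled. The Outlook path is an assumption; adjust for your build.

$IdentityKey = 'HKCU:\SOFTWARE\Microsoft\Office\15.0\Common\Identity'
$ExchangeKey = 'HKCU:\SOFTWARE\Microsoft\Exchange'          # MapiHttpDisabled lives here (KB2937684)
$MinBuild    = [version]'15.0.4605.1003'                     # March 2015 PU, per the note above

function Test-Office2013Build {
    param([string]$OutlookPath = "${env:ProgramFiles(x86)}\Microsoft Office\Office15\OUTLOOK.EXE")
    if (-not (Test-Path $OutlookPath)) { Write-Warning "Outlook not found at $OutlookPath"; return $false }
    $build = [version](Get-Item $OutlookPath).VersionInfo.ProductVersion
    Write-Verbose "Outlook build $build (minimum $MinBuild)"
    return $build -ge $MinBuild
}

function Enable-Office2013ModernAuth {
    if (-not (Test-Path $IdentityKey)) { New-Item -Path $IdentityKey -Force | Out-Null }
    # -Force overwrites an existing value, so this is safe to re-run
    New-ItemProperty -Path $IdentityKey -Name EnableADAL -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $IdentityKey -Name Version    -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-Office2013ModernAuth {
    # Ready only when both values are present and 1, and MAPI/HTTP has not been
    # disabled. EnableADAL = 0 is not the same as "unset": per the client tables
    # below it forces the client back to basic authentication, so report it.
    $id = Get-ItemProperty -Path $IdentityKey -ErrorAction SilentlyContinue
    $ex = Get-ItemProperty -Path $ExchangeKey -ErrorAction SilentlyContinue
    $adalOn   = ($null -ne $id) -and ($id.EnableADAL -eq 1) -and ($id.Version -eq 1)
    $mapiHttp = ($null -eq $ex) -or ($ex.MapiHttpDisabled -ne 1)   # absent value = MAPI/HTTP allowed
    [pscustomobject]@{
        EnableADAL       = $id.EnableADAL
        Version          = $id.Version
        MapiHttpDisabled = $ex.MapiHttpDisabled
        ModernAuthReady  = $adalOn -and $mapiHttp
    }
}

if (Test-Office2013Build) {
    Enable-Office2013ModernAuth
    Test-Office2013ModernAuth
} else {
    Write-Warning "Office 2013 build is below $MinBuild; patch before enabling Modern Authentication"
}
```

For a fleet, deliver the two values as a Group Policy registry preference and keep only the Test-Office2013ModernAuth part as a compliance check; a device reporting EnableADAL = 0 is the one to chase, because it silently downgrades that user to basic authentication.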
Office 365 services
For Exchange Online, modern authentication is off by default. To enable it:
- Connect to Exchange Online PowerShell as shown here.
- Run the following command in Exchange Online PowerShell:
Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
- To verify that the change was successful, run the following command in Exchange Online PowerShell:
Get-OrganizationConfig | Format-Table -Auto Name,OAuth*
For SharePoint Online, modern authentication is on by default; no action is needed.
For Skype for Business Online, modern authentication is off by default. To enable it:
- Connect to Skype for Business Online using remote PowerShell: https://aka.ms/SkypePowerShell
- Run the following command:
Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed
- Verify that the change was successful by running the following:
Get-CsOAuthConfiguration
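The Exchange Online and Skype for Business Online steps above can be wrapped into one idempotent function that reads the current setting, changes it only when needed, and re-reads it afterwards for verification. This is an added example, not code from the original post or from Microsoft; it assumes you have already connected to both remote PowerShell endpoints as described above, and it supports -WhatIf so you can see what would change before touching the tenant.

```powershell
# Added example (not from the original post): turn on Modern Authentication for
# Exchange Online and Skype for Business Online and read the settings back.
# Assumes Exchange Online and Skype for Business Online remote sessions are imported.

function Enable-TenantModernAuth {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # --- Exchange Online: OAuth2ClientProfileEnabled ---
    $exo = Get-OrganizationConfig
    if ($exo.OAuth2ClientProfileEnabled) {
        Write-Host "Exchange Online: modern authentication already enabled"
    } elseif ($PSCmdlet.ShouldProcess($exo.Name, 'Set-OrganizationConfig -OAuth2ClientProfileEnabled $true')) {
        Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
    }

    # --- Skype for Business Online: ClientAdalAuthOverride ---
    $sfb = Get-CsOAuthConfiguration
    if ($sfb.ClientAdalAuthOverride -eq 'Allowed') {
        Write-Host "Skype for Business Online: modern authentication already enabled"
    } elseif ($PSCmdlet.ShouldProcess('Skype for Business Online', 'Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed')) {
        Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed
    }

    # Re-read both settings rather than trusting the Set-* calls, as the
    # verification steps above do.
    [pscustomobject]@{
        ExchangeOnline_OAuth2ClientProfileEnabled = (Get-OrganizationConfig).OAuth2ClientProfileEnabled
        SkypeOnline_ClientAdalAuthOverride        = (Get-CsOAuthConfiguration).ClientAdalAuthOverride
    }
}

# Dry run first, then apply and verify
Enable-TenantModernAuth -WhatIf
Enable-TenantModernAuth
```

Keep the output of the final call with your change record: the two values it returns are exactly what the client tables below key on when they say "modern authentication turned on/off for the tenant".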
How Modern Authentication Works for Office 2016 / 2013
Office 2016 clients support modern authentication by default, and no action is needed for the client to use these new flows. However, explicit action is needed to use legacy authentication.
Office 2013 client apps support legacy authentication by default. Legacy means that they support either Microsoft Online Sign-in Assistant or basic authentication. For these clients to use modern authentication features, the Windows client must have registry keys set. (See notes above)
Exchange Online
| Office client app version | Registry key present? | Modern authentication on? | Behavior with modern authentication turned on for the tenant | Behavior with modern authentication turned off for the tenant (default) |
|---|---|---|---|---|
| Office 2016 | No, or EnableADAL = 1 | Yes | Modern authentication is attempted first; if the server refuses it (the tenant is not enabled), basic authentication is used. | Modern authentication is attempted first; if the server refuses it (the tenant is not enabled), basic authentication is used. |
| Office 2016 | Yes, EnableADAL = 0 | No | Basic authentication | Basic authentication |
| Office 2013 | No | No | Basic authentication | Basic authentication |
| Office 2013 | Yes, EnableADAL = 1 | Yes | Modern authentication is attempted first; if the server refuses it (the tenant is not enabled), basic authentication is used. | Modern authentication is attempted first; if the server refuses it (the tenant is not enabled), basic authentication is used. |
SharePoint Online
| Office client app version | Registry key present? | Modern authentication on? | Behavior with modern authentication turned on for the tenant (default) | Behavior with modern authentication turned off for the tenant |
|---|---|---|---|---|
| Office 2016 | No, or EnableADAL = 1 | Yes | Modern authentication only. | Failure to connect. |
| Office 2016 | Yes, EnableADAL = 0 | No | Microsoft Online Sign-in Assistant only. | Microsoft Online Sign-in Assistant only. |
| Office 2013 | No | No | Microsoft Online Sign-in Assistant only. | Microsoft Online Sign-in Assistant only. |
| Office 2013 | Yes, EnableADAL = 1 | Yes | Modern authentication only. | Failure to connect. |
Skype for Business Online
| Office client app version | Registry key present? | Modern authentication on? | Behavior with modern authentication turned on for the tenant | Behavior with modern authentication turned off for the tenant (default) |
|---|---|---|---|---|
| Office 2016 | No, or EnableADAL = 1 | Yes | Modern authentication is attempted first; if the server refuses it (the Skype for Business Online tenant is not enabled), Microsoft Online Sign-in Assistant is used. | Modern authentication is attempted first; if the server refuses it (the Skype for Business Online tenant is not enabled), Microsoft Online Sign-in Assistant is used. |
| Office 2016 | Yes, EnableADAL = 0 | No | Microsoft Online Sign-in Assistant only. | Microsoft Online Sign-in Assistant only. |
| Office 2013 | No | No | Microsoft Online Sign-in Assistant only. | Microsoft Online Sign-in Assistant only. |
| Office 2013 | Yes, EnableADAL = 1 | Yes | Modern authentication is attempted first; if the server refuses it (the Skype for Business Online tenant is not enabled), Microsoft Online Sign-in Assistant is used. | Microsoft Online Sign-in Assistant only. |
Additional Notes
ADFS
With modern authentication, all clients will use Passive Flows (WS-Federation), and will appear to be browser traffic to AD FS.
ADFS client access filtering policies
Once Modern Authentication has been enabled, review any client access filtering policies against the following table:

| # | Current client access filtering policy | After enabling modern authentication | Action needed |
|---|---|---|---|
| 1 | Block all external access to Office 365 | Continue to rely on existing AD FS policies (client traffic now comes in on the WS-Federation endpoint). | None |
| 2 | Block all external access to Office 365 except Exchange ActiveSync | Continue to rely on existing AD FS policies (client traffic now comes in on the WS-Federation endpoint). | None |
| 3 | Block all external access to Office 365 except browser-based apps | Implement conditional policies in Office 365/Azure AD to block "Rich Client" traffic (allow on AD FS). | This scenario is not yet supported for public preview; organizations that rely on it should not onboard their tenants for modern authentication. |
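Scenario 3 breaks because the AD FS rules that implement it tell rich clients apart from browsers by the endpoint they hit or the client application claim, and after Modern Authentication every client arrives on the WS-Federation (/adfs/ls/) endpoint as described above. The script below is an added example, not code from the original post or from Microsoft: it scans the Office 365 relying-party trust's issuance authorization rules for conditions that depend on those claims and flags them for review. The rule text it runs against is a constructed sample in the shape of the usual "block external except browser" deny rule; with -Live it reads the real rules from Get-AdfsRelyingPartyTrust instead, assuming the default relying-party name "Microsoft Office 365 Identity Platform".

```powershell
# Added example (not from the original post): audit Office 365 AD FS issuance
# authorization rules for conditions that no longer distinguish rich clients
# once Modern Authentication sends every client through /adfs/ls/.
# The sample rule set below is CONSTRUCTED; -Live reads the real one.

function Get-ClaimRules {
    # Splits a rule set string into individual rules (each rule ends in ';').
    param([Parameter(Mandatory)][string]$RuleSet)
    $RuleSet -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
}

function Find-ModernAuthSensitiveRules {
    param(
        [string]$RuleSet,
        [switch]$Live,
        [string]$RelyingPartyName = 'Microsoft Office 365 Identity Platform'   # assumed default RP name
    )
    if ($Live) {
        $RuleSet = (Get-AdfsRelyingPartyTrust -Name $RelyingPartyName).IssuanceAuthorizationRules
    }
    # Request-context claims that used to separate rich clients (active
    # endpoints) from browsers (passive /adfs/ls/). After modern authentication
    # rich clients look like browsers on exactly these claims.
    $sensitive = @(
        'requestcontext/claims/x-ms-endpoint-absolute-path',
        'requestcontext/claims/x-ms-client-application'
    )
    $i = 0
    foreach ($rule in Get-ClaimRules $RuleSet) {
        $i++
        $hits = $sensitive | Where-Object { $rule -match [regex]::Escape($_) }
        [pscustomobject]@{
            Rule        = $i
            DenyRule    = $rule -match 'authorization/claims/deny'
            DependsOn   = ($hits -replace '^requestcontext/claims/', '') -join ','
            NeedsReview = [bool]$hits
            Text        = $rule
        }
    }
}

# Constructed sample: permit everyone, then deny external traffic that is not
# on the passive endpoint, i.e. "block external access except browser-based apps".
$sampleRules = @'
@RuleName = "Permit all"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
@RuleName = "Block external rich clients"
exists([Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value == "/adfs/ls/"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
'@

Find-ModernAuthSensitiveRules -RuleSet $sampleRules | Format-Table Rule, DenyRule, DependsOn, NeedsReview
```

The second sample rule is flagged with DependsOn = x-ms-endpoint-absolute-path. Nothing in AD FS breaks when modern authentication is turned on; the failure is silent: an external Outlook client now presents on /adfs/ls/, the deny rule no longer matches it, and the "browser only" policy has quietly become "everyone". That is why the table above moves this control into Azure AD conditional policies rather than into another AD FS rule.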
If you missed part one of our two-part series, make sure you check it out here. If you’re wondering how Modern Authentication might impact your users or apply in your environment, give us a call at 630.832.0075 or send an email to info@peters.com. We’d be happy to help.