This is part two of a two-part series on Modern Authentication and the Modern Authentication Protocol. Part one explained what Modern Authentication is and why organizations would or would not want to implement it. You can read part one here.

How the Modern Authentication Protocol Works

Once Modern Authentication is enabled, a user authenticates with one of the Office 365 services and is issued both an Access Token and a Refresh Token. The Access Token is short-lived, valid for about 1 hour. The Refresh Token is longer-lived and can be valid for up to 90 days in some cases, namely when the token is used frequently and the user's password has not changed in that time. The Access Token is what is presented to gain access to the Office 365 services; when it expires, the Office client presents the Refresh Token to Azure Active Directory and requests a new Access Token to use with the service. The default lifetime for a Refresh Token is 14 days. Features such as Conditional Access Policies may force users to sign in again even though the Refresh Token is still valid.
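To see the one-hour Access Token lifetime described above for yourself, the following added example (not code from the original article) decodes the issued-at and expiry claims of an Azure AD access token, which is a JWT. The token it inspects is constructed locally with a placeholder signature, so nothing contacts Azure AD; the audience URI, claim names and helper function names are assumptions for the sake of the example.

```powershell
# Added example, not from the original article: read the iat/exp claims of an
# Azure AD access token (a JWT) to check its lifetime. Nothing here contacts Azure AD.
function ConvertTo-Base64Url([string]$Text) {
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function ConvertFrom-Base64Url([string]$Text) {
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }   # restore stripped padding
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function Get-AccessTokenLifetime {
    # Reads claims only; it does NOT validate the signature. The resource (Exchange
    # Online, SharePoint Online, ...) is what verifies the token. Use this for inspection.
    param([Parameter(Mandatory)][string]$Jwt)
    $parts = $Jwt.Split('.')
    if ($parts.Count -ne 3) { throw 'Expected a compact JWT: header.payload.signature' }
    $claims  = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
    $issued  = [DateTimeOffset]::FromUnixTimeSeconds($claims.iat).UtcDateTime
    $expires = [DateTimeOffset]::FromUnixTimeSeconds($claims.exp).UtcDateTime
    [pscustomobject]@{
        Audience         = $claims.aud
        IssuedAtUtc      = $issued
        ExpiresUtc       = $expires
        LifetimeMinutes  = [math]::Round(($expires - $issued).TotalMinutes, 1)
        RemainingMinutes = [math]::Round(($expires - [DateTime]::UtcNow).TotalMinutes, 1)
        Expired          = [DateTime]::UtcNow -ge $expires
    }
}

# Constructed sample: a one-hour token for Exchange Online issued "now". A real token
# carries many more claims and a genuine RS256 signature; the signature here is a placeholder.
$now     = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
$header  = ConvertTo-Base64Url '{"alg":"RS256","typ":"JWT"}'
$payload = ConvertTo-Base64Url ('{{"aud":"https://outlook.office365.com","iat":{0},"exp":{1}}}' -f $now, ($now + 3600))
$sampleToken = $header, $payload, 'placeholder-signature' -join '.'

Get-AccessTokenLifetime -Jwt $sampleToken   # LifetimeMinutes is 60 for the constructed token
```

Point the function at a real token captured from your own Office client and the LifetimeMinutes column shows the lifetime Azure AD actually issued; a Refresh Token is opaque to the client and cannot be inspected this way.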

How to use Modern Authentication

Client supportability

Modern Authentication is automatically on for Office 2016 client apps.

To enable modern authentication for any devices running Windows (for example on laptops and tablets) that have Microsoft Office 2013 installed, you need to set the following registry keys. The keys have to be set on each device that you want to enable for modern authentication:

| Registry key | Type | Value |
|---|---|---|
| HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity\EnableADAL | REG_DWORD | 1 |
| HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity\Version | REG_DWORD | 1 |

These can be changed manually or through a Group Policy object.

Office 2013 must be build 15.0.4605.1003 or higher (the March 2015 public update).
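The following added example (not from the original article) sets the two registry values above for the current user and then confirms both that they are present and that the installed Outlook build meets the 15.0.4605.1003 minimum. The Outlook install path and the function names are assumptions; adjust the path for a 32-bit Office on 64-bit Windows.

```powershell
# Added example, not from the original article: enable ADAL (modern authentication)
# for Office 2013 in HKCU and verify the prerequisites the article lists.
$identityKey  = 'HKCU:\SOFTWARE\Microsoft\Office\15.0\Common\Identity'
$minimumBuild = [version]'15.0.4605.1003'   # March 2015 PU, per the article

function Enable-Office2013ModernAuth {
    # Create the Identity key if it does not exist yet, then set both DWORD values.
    if (-not (Test-Path $identityKey)) { New-Item -Path $identityKey -Force | Out-Null }
    New-ItemProperty -Path $identityKey -Name 'EnableADAL' -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $identityKey -Name 'Version'    -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-Office2013ModernAuth {
    # Assumed default path for 64-bit Office 2013; use ${env:ProgramFiles(x86)} for 32-bit Office.
    param([string]$OutlookPath = "$env:ProgramFiles\Microsoft Office\Office15\OUTLOOK.EXE")

    $values = Get-ItemProperty -Path $identityKey -ErrorAction SilentlyContinue
    $keysOk = ($values.EnableADAL -eq 1) -and ($values.Version -eq 1)

    # Read the client build from the executable's version resource.
    $build = $null
    if (Test-Path $OutlookPath) {
        $build = [version](Get-Item $OutlookPath).VersionInfo.ProductVersion
    }

    [pscustomobject]@{
        RegistryKeysSet = $keysOk
        OutlookBuild    = $build
        BuildSupported  = ($null -ne $build) -and ($build -ge $minimumBuild)
    }
}

Enable-Office2013ModernAuth
Test-Office2013ModernAuth
```

Because the values live under HKCU they apply only to the user running the script; for every user on every device, deliver the same two values through a Group Policy preference instead.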

Other Operating Systems

Modern authentication uses OAuth 2.0 standards and is supported on multiple platforms, including OSX, iOS, Android, and Windows.

Client supportability matrix: https://blogs.office.com/2015/11/19/updated-office-365-modern-authentication-public-preview/

Must be using MAPI / HTTP

We need to validate that every client is using MAPI over HTTP as this is a requirement for Modern Authentication.

The support article KB2937684 gives more detail on ensuring MAPI over HTTP is enabled for your Office 2013/2016 client.

Office 365 services

Modern Authentication for Exchange Online is off by default.

  1. Connect to Exchange Online PowerShell as shown here.
  2. Run the following command in Exchange Online PowerShell:

Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

  3. To verify that the change was successful, run the following command in Exchange Online PowerShell (OAuth2ClientProfileEnabled should now read True):

Get-OrganizationConfig | Format-Table -Auto Name,OAuth*

Modern Authentication for SharePoint Online is on by default.

Modern Authentication for Skype for Business Online is off by default.

  1. Connect to Skype for Business Online using remote PowerShell: https://aka.ms/SkypePowerShell
  2. Run the following command:

Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed

  3. Verify that the change was successful by running the following (ClientAdalAuthOverride should now show Allowed):

Get-CsOAuthConfiguration
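The Exchange Online and Skype for Business Online steps above share one pattern: read the current setting, change it only if needed, and read it back. This added example (not from the original article) wraps both in a single function that supports -WhatIf so the change can be previewed; it assumes you have already connected both remote PowerShell sessions as described above, and the function name is an assumption.

```powershell
# Added example, not from the original article: enable and verify modern authentication
# for Exchange Online and Skype for Business Online. Assumes both remote sessions are
# already connected, so Get-/Set-OrganizationConfig and Get-/Set-CsOAuthConfiguration resolve.
function Enable-TenantModernAuth {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # Exchange Online: off by default; OAuth2ClientProfileEnabled turns it on.
    $exo = Get-OrganizationConfig
    if (-not $exo.OAuth2ClientProfileEnabled) {
        if ($PSCmdlet.ShouldProcess('Exchange Online', 'Set OAuth2ClientProfileEnabled to $true')) {
            Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
        }
    }

    # Skype for Business Online: off by default; ClientAdalAuthOverride = Allowed turns it on.
    $sfb = Get-CsOAuthConfiguration
    if ($sfb.ClientAdalAuthOverride -ne 'Allowed') {
        if ($PSCmdlet.ShouldProcess('Skype for Business Online', 'Set ClientAdalAuthOverride to Allowed')) {
            Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed
        }
    }

    # Re-read both settings so the result reflects what the tenant now reports,
    # not what the script intended to set.
    [pscustomobject]@{
        ExchangeOnlineModernAuth   = (Get-OrganizationConfig).OAuth2ClientProfileEnabled
        SkypeForBusinessModernAuth = (Get-CsOAuthConfiguration).ClientAdalAuthOverride
    }
}

Enable-TenantModernAuth -WhatIf   # preview: shows which of the two settings would change
Enable-TenantModernAuth           # apply, then report the re-read values
```

SharePoint Online needs no step here because, as noted above, it is on by default.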

How Modern Authentication Works for Office 2016 / 2013

Office 2016 clients support modern authentication by default, and no action is needed for the client to use these new flows. However, explicit action is needed to use legacy authentication.

Office 2013 client apps support legacy authentication by default. Legacy means that they support either Microsoft Online Sign-in Assistant or basic authentication. For these clients to use modern authentication features, the Windows client must have the registry keys set (see the Client supportability section above).

Exchange Online

| Office client app version | Registry key present? | Modern authentication on? | Authentication behavior with modern authentication turned on for the tenant | Authentication behavior with modern authentication turned off for the tenant (default) |
|---|---|---|---|---|
| Office 2016 | No, or EnableADAL = 1 | Yes | Modern authentication is attempted first. If the server refuses a modern authentication connection, then basic authentication is used. Server refuses modern authentication when the tenant is not enabled. | Modern authentication is attempted first. If the server refuses a modern authentication connection, then basic authentication is used. Server refuses modern authentication when the tenant is not enabled. |
| Office 2016 | Yes, EnableADAL = 1 | Yes | Modern authentication is attempted first. If the server refuses a modern authentication connection, then basic authentication is used. Server refuses modern authentication when the tenant is not enabled. | Modern authentication is attempted first. If the server refuses a modern authentication connection, then basic authentication is used. Server refuses modern authentication when the tenant is not enabled. |
| Office 2016 | Yes, EnableADAL = 0 | No | Basic authentication | Basic authentication |
| Office 2013 | No | No | Basic authentication | Basic authentication |
| Office 2013 | Yes, EnableADAL = 1 | Yes | Modern authentication is attempted first. If the server refuses a modern authentication connection, then basic authentication is used. Server refuses modern authentication when the tenant is not enabled. | Modern authentication is attempted first. If the server refuses a modern authentication connection, then basic authentication is used. Server refuses modern authentication when the tenant is not enabled. |

Source: https://support.office.com/en-us/article/How-modern-authentication-works-for-Office-2013-and-Office-2016-client-apps-e4c45989-4b1a-462e-a81b-2a13191cf517#bk_echangeonline

SharePoint Online

| Office client app version | Registry key present? | Modern authentication on? | Authentication behavior with modern authentication turned on for the tenant (default) | Authentication behavior with modern authentication turned off for the tenant |
|---|---|---|---|---|
| Office 2016 | No, or EnableADAL = 1 | Yes | Modern authentication only. | Failure to connect. |
| Office 2016 | Yes, EnableADAL = 1 | Yes | Modern authentication only. | Failure to connect. |
| Office 2016 | Yes, EnableADAL = 0 | No | Microsoft Online Sign-in Assistant only. | Microsoft Online Sign-in Assistant only. |
| Office 2013 | No | No | Microsoft Online Sign-in Assistant only. | Microsoft Online Sign-in Assistant only. |
| Office 2013 | Yes, EnableADAL = 1 | Yes | Modern authentication only. | Failure to connect. |

Source: https://support.office.com/en-us/article/How-modern-authentication-works-for-Office-2013-and-Office-2016-client-apps-e4c45989-4b1a-462e-a81b-2a13191cf517#bk_sharepointonline

Skype for Business Online

| Office client app version | Registry key present? | Modern authentication on? | Authentication behavior with modern authentication turned on for the tenant | Authentication behavior with modern authentication turned off for the tenant (default) |
|---|---|---|---|---|
| Office 2016 | No, or EnableADAL = 1 | Yes | Modern authentication is attempted first. If the server refuses a modern authentication connection, then Microsoft Online Sign-in Assistant is used. Server refuses modern authentication when Skype for Business Online tenants are not enabled. | Modern authentication is attempted first. If the server refuses a modern authentication connection, then Microsoft Online Sign-in Assistant is used. Server refuses modern authentication when Skype for Business Online tenants are not enabled. |
| Office 2016 | Yes, EnableADAL = 1 | Yes | Modern authentication is attempted first. If the server refuses a modern authentication connection, then Microsoft Online Sign-in Assistant is used. Server refuses modern authentication when Skype for Business Online tenants are not enabled. | Modern authentication is attempted first. If the server refuses a modern authentication connection, then Microsoft Online Sign-in Assistant is used. Server refuses modern authentication when Skype for Business Online tenants are not enabled. |
| Office 2016 | Yes, EnableADAL = 0 | No | Microsoft Online Sign-in Assistant only. | Microsoft Online Sign-in Assistant only. |
| Office 2013 | No | No | Microsoft Online Sign-in Assistant only. | Microsoft Online Sign-in Assistant only. |
| Office 2013 | Yes, EnableADAL = 1 | Yes | Modern authentication is attempted first. If the server refuses a modern authentication connection, then Microsoft Online Sign-in Assistant is used. Server refuses modern authentication when Skype for Business Online tenants are not enabled. | Microsoft Online Sign-in Assistant only. |

Source: https://support.office.com/en-us/article/How-modern-authentication-works-for-Office-2013-and-Office-2016-client-apps-e4c45989-4b1a-462e-a81b-2a13191cf517#bk_sfbo

Additional Notes

ADFS

With modern authentication, all clients use passive flows (WS-Federation) and their sign-ins appear to AD FS as browser traffic.

ADFS client access filtering policies

Once Modern Authentication has been enabled, any client access filtering policies will need to be changed as follows:

| | Current client access filtering policy | After enabling modern authentication | Action needed |
|---|---|---|---|
| 1 | Block all external access to Office 365 | Continue to rely on existing ADFS policies (client traffic now comes in on the WS-Federation endpoint) | None |
| 2 | Block all external access to Office 365 except Exchange ActiveSync | Continue to rely on existing ADFS policies (client traffic now comes in on the WS-Federation endpoint) | None |
| 3 | Block all external access to Office 365 except browser-based apps | Implement conditional policies in Office 365/Azure AD to block "Rich Client" traffic (allow on ADFS). | This scenario is not yet supported for public preview, and we recommend that organizations relying on it do not onboard their tenants for modern authentication. |

Source:  https://social.technet.microsoft.com/wiki/contents/articles/30253.office-2013-and-office-365-proplus-modern-authentication-and-client-access-filtering-policies-things-to-know-before-onboarding.aspx

If you missed part one of our two-part series, make sure you check it out here. If you’re wondering how Modern Authentication might impact your users or apply in your environment, give us a call at 630.832.0075 or send an email to info@peters.com. We’d be happy to help.