Microsoft is changing the way Outlook users connect to Exchange servers, moving away from traditional methods such as Windows authentication or storing a plain-text username and password, and moving toward the cloud.
Modern Authentication is a new feature that can benefit organizations that require true single sign-on within the Outlook client or real multifactor authentication. It integrates browser-based authentication into Outlook and other Office clients and allows the client to use Open Authorization-based authentication to Office 365.
Using browser-based authentication within the client has a number of immediate benefits.
- Active Directory Federation Services (AD FS) end users can achieve true single sign-on within Outlook on domain-joined computers.
- Admins can enable multifactor authentication (MFA), and Outlook can prompt end users for a second authentication factor.
- The password is never stored on the Windows PC.
Since Office 365 first became available, it hasn't been possible to avoid end users needing to enter their passwords when configuring Outlook with Exchange Online. Admittedly, this is a minor inconvenience as the password can be stored on the client. Never having to prompt end users for credentials will ease an email migration to Office 365.
Using Modern Authentication with MFA
By definition, MFA expects end users to provide more than one form of verification to prove who they are; this typically includes something they know and something they have. This will often be the password and either a phone, token or certificate.
Office 365 didn't let Outlook clients use true MFA; app passwords -- long passwords generated after end users log in with MFA -- were used instead. App passwords can be reused in a number of clients, so if end users wrote down the app password, anyone who obtained it could use it from a rich client such as Outlook or an ActiveSync device, with no second factor involved.
Modern Authentication finally allows the client to use proper MFA. The experience is similar to logging into Outlook Web App via a browser. For example, after an end user signs in, a second page prompts the user to confirm the login via the mobile app.
How does Modern Authentication work?
Modern Authentication uses the Active Directory Authentication Library (ADAL) within Office to authenticate and store access credentials. The OAuth (Open Authorization) protocol is core to ADAL; this is the same mechanism Facebook, Twitter and Google use for cross-site access without sharing passwords.
Two pieces of information are used -- a refresh token and an access token. The access token is short-lived and is only valid for approximately one hour; the refresh token has a longer life, 14 days by default. The refresh token is used to request new access tokens, and the access token is what the client presents to Office 365.
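To make the two-token model concrete, the following is an added example (not code from the article, ADAL or Office) that simulates the lifecycle the paragraph describes: a constructed stand-in for the token endpoint issues a 14-day refresh token and one-hour access tokens, and an Outlook-like client keeps only the tokens, renews the access token silently while the refresh token is valid, and raises an error that should trigger a fresh interactive (MFA) sign-in once the refresh token has expired. The `ToyAuthority` and `OutlookLikeClient` classes, the clock values and the user name are all constructed for illustration and are not the real protocol or its endpoints.

```python
"""Simulated OAuth-style two-token lifecycle: short-lived access token, longer-lived refresh token."""
from dataclasses import dataclass
import secrets

ACCESS_TOKEN_TTL = 60 * 60             # about one hour, per the article
REFRESH_TOKEN_TTL = 14 * 24 * 60 * 60  # 14 days by default, per the article


class InteractiveSignInRequired(Exception):
    """The refresh token is missing, unknown or expired; the user must sign in (with MFA) again."""


@dataclass
class Token:
    value: str
    expires_at: int  # seconds on a constructed clock

    def valid_at(self, now: int) -> bool:
        return now < self.expires_at


class ToyAuthority:
    """Constructed stand-in for the Azure AD / AD FS token endpoint (hypothetical, not the real service)."""

    def __init__(self) -> None:
        self._refresh_tokens: dict[str, tuple[str, int]] = {}  # refresh token -> (user, expiry)

    def interactive_sign_in(self, user: str, mfa_ok: bool, now: int) -> tuple[Token, Token]:
        """Password plus second factor happen here; only tokens leave this call."""
        if not mfa_ok:
            raise PermissionError("second factor rejected")
        refresh = Token(secrets.token_urlsafe(16), now + REFRESH_TOKEN_TTL)
        self._refresh_tokens[refresh.value] = (user, refresh.expires_at)
        return refresh, self._issue_access(user, now)

    def redeem_refresh_token(self, refresh: Token, now: int) -> Token:
        """Server-side check: the refresh token must be known and unexpired."""
        record = self._refresh_tokens.get(refresh.value)
        if record is None or now >= record[1]:
            raise InteractiveSignInRequired("refresh token unknown or expired")
        return self._issue_access(record[0], now)

    @staticmethod
    def _issue_access(user: str, now: int) -> Token:
        return Token(f"at-{user}-{secrets.token_hex(4)}", now + ACCESS_TOKEN_TTL)


class OutlookLikeClient:
    """Holds tokens only; the password is never retained after the interactive sign-in."""

    def __init__(self, authority: ToyAuthority) -> None:
        self.authority = authority
        self.refresh_token: Token | None = None
        self.access_token: Token | None = None
        self.interactive_sign_ins = 0

    def sign_in(self, user: str, mfa_ok: bool, now: int) -> None:
        self.refresh_token, self.access_token = self.authority.interactive_sign_in(user, mfa_ok, now)
        self.interactive_sign_ins += 1

    def get_access_token(self, now: int) -> str:
        """Return a usable access token, refreshing silently when possible."""
        if self.access_token is not None and self.access_token.valid_at(now):
            return self.access_token.value
        if self.refresh_token is None or not self.refresh_token.valid_at(now):
            raise InteractiveSignInRequired("no usable refresh token; prompt the user again")
        self.access_token = self.authority.redeem_refresh_token(self.refresh_token, now)
        return self.access_token.value


def walk_through() -> dict:
    """Drive the client through the cached, silently-refreshed and re-authentication cases."""
    client = OutlookLikeClient(ToyAuthority())
    t0 = 1_700_000_000  # constructed epoch value
    client.sign_in("alice", mfa_ok=True, now=t0)
    initial = client.access_token.value
    cached = client.get_access_token(t0 + 30 * 60)    # within the hour: same token
    refreshed = client.get_access_token(t0 + 90 * 60)  # after the hour: new token, no prompt
    try:
        client.get_access_token(t0 + 15 * 24 * 3600)   # refresh token expired: prompt needed
        needs_reauth = False
    except InteractiveSignInRequired:
        needs_reauth = True
    return {
        "initial": initial,
        "cached": cached,
        "refreshed": refreshed,
        "needs_reauth": needs_reauth,
        "interactive_sign_ins": client.interactive_sign_ins,
    }


if __name__ == "__main__":
    print(walk_through())
```

The point to take from the walk-through is where the credential prompt can and cannot appear: within the refresh token's lifetime the user is never asked for anything, and once it lapses the client has nothing stored that could re-authenticate on its own, so the user is sent back through the browser-based sign-in, second factor included.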
The client can either use the Office 365 Azure AD login pages, if you use DirSync Password Sync or pure Cloud IDs, or AD FS. Both allow the use of MFA, but only AD FS allows true single sign-on with the logged-on user's credentials.
It's possible to provide two different experiences in an AD FS environment. Internal, domain-joined end users benefit from AD single sign-on; external users prompted for MFA use the same configuration used to secure browser-based access to Office 365.
Figure 1 gives a good example of the login flow.
Enabling and disabling Modern Authentication
Admins must manually enable Modern Authentication. To do so, ensure you have the following software prerequisites:
- Office 2013 cumulative update for November 2014, which is automatically included with the latest Click-To-Run installer and Office 2016 Preview; and
- MS14-052: cumulative security update for Internet Explorer.
Make the following registry changes and restart the Outlook Client:
If you're using the Office 2016 preview, simply change the 15.0 in the path above to 16.0.
When launching Outlook from a domain-joined machine that uses AD FS for authentication to Office 365, end users shouldn't see a prompt; they should simply access Office 365 without further credential prompts.
From a non-domain-joined computer, a login should be presented once for Outlook and a second time for other Office apps (Figure 2).
There are some limitations to using Modern Authentication at this time. Office 365 tenants enabled for Modern Authentication can't be mixed with tenants that aren't enabled for it within a single Outlook profile. If you aren't sure whether both tenants are enabled, simply run the client feature and launch Outlook. Features such as Rights Management Services aren't available using Modern Authentication; the Office blog covers these limitations in more detail.
If you want to switch back to standard Office 365 authentication, you will need to change registry settings. The key changes to disable Modern Authentication are as follows:
Again, if you use the Office 2016 preview, simply change 15.0 to 16.0.
About the author:
Steve Goodman is an Exchange MVP and works as a technical architect for one of the U.K.'s leading Microsoft Gold partners. Goodman has worked extensively with Microsoft Exchange since version 5.5 and with Office 365 since its origins in Exchange Labs and Live@edu.