Office 365 Modern Authentication: What it is and why you should be using it

October 29, 2016

Office 365. We know what it is. We’ve heard the name and you probably know someone that has migrated from their on-premises Exchange organization to it. And if your company is one of those who has migrated to Office 365, then you are probably aware of the one struggle that everyone who’s ever moved to 365 has had to deal with – saving credentials for Outlook.

Now for those who may be curious about moving to Office 365, you are probably wondering what I’m talking about. To catch you up to speed, when users connect to Office365 via Outlook, they cannot utilize ADFS to do a true Single Sign On (SSO) experience. Instead, Outlook uses the Outlook Anywhere function, and unfortunately, requires the use of Basic Authentication, meaning you must enter in a username and password every time, unless you of course, cache the credentials.

For a long time, most of my clients would ask me “is Microsoft ever going to change this?”, and would state “well this defeats the purpose of utilizing ADFS for true SSO.” And I agree, but now, it seems like Microsoft’s ears were ringing, because the wish of using Outlook with Office 365 and not having to cache credentials has been granted!

But how does this work, and what limitations are there? I’ll explain in this article.

Modern Authentication – What is it?

Modern Authentication brings Active Directory Authentication Library (ADAL)-based sign-in to Office client apps across platforms. This enables sign-in features such as Multi-Factor Authentication (MFA), SAML-based third-party Identity Providers with Office client applications, smart card and certificate-based authentication, and it removes the need for Outlook to use the basic authentication protocol. The chart below shows the availability of Modern Authentication across Office apps:

Office client application

Windows

Mac OS X

Windows Phone

iOS

Android

Office clients

Available now for Office 2013 and Office 2016.

Office 2016 Mac Preview supports ADAL including Word, Excel, PowerPoint and OneNote. OneNote was released with ADAL in 2014.

Available now.

Word, Excel and PowerPoint are available now.

For Android phones: Word, Excel and PowerPoint are available now. For Android tablets: Word, Excel and PowerPoint are coming soon.

Skype for Business (formerly Lync)

Included in Office client.

In Preview.

Coming soon.

Available now*.

Available now*.

Outlook

Included in Office client.

Available now.

Coming soon.

Available now.

Available now.

OneDrive for Business

Included in Office client.

OneDrive for Business Sync is TBD.

Available now for Windows Phone 8.1.

OneDrive for Business is available now.

OneDrive for Business is available now.

Legacy clients

There are no plans for Office 2010 or Office 2007 to support ADAL-based authentication.

There are no plans for Office for Mac 2011 to support ADAL-based authentication.

There are no plans for Office on Windows Phone 7 to support ADAL-based authentication.

There are no plans to enable older Outlook iOS clients.

There are no plans to enable older Outlook Android clients.


Now, let me take this time to further break down how Modern Authentication works. The Office client will behave exactly as a Web Browser when authenticating, it will send the Access Token requests directly to the authentication provider instead of sending username and password to the resource, and if you are enabled for MFA, you will get the exact same behavior you get when accessing OWA or SharePoint Online; goodbye pop-ups and App Passwords, hello real SSO and MFA!

By default, your Exchange and Skype for Business Online tenants are not enabled for Modern Authentication. You must manually enable it via PowerShell. Modern Authentication support is also not enabled in Office 2013 by default either. You must ensure that the March 2015 update patch is installed prior to enabling this in your tenant. All versions of Office 2016, however, have Modern Authentication support enabled by default, and require no further action once enabled on the Exchange Online and Skype for Business Online tenants.

So what are my benefits from enabling Modern Authentication?

Right out of the gate, the first benefit is new and existing users will no longer need to enter credentials into Office to connect to Office 365. Modern Authentication will use the OATH2 to authenticate to ADFS (via the addition of ADFS into the trusted local intranet sites) on the client’s behalf, and will SSO the user.

This benefit is great for those of you out there who use non-persistent VDI deployments with RDS, Citrix, and VMware. Meaning you can now deploy Volume Licensed copies of Office 2013/2016 or Click-2-Run copies of Office 365 to your VM’s and allow mail profile setups without users having to enter in any credentials.

Another great benefit of this feature is available for IOS and Android devices, which means corporate enrolled devices can have clients such as Skype for Business and Outlook deployed to them, and can be configured to do SSO, SAML, and MFA via Modern Authentication as well.

This is also big news for those who are planning to migrate to Office 365 in the future, as it will now allow you to migrate mailboxes seamlessly, without having to let the end-user know that they may have to enter in credentials once their migration is complete.

So where are my drawbacks?

Naturally, the first question will be “well does this work for Office suites lower than 2013?”. The answer there will be "no." Microsoft has made it clear that they are  trying to push past Office suites older than 2013, meaning they are not offering up much support for 2010 and lower. If you would like to utilize Modern Authentication, you’ll need to, at a minimum, upgrade to Office 2013.

Sticking with this subject, Office for Mac 2011, Windows Phone 7, and older versions of Android and IOS clients are not supported either.

Another current drawback is that Modern Authentication for PowerShell is still in Public Preview currently. You can enable this for your tenant, however, there will be very limited support. Also, be aware, that Modern Authentication is only supported with ADFS 3.0, which is only available in Windows Server 2012 R2 and Windows Server 2016. ADFS 2.1 (Windows Server 2012) and ADFS 2.0 (Windows Server 2008/2008 R2) are not supported, which means you will have to upgrade to take advantage of this feature. Also, you must have ADFS 3.0 to even use Modern Authentication. If you are just using Password Synchronization or Cloud Identity as your method of authentication to Office 365, you will not be able to leverage Modern Authentication. 

The final drawback can occur only if you plan on using Modern Authentication with third-party identity providers. Currently, all providers listed here are qualified by Microsoft for Modern Authentication. However, if your provider is not on this list, you can download a connectivity test tool from https://testconnectivity.microsoft.com/?tabid=Client and see if Modern Authentication will work. If not, you may not be able to use modern authentication.

Conclusion

In conclusion, this is a huge milestone for Microsoft and Office 365. It’s a solution to an issue that has been around since the days of BPOS and one that could persuade more companies to start looking towards Office 365 as viable solution to cutting back on their on-premises footprint. 

Information and material in our blog posts are provided "as is" with no warranties either expressed or implied. Each post is an individual expression of our Sparkies. Should you identify any such content that is harmful, malicious, sensitive or unnecessary, please contact marketing@sparkhound.com.

Meet Sparkhound

Review our capabilities and services, meet the leadership team, see our valued partnerships, and read about the hardware we've earned.

Learn How We Work

See how our Plan/Build/Run methodology drives real client success, and gain our team's perspectives on timely tech topics.

Engage With Us

Get in touch any of our offices, or checkout our open career positions and consider joining Sparkhound's dynamic team.