Enabling modern authentication on Office 365

in #office3657 years ago

The first thing that might come to your mind might be that modern authentication is enabled for Office 365. Well that is partly true. It is enabled for SharePoint online, not for Exchange and Skype for Business if your tenant is created before august 1st 2017. While writing this about 95% of the tenants are older then 1 month so modern authentication is not enabled for Exchange and Skype for Business.

What is modern authentication

Modern authentication is basically a browser window where you can authenticate instead of the old username/password dialog. This browser windows allows you to have a certain flow of authentication that is not possible with the old dialog window.
The benefits of the browser window is that you can have thing like multi factor authentication and smart card authentication.

The modern authentication uses the ADAL (Active Directory Authentication Library). Detail can be found here.

Why enable modern authentication

This is a fair question when you are working with older versions of Office because they do not support modern authentication, but when you have an office version that does not support modern authentication, you also almost out of support for the combination of Office client and Office 365.
So the question should be why not enable modern authentication? The answer to this is that modern authentication has a fallback to the classic authentication if the client does not support modern authentication.

What clients support modern authentication

Off course the latest version of Office Pro Plus and Office 2016 support modern authentication out of the box.
Office 2013 does support it, but here you need to add a certain registry key to trigger the modern authentication, otherwise it will use basic authentication.
The full details of the supported clients can be found here and to enable it here

Enable modern authentication Exchange Online

Enabling it for Exchange is very simple, just run the command "Set-OrganizationConfig -OAuth2ClientProfileEnabled:$true" when you are connected to Exchange Online in PowerShell.

To connect to Exchange Online you can follow this manual
To verify that the setting is correct you can use this command "Get-OrganizationConfig | ft name, OAuth"

Enable modern authentication Skype for Business

If you want to enable this for Skype for Business, you also need to enable it for Exchange Online because the Skype for Business client connects to both Exchange and Skype for Business

Enabling it for skype for business takes a bit more effort because you need to install the Skype for Business module that you can download here

After installing it and downloading you can connect to Skype for Business with the following 2 commands

  • $session = New-CsOnlineSession -Credential (Get-Credential)
  • Import-PSSession $session
    When you are connected use "Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed"

To verify that the setting is correct you can use this command "Get-CsOAuthConfiguration | ft clientadal"

Resources

Exchange online: https://social.technet.microsoft.com/wiki/contents/articles/32711.exchange-online-how-to-enable-your-tenant-for-modern-authentication.aspx
Skype for Business: https://social.technet.microsoft.com/wiki/contents/articles/34339.skype-for-business-online-enable-your-tenant-for-modern-authentication.aspx
Connect to Skype for Business: https://technet.microsoft.com/en-us/library/dn362795.aspx