
Modern Authentication in Office 365 is a combination of authentication and authorization methods. It’s more secure than the Basic Authentication method, which relied only on a username and password.

As we all know by now, usernames and passwords are easily stolen. Phishing emails, for example, are an effective way for criminals to get users’ credentials. This makes your tenant really vulnerable to attacks, especially in combination with legacy protocols like SMTP and IMAP.

Modern Authentication is enabled by default in Office 365 for tenants created after Aug 2017. However, a lot of existing tenants are still using basic authentication and/or the old protocols. Starting in June 2021, Microsoft will start disabling the Basic Authentication method for tenants that don’t use it.

So now is a really good time to take a closer look at Modern Authentication and how you can enable it in your Office 365 tenant.

Basic Authentication vs Modern Authentication

Basic Authentication is the old way of logging in with only a username and password. With basic authentication, each app or add-in that needs to authenticate against Office 365 will pass the credentials of the user with each request.

This means that the app has stored the credentials of the user somewhere in the application’s storage, making it vulnerable to attackers. Another problem with basic authentication is that you can’t define the permission scope for the application. So each app can have access to all the data of the user.

Modern Authentication

Modern Authentication, on the other hand, is based on ADAL (Active Directory Authentication Library) and OAuth 2.0. An application doesn’t store the credentials of the users; instead, authentication is done with tokens.

After a user logs in with their account, a token is given back to the application. The token has a limited lifetime, after which it becomes invalid. Another advantage of the token is that we can define a permission scope. So we can give an app access to only the mailbox of the user, but not to OneDrive, for example.

Another really important advantage of modern authentication in Office 365 is that we can use Multi-Factor Authentication, also known as MFA. With MFA the user needs to log in with something he knows (username and password) and something he has, a one-time token on the mobile phone.

Enable Modern Authentication Office 365

There are a couple of steps when it comes to enabling modern authentication in Office 365. The first step is to enable Modern Authentication, but after we have enabled it we will need to phase out the basic authentication methods.

  1. Open the Microsoft 365 Admin Center
  2. Expand Settings and click on Org Settings
  3. Select Modern authentication
  4. Turn on modern authentication for Outlook 2013 for Windows and later
  5. Click on Save

Disabling the Basic Authentication Protocols

The next step in the process is to disable the basic authentication protocols. You can’t just turn them all off, because most users and probably also some business applications are using them. So the first step is to find out which users and applications those are.

  1. Log in to portal.azure.com
  2. Open the Azure Active Directory
  3. Click on Sign-Ins
  4. Change the date range to the last 7 days
  5. Click on Add filters
  6. Choose Client App
  7. Click again on the filter (now labeled client app)
  8. Tick all Legacy Authentication Clients
  9. Click on Apply

This will list all sign-in events from the last 7 days, with the user and the application that was used. You can use the list to migrate the applications to the modern authentication protocol. Most sign-in events will probably be from native email clients on mobile phones.
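The filtered sign-in list is easier to act on once it is reduced to one row per user and legacy client. The following PowerShell is an added example, not part of the original article: the column names (`User`, `Client app`, `Application`, `Status`), the legacy client strings, and the function name `Get-LegacyAuthSummary` are assumptions, and the sample rows are constructed.

```powershell
# Constructed sample rows standing in for a sign-in log export.
# Column names are assumptions; adjust them to match your own export.
$export = @'
Date (UTC),User,Application,Client app,Status
2021-05-03T07:12:44Z,alice@contoso.example,Office 365 Exchange Online,IMAP4,Success
2021-05-03T07:13:02Z,alice@contoso.example,Office 365 Exchange Online,IMAP4,Success
2021-05-03T08:01:10Z,bob@contoso.example,Office 365 Exchange Online,Exchange ActiveSync,Success
2021-05-03T08:05:33Z,scanner@contoso.example,Office 365 Exchange Online,Authenticated SMTP,Failure
2021-05-03T09:20:00Z,carol@contoso.example,Office 365 Exchange Online,Mobile Apps and Desktop clients,Success
'@ | ConvertFrom-Csv

# Assumed "Client app" strings for legacy protocols; compare them with the
# entries your portal lists under Legacy Authentication Clients.
$legacyClients = @(
    'Authenticated SMTP', 'Autodiscover', 'Exchange ActiveSync',
    'Exchange Online PowerShell', 'Exchange Web Services', 'IMAP4',
    'MAPI Over HTTP', 'Offline Address Book', 'Other clients',
    'Outlook Anywhere (RPC over HTTP)', 'POP3', 'Reporting Web Services'
)

function Get-LegacyAuthSummary {
    param([Parameter(Mandatory)] [object[]] $SignIns)

    $SignIns |
        # Keep only sign-ins made with a legacy client (comparison is case-insensitive).
        Where-Object { $legacyClients -contains $_.'Client app' } |
        # One group per user and protocol, so each row is one migration task.
        Group-Object -Property User, 'Client app' |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                User      = $first.User
                ClientApp = $first.'Client app'
                SignIns   = $_.Count
                Failures  = @($_.Group | Where-Object Status -eq 'Failure').Count
            }
        } |
        Sort-Object -Property SignIns -Descending
}

Get-LegacyAuthSummary -SignIns $export | Format-Table -AutoSize
```

Accounts that show only failures over a legacy protocol are worth a separate look, since nothing legitimate may depend on them.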

The easiest option is to switch to the Outlook App on Android and Apple devices. It’s possible to use Apple Mail, but your users will have to remove the account first and then re-add it again to switch over to modern authentication.

You can read more about turning off the basic authentication protocols in this article, where I also have included a couple of PowerShell scripts.

If you have migrated all applications then you can turn off the basic authentication protocols. You can do this in the Microsoft 365 Admin Center:

  1. Expand Settings and click on Org Settings
  2. Click on Modern Authentication
  3. Turn off all basic authentication protocols.
  4. Click Save.

Outlook Modern Authentication

To use Modern Authentication with older versions of Outlook you may need to change some settings on the client side. Newer versions, Outlook 2019 and Outlook for Microsoft 365, support it out of the box.

What you need to configure depends on the Outlook version that you are using:

| Outlook version | Modern Auth Supported | EnableADAL reg key required | Force Modern Auth required | MAPI/HTTP required |
|---|---|---|---|---|
| Outlook 2010 | No | | | |
| Outlook 2013 | Yes | Yes | Yes | Yes |
| Outlook 2016 | Yes | No | Yes | Yes |

Outlook 2010 doesn’t support Modern Authentication. Your only option is to upgrade Outlook.

Outlook 2013 Modern Authentication

If your organization is using Outlook 2013, then you will have to enable Modern Authentication manually. Outlook 2013 will keep using the basic authentication method by default. But we can force it to use Modern Authentication by setting a couple of registry keys on the clients.

    # Change EnableADAL to 1
    HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity\EnableADAL

    # Change Version to 1
    HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity\Version

Outlook will now try to use modern authentication first. If you want to force it, so that it won’t fall back to basic authentication, then you will have to change the following key to 1 as well:

    HKEY_CURRENT_USER\Software\Microsoft\Exchange\AlwaysUseMSOAuthForAutoDiscover

If the keys don’t exist then you can simply create them. They are all DWORD values.

Outlook 2016 Modern Authentication

Modern Authentication is enabled by default in Outlook 2016, but Microsoft recommends forcing Outlook to use Modern Authentication.

We can do this by setting the following registry key to 1:

    HKEY_CURRENT_USER\Software\Microsoft\Exchange\AlwaysUseMSOAuthForAutoDiscover

Skype for Business Modern Authentication

If you are still using Skype for Business then you will need to enable Modern Authentication for Skype as well. Just like with Outlook, we can set a couple of registry keys to enable it:

    # Change AllowAdalForNonLyncIndependentOfLync to 1
    HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\Lync\AllowAdalForNonLyncIndependentOfLync

    HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Lync\AllowAdalForNonLyncIndependentOfLync
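The registry values from the Outlook 2013, Outlook 2016 and Skype for Business sections can be checked, and optionally set, in one pass. This PowerShell is an added example, not part of the original article; the function name `Invoke-ModernAuthRegistryCheck`, the `-Remediate` switch and the `Client` labels are hypothetical, while the paths and value names are the ones listed above.

```powershell
# Registry values named in the article, grouped by client. All are DWORDs set to 1.
$modernAuthSettings = @(
    @{ Client = 'Outlook 2013'; Path = 'HKCU:\SOFTWARE\Microsoft\Office\15.0\Common\Identity'; Name = 'EnableADAL' }
    @{ Client = 'Outlook 2013'; Path = 'HKCU:\SOFTWARE\Microsoft\Office\15.0\Common\Identity'; Name = 'Version' }
    @{ Client = 'Outlook 2013/2016'; Path = 'HKCU:\Software\Microsoft\Exchange'; Name = 'AlwaysUseMSOAuthForAutoDiscover' }
    @{ Client = 'Skype for Business (15.0)'; Path = 'HKCU:\Software\Policies\Microsoft\Office\15.0\Lync'; Name = 'AllowAdalForNonLyncIndependentOfLync' }
    @{ Client = 'Skype for Business (16.0)'; Path = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Lync'; Name = 'AllowAdalForNonLyncIndependentOfLync' }
)

# Hypothetical helper: reports each value, and writes it only when -Remediate is given.
function Invoke-ModernAuthRegistryCheck {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [hashtable[]] $Settings,
        [switch] $Remediate
    )
    foreach ($s in $Settings) {
        # A missing key or value yields $null, which is reported as non-compliant.
        $current = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        $compliant = ($current -eq 1)

        if (-not $compliant -and $Remediate -and
            $PSCmdlet.ShouldProcess("$($s.Path)\$($s.Name)", 'Set DWORD to 1')) {
            # Create the key if it does not exist, then create or overwrite the value.
            if (-not (Test-Path -Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
            New-ItemProperty -Path $s.Path -Name $s.Name -PropertyType DWord -Value 1 -Force | Out-Null
            $compliant = $true
        }

        [pscustomobject]@{
            Client    = $s.Client
            Value     = $s.Name
            Current   = $current
            Compliant = $compliant
        }
    }
}

# Report only; add -Remediate (optionally with -WhatIf) to create or correct the values.
Invoke-ModernAuthRegistryCheck -Settings $modernAuthSettings | Format-Table -AutoSize
```

All of these values live under HKCU, so the script has to run in the context of each user, for example as a logon script.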

Wrapping Up

Using Modern Authentication in Office 365 is really important to protect your data. Without it, attackers can easily compromise your tenant after a successful phishing attempt. Microsoft is starting to disable legacy protocols on tenants that don’t use them.

But to protect your tenant I really recommend starting with modern authentication as soon as possible. Also, make sure you follow this best practice guide to secure your Office 365 tenant.

If you have any questions, just drop a comment below.