Office 365

Updated Office 365 modern authentication

Share on Facebook Share on Twitter Share on Linkedin Share via OneNote Share via Email Print

Editor’s note 05/18/2016:
This post was updated to reflect that modern authentication has moved from public preview to general availability.

Editor’s note 04/18/2016:
The chart was updated to show the availability of modern authentication for Outlook on Mac OS X.

Editor’s note 12/17/2015:
The chart was updated to show the availability of modern authentication for iOS and Android.

Today’s post was written by Paul Andrew, technical product manager for Identity Management on the Office 365 team.

We’re constantly expanding the range of Office 365 products and services that support Modern Authentication. As we continue to enable enhanced identity scenarios, you can keep track of our progress below. Here’s a summary of the updates:

  • Modern authentication in the Office 2013 Windows client and in the Office 2016 Windows client are complete and at GA.
  • All users of Office 365 modern authentication can now get production support through regular Microsoft support channels.
  • Use of Office 365 modern authentication is now on by default for Office 2016.
  • An updated table of client software compatibility is now available.

What is modern authentication?

Modern authentication brings Active Directory Authentication Library (ADAL)-based sign-in to Office client apps across platforms. This enables sign-in features such as Multi-Factor Authentication (MFA), SAML-based third-party Identity Providers with Office client applications, smart card and certificate-based authentication, and it removes the need for Outlook to use the basic authentication protocol. The chart below shows the availability of modern authentication across Office applications.

Office client application Windows Mac OS X Windows Phone iOS Android
Office clients Available now for Office 2013 and Office 2016. Available now for Office 2016.

Also available for OneNote 2014.

Available now. Word, Excel and PowerPoint are available now for both phones and tablets. Word, Excel and PowerPoint are available now for both phones and tablets.
Skype for Business (formerly Lync) Included in Office client. Available now. Available now.

CBA and other modern features not yet supported.

Available now*. Available now*.
Outlook Included in Office client. Available now. Coming soon. Available now. Available now.
OneDrive for Business Included in Office client. Available now. Available now for Windows Phone 8.1. OneDrive for Business is available now. OneDrive for Business is available now.
Legacy clients There are no plans for Office 2010 or Office 2007 to support ADAL-based authentication. There are no plans for Office for Mac 2011 to support ADAL-based authentication. There are no plans for Office on Windows Phone 7 to support ADAL-based authentication. There are no plans to enable older Outlook iOS clients. There are no plans to enable older Outlook Android clients.

*Not recommended for split domain configuration that includes both Skype for Business Online and Skype for Business Server.

Getting started with modern authentication

To use Office 365 modern authentication follow these steps:

  1. If you are using Active Directory Federation Services (ADFS), then first review the caveats with modern authentication published here.
  2. Use PowerShell to enable your Exchange Online service for modern authentication as described here and Skype for Business Online as described here. SharePoint Online is already enabled.
  3. Enable any Office 2013 users to use modern authentication as described here. Office 2016 and most other Office client software is already enabled as shown in the table below. Details about setting up Office clients is described here.

Also note that to use modern authentication with Office 2013 you will need the March 2015 update patch described here.

For Office 365 administrators, we have documentation on enabling MFA here.

For Office 365 users, we have documentation on using MFA here.

Frequently asked questions

Q. Is modern authentication enabled by default?

A. In order to support the various methods of authentication chosen by organizations around the world, we have production support for these features but only enable by default in certain circumstances. Modern authentication is enabled by default on Office 2016 clients and other clients as described in the article. We are still working on updates to enable this by default for Exchange Online and Skype for Business Online.

Q. I applied to the preview program; do I need to do anything else to use Office 365 modern authentication?

A. If you applied before November 17, 2015, refer to this article to verify that your tenant was enabled. On or after November 17, 2015, use instructions from the article to enable your tenant.

Q. What if I was previously accepted into the TAP, private preview or public preview for modern authentication?

A. No action is needed from you. You can verify your tenant state for Exchange Online by using the instructions here and Skype for Business Online as described here.

Q. How do Office 2013 and Office 2016 use modern authentication?

A. Read for more details.

Q. Does Office 365 modern authentication require any specific Office 365 SKUs?

A. No. Any Office 365 SKU can use modern authentication.

Q. What is required for to use a third-party identity provider with ADAL-based authentication?

A. The third-party identity provider should be tested and qualified for use with ADAL with the Azure Active Directory federation compatibility list. There is an updated test tool for testing ADAL with identity providers available at Select Install Now towards the bottom of the page. Once the Microsoft Connectivity Analyzer Tool is downloaded and running, select the test called: I can’t set up federation with Office 365, Azure or other services that use Azure Active Directory.

Q. What Office 2013 Windows clients are included in the update?

A. Word 2013, Excel 2013, PowerPoint 2013, Lync 2013, Outlook 2013, Publisher 2013, Visio 2013, Access 2013, Project 2013 and OneDrive for Business Sync Client.

Q. What is ADAL?

A. ADAL is the Active Directory Authentication Library that is used in Office 365 modern authentication. Details about ADAL are available here.

Q. Can I use modern authentication with PowerShell?

A. Azure AD PowerShell has support for modern authentication in public preview as described on the Active Directory Team Blog. SharePoint Online Management Shell has support for modern authentication available from here.

  1. Hi. I am working with enabling Modern auth in O365 for a large customer and they have a large number of Mac users. Is there an update on when ADAL will be available for Outlook on Mac and for mailbox access? //Magnus

  2. Hi – does this mean by chance that I could do cert-based auth with e.g. the outlook app on iOS (against active sync in Exchange Online)? Thanks Emil-

  3. How come that the option to remember devices doesn’t work? (suspend multi-factor authentication for remembered devices PREVIEW)

    I recall reading that the Devs thought it was smart to make that take place when people would click the check box for remember me, but that caused a bunch of confusion & they were going to put the checkbox back on the MFA page (after the ADFS sign in page)

    However still no dice.

    • The Suspend MFA feature is still in preview. Customer admins can configure the Suspend MFA feature to remember their browser/device for X days. Once enabled in the MFA service settings, users will need to check the “Keep me signed in” checkbox that appears on the AAD sign-in page. When the user closes their browser and reopens it to navigate back to their apps, it will remember both their credentials and their MFA. This is done through cookies so requires it to be set on each device/browser.

      This implementation is temporary. We will be moving the Suspend MFA functionality out into its own checkbox. It will appear on the page that displays while MFA is being performed and will say “Don’t ask again for X days”. That will allow users to have their MFA remembered without having their username/password remembered. This change is currently in progress and expected to be available in January.

Comments are closed.