Updated Office 365 modern authentication

Editor’s note 08/01/2017:
This post was updated to reflect that modern authentication is now on by default for Exchange Online and Skype for Business Online.

Editor’s note 05/18/2016:
This post was updated to reflect that modern authentication has moved from public preview to general availability.

Editor’s note 04/18/2016:
The chart was updated to show the availability of modern authentication for Outlook on Mac OS X.

Editor’s note 12/17/2015:
The chart was updated to show the availability of modern authentication for iOS and Android.

 

Original post:
Today’s post was written by Paul Andrew, technical product manager for Identity Management on the Office 365 team.

We’re constantly expanding the range of Office 365 products and services that support Modern Authentication. As we continue to enable enhanced identity scenarios, you can keep track of our progress below. Here’s a summary of the updates:

  • Modern authentication in the Office 2013 Windows client and in the Office 2016 Windows client is complete and at GA.
  • All users of Office 365 modern authentication can now get production support through regular Microsoft support channels.
  • Use of Office 365 modern authentication is now on by default for Office 2016.
  • As of August 1, 2017, for all newly created Office 365 tenants, use of modern authentication is now on by default for Exchange Online and Skype for Business Online.
  • An updated table of client software compatibility is now available.

What is modern authentication?

Modern authentication brings Active Directory Authentication Library (ADAL)-based sign-in to Office client apps across platforms. This enables sign-in features such as Multi-Factor Authentication (MFA), SAML-based third-party Identity Providers with Office client applications, smart card and certificate-based authentication, and it removes the need for Outlook to use the basic authentication protocol. The chart below shows the availability of modern authentication across Office applications.

| Office client application | Windows | Mac OS X | Windows Phone | iOS | Android |
|---|---|---|---|---|---|
| Office clients | Available now for Office 2013 and Office 2016. | Available now for Office 2016. Also available for OneNote 2014. | Available now. | Word, Excel and PowerPoint are available now for both phones and tablets. | Word, Excel and PowerPoint are available now for both phones and tablets. |
| Skype for Business (formerly Lync) | Included in Office client. | Available now. | Available now. CBA and other modern features not yet supported. | Available now*. | Available now*. |
| Outlook | Included in Office client. | Available now. | Coming soon. | Available now. | Available now. |
| OneDrive for Business | Included in Office client. | Available now. | Available now for Windows Phone 8.1. | OneDrive for Business is available now. | OneDrive for Business is available now. |
| Legacy clients | There are no plans for Office 2010 or Office 2007 to support ADAL-based authentication. | There are no plans for Office for Mac 2011 to support ADAL-based authentication. | There are no plans for Office on Windows Phone 7 to support ADAL-based authentication. | There are no plans to enable older Outlook iOS clients. | There are no plans to enable older Outlook Android clients. |

*Not recommended for split domain configuration that includes both Skype for Business Online and Skype for Business Server.

Getting started with modern authentication

To use Office 365 modern authentication, follow these steps:

  1. If you are using Active Directory Federation Services (ADFS), then first review the caveats with modern authentication published here.
  2. Use PowerShell to enable your Exchange Online service for modern authentication as described here and Skype for Business Online as described here. SharePoint Online is already enabled.
  3. Enable any Office 2013 users to use modern authentication as described here. Office 2016 and most other Office client software is already enabled, as shown in the table above. Details about setting up Office clients are described here.

Also note that to use modern authentication with Office 2013 you will need the March 2015 update patch described here.
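
Step 2 above, sketched as an added example (not code from the original post): a script that reads the tenant-level modern authentication switch for Exchange Online and Skype for Business Online, enables whichever is still off, and reports the state before and after. It assumes the session is already connected to both Exchange Online PowerShell and Skype for Business Online PowerShell; the cmdlet and parameter names are not given on this page, and `Get-ModernAuthState` is a hypothetical helper name.

```powershell
# Added example. Assumes this session is already connected to both
# Exchange Online PowerShell and Skype for Business Online PowerShell.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

function Get-ModernAuthState {
    # Hypothetical helper: read-only report of each service's tenant switch.
    $exo  = Get-OrganizationConfig
    $sfbo = Get-CsOAuthConfiguration
    [pscustomobject]@{
        Service = 'Exchange Online'
        Setting = 'OAuth2ClientProfileEnabled'
        Value   = [string]$exo.OAuth2ClientProfileEnabled
        Enabled = [bool]$exo.OAuth2ClientProfileEnabled
    }
    [pscustomobject]@{
        Service = 'Skype for Business Online'
        Setting = 'ClientAdalAuthOverride'
        Value   = [string]$sfbo.ClientAdalAuthOverride
        # Only an explicit 'Allowed' counts as on; 'NoOverride' and
        # 'Disallowed' are both treated as not enabled here.
        Enabled = ([string]$sfbo.ClientAdalAuthOverride -eq 'Allowed')
    }
}

# Record the starting state so the change can be audited afterwards.
$before = Get-ModernAuthState
$before | Format-Table -AutoSize

foreach ($row in $before | Where-Object { -not $_.Enabled }) {
    if ($PSCmdlet.ShouldProcess($row.Service, 'Enable modern authentication')) {
        switch ($row.Service) {
            'Exchange Online' {
                Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
            }
            'Skype for Business Online' {
                Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed
            }
        }
    }
}

# Re-read rather than assume the change applied.
Get-ModernAuthState | Format-Table -AutoSize
```

Saved as a `.ps1` file and run with `-WhatIf`, the script only reports the current state and what it would change, which is also a way to verify a tenant that was enabled earlier.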

For Office 365 administrators, we have documentation on enabling MFA here.

For Office 365 users, we have documentation on using MFA here.

Frequently asked questions

Q. Is modern authentication enabled by default?

A. In order to support the various methods of authentication chosen by organizations around the world, we have production support for these features but only enable them by default in certain circumstances. Modern authentication is enabled by default on Office 2016 clients and other clients as described in the article. It is also enabled by default for Exchange Online and Skype for Business Online, for all newly created Office 365 tenants.

Q. I applied to the preview program; do I need to do anything else to use Office 365 modern authentication?

A. If you applied before November 17, 2015, refer to this article to verify that your tenant was enabled. If you applied on or after November 17, 2015, use the instructions from the article to enable your tenant.

Q. What if I was previously accepted into the TAP, private preview or public preview for modern authentication?

A. No action is needed from you. You can verify your tenant state for Exchange Online by using the instructions here and Skype for Business Online as described here.

Q. How do Office 2013 and Office 2016 use modern authentication?

A. Read aka.ms/ModernAuthClients for more details.

Q. Does Office 365 modern authentication require any specific Office 365 SKUs?

A. No. Any Office 365 SKU can use modern authentication.

Q. What is required to use a third-party identity provider with ADAL-based authentication?

A. The third-party identity provider should be tested and qualified for use with ADAL with the Azure Active Directory federation compatibility list. There is an updated test tool for testing ADAL with identity providers available at testconnectivity.microsoft.com. Select Install Now towards the bottom of the page. Once the Microsoft Connectivity Analyzer Tool is downloaded and running, select the test called: I can’t set up federation with Office 365, Azure or other services that use Azure Active Directory.

Q. What Office 2013 Windows clients are included in the update?

A. Word 2013, Excel 2013, PowerPoint 2013, Lync 2013, Outlook 2013, Publisher 2013, Visio 2013, Access 2013, Project 2013 and OneDrive for Business Sync Client.

Q. What is ADAL?

A. ADAL is the Active Directory Authentication Library that is used in Office 365 modern authentication. Details about ADAL are available here.

Q. Can I use modern authentication with PowerShell?

A. Azure AD PowerShell has support for modern authentication in public preview as described on the Active Directory Team Blog. SharePoint Online Management Shell has support for modern authentication available from here.