Thursday 4 August 2016

Configuring Modern Authentication for Exchange Online and Skype for Business Online

Modern Authentication for Office 365 is based on Active Directory Authentication Library (ADAL), which allows Office 2013 (not enabled by default) and Office 2016 (by default) to use modern authentication instead of basic Windows authentication. Modern Authentication provides additional support for SAML & Multi Factor Authentication. Currently with Office 2013, and Outlook if MFA is enabled for a user, App Passwords are required to allow access to the desktop Office applications as they are using Basic authentication.
What are Azure App Passwords?
Modern Authentication in Office 365, which was released from preview in March 2015 removes this constraint. If enabled users no longer have to maintain App Passwords in order to use the Office ProPlus desktop applications.
By default Modern Authentication is enabled for SharePoint Online, Exchange and Skype for Business.  
Modern Authentication (default settings update Nov 2017)
·        Exchange Online - On
·        SharePoint Online - On
·        Skype for Business Online - On
Both Office 2013/2016 support Modern Authentication. Office 2013 does not have it enabled by default, it must be enabled by making a Registry edit.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Common\Identity\EnableADAL = Value 1
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Common\Identity\Version = Value 1
In Office 2016 this is enabled by default.
PowerShell Sessions
To successfully run these commands you must first create PowerShell connections to each of the services, for assistance on this review this blog post;
Exchange Online
 Get-OrganizationConfig 


Set-OrganizationConfig -OAuth2ClientProfileEnabled:$true
Skype for Business Online
 Get-CsOAuthConfiguration 

 Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed