Office 365 - Enabling Services, Users, and Connecting via Modern Authentication (ADAL)

Defaults

The Office 365 tenant/resource host (Exchange Online, SharePoint Online and Skype for Business Online) will need to be configured to accept a modern authentication connection. Microsoft recommends that Exchange Online be enabled for modern authentication when enabling modern authentication for Skype for Business.

Here is the per-service state of modern authentication by default for tenants created before August 1, 2017:

Skype for Business Online - OFF by default.
Exchange Online - OFF by default.
SharePoint Online - ON by default.

Note: As of August 1, 2017, for all newly created Office 365 tenants, use of modern authentication is now ON by default for Exchange Online and Skype for Business Online.

Because Skype for Business clients connect to both Skype for Business Online and Exchange Online, tenant-level modern authentication settings should match for Exchange Online and Skype for Business Online.


Enable or Disable Modern Authentication 

The Office 365 tenant/resource host (Exchange Online, SharePoint Online and Skype for Business Online) will need to be configured to accept modern authentication connections.

Skype for Business Online: Enable your tenant for modern authentication


Set-CsOAuthConfiguration -ClientAdalAuthOverride NoOverride


Exchange Online: Enable your tenant for modern authentication

Run this command to enable modern authentication in Exchange Online:

 Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

Run this command to disable modern authentication in Exchange Online:

Set-OrganizationConfig -OAuth2ClientProfileEnabled $false

To verify that the change was successful, run this command:

Get-OrganizationConfig | Format-Table -Auto Name,OAuth*

Connect to Office 365 services with multi-factor authentication (MFA) and PowerShell


All of this information, with links, is detailed in Joe Davis's TechNet post - https://goo.gl/HcJGeS


To connect to Office 365 services with MFA and PowerShell:

Client Considerations

Office 2010 does not support ADAL. Office 2013 client apps need registry keys set on the end user's operating system to enable support for modern authentication. To enable modern authentication support on a Windows workstation running Office 2013 client apps, the following registry keys are required.

Registry Key                                                      Type        Value
HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity\EnableADAL    REG_DWORD   1
HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity\Version       REG_DWORD   1

To disable Modern Authentication on devices for Office 2013, set the HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity\EnableADAL registry key to a value of 0. Be aware that a similar registry key (HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Identity\EnableADAL) can also be used to disable Modern Authentication on devices for Office 2016.

How modern authentication works for Office 2013 and Office 2016 client apps - https://support.office.com/en-gb/article/How-modern-authentication-works-for-Office-2013-and-Office-2016-client-apps-e4c45989-4b1a-462e-a81b-2a13191cf517

Some client versions don't support OAuth. You can check your Office client version in Control Panel, where you add and remove programs, and compare your version number to the versions (or ranges of versions) listed here:


  • Office Client 15.0.[0000-4766].*
  • Office Client 16.0.[0000-4293].*
  • Office Client 16.0.6001.[0000-1032]
  • Office Client 16.0.[6000-6224].*
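
The two client checks above (the Office 2013 registry keys and the list of builds without OAuth support) can be scripted per workstation. The following PowerShell is an added example, not part of the original page; the function names Test-OfficeBuildSupportsOAuth and Get-AdalRegistryState are hypothetical and the sample build numbers are constructed for illustration.

```powershell
# Added example. Ranges are copied from the list above (major.0.build.revision).
# A range without RevMax means "any revision" (the ".*" entries).
$NoOAuthRanges = @(
    @{ Major = 15; BuildMin = 0;    BuildMax = 4766 },
    @{ Major = 16; BuildMin = 0;    BuildMax = 4293 },
    @{ Major = 16; BuildMin = 6001; BuildMax = 6001; RevMax = 1032 },
    @{ Major = 16; BuildMin = 6000; BuildMax = 6224 }
)

function Test-OfficeBuildSupportsOAuth {
    param([Parameter(Mandatory)][string]$Version)
    $v = [version]$Version
    # Office 2010 (14.x) and older do not support ADAL at all.
    if ($v.Major -lt 15) { return $false }
    foreach ($r in $NoOAuthRanges) {
        if ($v.Major -ne $r.Major -or $v.Minor -ne 0) { continue }
        if ($v.Build -lt $r.BuildMin -or $v.Build -gt $r.BuildMax) { continue }
        if ($r.ContainsKey('RevMax') -and $v.Revision -gt $r.RevMax) { continue }
        return $false   # build falls inside a listed no-OAuth range
    }
    return $true
}

function Get-AdalRegistryState {
    param([ValidateSet('15.0', '16.0')][string]$OfficeVersion = '15.0')
    $path = "HKCU:\SOFTWARE\Microsoft\Office\$OfficeVersion\Common\Identity"
    # Missing key or values come back as $null rather than raising an error.
    $p = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Path               = $path
        EnableADAL         = $p.EnableADAL
        Version            = $p.Version
        # Office 2013 needs both values set to 1 (see the table above).
        Office2013KeysSet  = ($OfficeVersion -eq '15.0' -and $p.EnableADAL -eq 1 -and $p.Version -eq 1)
        # EnableADAL = 0 disables modern authentication on 2013 and 2016.
        ExplicitlyDisabled = ($p.EnableADAL -eq 0)
    }
}

# Constructed sample builds, not taken from real machines.
$samples = '14.0.7015.1000', '15.0.4569.1506', '15.0.4771.1000',
           '16.0.6001.1032', '16.0.6001.1038', '16.0.6741.2048'
$samples | ForEach-Object {
    [pscustomobject]@{ Build = $_; SupportsOAuth = Test-OfficeBuildSupportsOAuth $_ }
} | Format-Table -AutoSize

# Registry state for the current user, Office 2013 and Office 2016.
'15.0', '16.0' | ForEach-Object { Get-AdalRegistryState -OfficeVersion $_ } | Format-List
```

Note that the 16.0.6001.[0000-1032] entry is already covered by 16.0.[6000-6224].*, so a build such as 16.0.6001.1038 is still reported as lacking OAuth support.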

Enable MFA for Users
