Azure AD Connect Synchronization Service Manager shows the status completed-export-errors. However, when we want to…
Enable modern authentication in Microsoft 365
Enable modern authentication in Microsoft 365 before migrating mailboxes to Exchange Online. This way, the users can sign in to Outlook seamlessly once the mailbox is moved to Exchange Online. Another reason is to start enabling modern authentication before Microsoft disables basic authentication in the second half of 2021.
In this article, you will learn how to enable modern authentication in Microsoft 365 for Exchange Online and configure the registry keys for all Outlook clients.
Table of contents
- Modern authentication vs. Basic authentication
- How to enable modern authentication in Microsoft 365
- Clients that support modern authentication
- Only basic authentication Outlook 2010
- Enable modern authentication Outlook 2013
- Enable modern authentication Outlook 2016, Outlook 2019, and Outlook 365
- Conclusion
Modern authentication vs. Basic authentication
Modern authentication in Exchange Online provides you with various ways to increase your organization’s security with features like conditional access and multi-factor authentication (MFA). When you turn on modern authentication, Outlook 2013 for Windows or later will require it to sign into Exchange Online mailboxes.
Basic authentication is the less secure method used by older client applications without MFA. Think about signing in with only a username and password. Microsoft recommends that you turn off basic authentication for your organization.
Note: For tenants created before August 1, 2017, modern authentication is turned off by default for Exchange Online and Skype for Business Online.
How to enable modern authentication in Microsoft 365
To enable modern authentication in Exchange Online, follow these steps:
- Sign in to Microsoft 365 admin center
- Expand Settings and click on Org settings
- Click on Services in the top bar
- Choose Modern authentication from the list
- Check the box Turn modern authentication for Outlook 2013 for Windows and later (recommended)
- Click on Save
In the picture below, you can see the Allow access to basic authentication protocols. If you do uncheck these boxes, basic authentication will not work. Therefore, it’s best to wait first and check the logs for client connections. Then, ensure that the clients connect with modern authentication and that no more basic authentication is used. After that, disable basic authentication.
Clients that support modern authentication
Before you enable modern authentication, make sure that you have one of these clients running:
- Outlook 2013 or later (requires a registry key, see below)
- Outlook 2016 for Mac or later
- Outlook for iOS and Android
- Mail for iOS 11.3.1 or later
| Outlook version | Modern auth support | EnableADAL reg key required | AlwaysUseMSOAuthForAutodiscover reg key required |
|---|---|---|---|
| Outlook 2010 | No | Not available | Not available |
| Outlook 2013 | Yes | Yes | Yes |
| Outlook 2016 | Yes | No | Yes |
| Outlook 2019 | Yes | No | Yes |
| Outlook 365 | Yes | No | Yes |
What is ADAL?
Modern authentication in Exchange Online enables authentication features like multi-factor authentication (MFA), smart cards, certificate-based authentication (CBA), and third-party SAML identity providers. Modern authentication is based on the Active Directory Authentication Library (ADAL) and OAuth 2.0.
Only basic authentication Outlook 2010
Note: It will not work. Upgrade to a newer Outlook version as soon as possible!
- Modern authentication is not supported.
- Users use Basic authentication and may be prompted multiple times for credentials.
Enable modern authentication Outlook 2013
- Modern authentication is not enabled by default
- Modern authentication can be enabled
Enable modern authentication by setting the DWORD value to 1 in the following registry subkeys:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Common\Identity\EnableADAL
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Common\Identity\VersionModern authentication is attempted first. If the server refuses a modern authentication connection, then basic authentication is used. The server refuses modern authentication when the tenant is not enabled.
After setting up the above registry subkeys, add one more registry key. Microsoft recommends that users force Outlook to use modern authentication by setting the DWORD value of the following registry key to 1:
HKEY_CURRENT_USER\Software\Microsoft\Exchange\AlwaysUseMSOAuthForAutoDiscover
Enable modern authentication Outlook 2016, Outlook 2019, and Outlook 365
- Modern authentication is enabled by default
Microsoft recommends that users force Outlook to use modern authentication by setting the DWORD value of the following registry key to 1:
HKEY_CURRENT_USER\Software\Microsoft\Exchange\AlwaysUseMSOAuthForAutoDiscoverMicrosoft Office 2016 and Microsoft Office 2019 clients support modern authentication by default, and no action is needed for the client to use these new flows. However, explicit action is required to use legacy authentication.
Read more: Outlook prompts for password after migration to Office 365 »
Conclusion
You learned how to enable modern authentication in Microsoft 365. Enable the registry key AlwaysUseMSOAuthForAutoDiscover = 1 on all the machines with a GPO. It will force modern authentication on Outlook 365, 2019, 2016, and 2013. If you have Microsoft Office 2013 running, remember to enable the extra required registry key EnableADAL = 1.
Did you enjoy this article? You may also like Hybrid Configuration Wizard fails to connect. Don’t forget to follow us and share this article.
What Others Are Reading
Thanks.
excellent tutorial
Thanks ALI. Clear instructions on how to do it and I subscribed to your newsletter.
Ali you are the best! Thanks!!!
Thank you Ali for the post! I was searching the internet hours on how to enable Modern Authentication for my users without the need of PowerShell use. Microsoft doc wasn’t helpful at all!! Your post made it simple to follow for non-professional tech folk like myself. Thank you so much! Keep rocking…