It's good to go through the Exchange hybrid test plan checklist and test all the…
Enable modern authentication in Office 365 admin center before migrating mailboxes to Exchange Online. This way, the users can sign in to Outlook seamlessly once the mailbox is moved to Exchange Online. Another reason is to start enabling modern authentication before Microsoft disables basic authentication in the second half of 2021.
In this article, you will learn how to enable modern authentication in Office 365 for Exchange Online and configure the registry keys for all Outlook clients.
Table of contents
- Modern authentication vs. Basic authentication
- Enable modern authentication in Office 365 admin center
- Clients that support modern authentication
- Only basic authentication Outlook 2010
- Enable modern authentication Outlook 2013
- Enable modern authentication Outlook 2016, Outlook 2019, and Outlook 365
Modern authentication vs. Basic authentication
Modern authentication in Exchange Online provides you with various ways to increase your organization’s security with features like conditional access and multi-factor authentication (MFA). When you turn on modern authentication, Outlook 2013 for Windows or later will require it to sign to Exchange online mailboxes.
Basic authentication is the less secure method used by older client applications without MFA. Think about signing in with only a username and password. Microsoft recommends that you turn off basic authentication for your organization.
For tenants created before August 1, 2017, modern authentication is turned off by default for Exchange Online and Skype for Business Online.
Enable modern authentication in Office 365 admin center
To enable modern authentication in Exchange Online, sign in to Microsoft 365 admin center and follow these steps:
- Choose Settings in the menu
- Click on Services in the top bar
- Choose Modern authentication from the list
- Check the box Turn modern authentication for Outlook 2013 for Windows and later (recommended)
- Click Save
In the picture down below, you can see the Allow access to basic authentication protocols. If you do uncheck these boxes, basic authentication will not work. It’s best to wait first and check the logs for client connections. Make sure that the clients are connecting with modern authentication, and no more basic authentication is used. After that, disable basic authentication.
Clients that support modern authentication
Before you enable modern authentication, make sure that you have one of these clients running:
- Outlook 2013 or later (requires a registry key, see below)
- Outlook 2016 for Mac or later
- Outlook for iOS and Android
- Mail for iOS 11.3.1 or later
|Outlook version||Modern auth support||EnableADAL reg key required||AlwaysUseMSOAuthForAutodiscover reg key required|
|Outlook 2010||No||Not available||Not available|
What is ADAL?
Modern authentication in Exchange Online enables authentication features like multi-factor authentication (MFA), smart cards, certificate-based authentication (CBA), and third-party SAML identity providers. Modern authentication is based on the Active Directory Authentication Library (ADAL) and OAuth 2.0.
Only basic authentication Outlook 2010
It will not work. Upgrade as soon as possible!
- Modern authentication is not supported.
- Users use Basic authentication and may be prompted multiple times for credentials.
Enable modern authentication Outlook 2013
- Modern authentication is not enabled by default
- Modern authentication can be enabled
Enable modern authentication by setting the DWORD value to 1 in the following registry subkeys:
Modern authentication is attempted first. If the server refuses a modern authentication connection, then basic authentication is used. The server refuses modern authentication when the tenant is not enabled.
After setting up the above registry subkeys, add one more registry key. Microsoft recommends that users force Outlook to use modern authentication by setting the DWORD value of the following registry key to 1:
Enable modern authentication Outlook 2016, Outlook 2019, and Outlook 365
- Modern authentication is enabled by default
Microsoft recommends that users force Outlook to use modern authentication by setting the DWORD value of the following registry key to 1:
Office 2016 and Office 2019 clients support modern authentication by default, and no action is needed for the client to use these new flows. However, explicit action is required to use legacy authentication.
In this article, you learned how to enable modern authentication in Office 365 admin center. Enable the registry key AlwaysUseMSOAuthForAutoDiscover = 1 on all the machines with a GPO. It will force modern authentication on Outlook 2013, 2016, 2019, and 365. If you have Office 2013 running, don’t forget to enable the extra required registry key EnableADAL = 1.
Did you enjoy this article? You may also like Hybrid Configuration Wizard fails to connect. Don’t forget to follow us and share this article.