skip to Main Content

Enable modern authentication in Office 365 admin center

Enable modern authentication in Office 365 admin center before migrating mailboxes to Exchange Online. This way, the users can sign in to Outlook seamlessly once the mailbox is moved to Exchange Online. Another reason is to start enabling modern authentication before Microsoft disables basic authentication in the second half of 2021.

In this article, you will learn how to enable modern authentication in Office 365 for Exchange Online and configure the registry keys for all Outlook clients.

Modern authentication vs. Basic authentication

Modern authentication in Exchange Online provides you with various ways to increase your organization’s security with features like conditional access and multi-factor authentication (MFA). When you turn on modern authentication, Outlook 2013 for Windows or later will require it to sign to Exchange online mailboxes.

Basic authentication is the less secure method used by older client applications without MFA. Think about signing in with only a username and password. Microsoft recommends that you turn off basic authentication for your organization.

For tenants created before August 1, 2017, modern authentication is turned off by default for Exchange Online and Skype for Business Online.

Enable modern authentication in Office 365 admin center

To enable modern authentication in Exchange Online, sign in to Microsoft 365 admin center and follow these steps:

  1. Choose Settings in the menu
  2. Click on Services in the top bar
  3. Choose Modern authentication from the list
  4. Check the box Turn modern authentication for Outlook 2013 for Windows and later (recommended)
  5. Click Save

In the picture down below, you can see the Allow access to basic authentication protocols. If you do uncheck these boxes, basic authentication will not work. It’s best to wait first and check the logs for client connections. Make sure that the clients are connecting with modern authentication, and no more basic authentication is used. After that, disable basic authentication.

Enable modern authentication in Office 365 admin center

Clients that support modern authentication

Before you enable modern authentication, make sure that you have one of these clients running:

  • Outlook 2013 or later (requires a registry key, see below)
  • Outlook 2016 for Mac or later
  • Outlook for iOS and Android
  • Mail for iOS 11.3.1 or later
Outlook versionModern auth supportEnableADAL reg key requiredAlwaysUseMSOAuthForAutodiscover reg key required
Outlook 2010NoNot availableNot available
Outlook 2013YesYesYes
Outlook 2016YesNoYes
Outlook 2019YesNoYes
Outlook 365YesNoYes

What is ADAL?

Modern authentication in Exchange Online enables authentication features like multi-factor authentication (MFA), smart cards, certificate-based authentication (CBA), and third-party SAML identity providers. Modern authentication is based on the Active Directory Authentication Library (ADAL) and OAuth 2.0.

Only basic authentication Outlook 2010

It will not work. Upgrade as soon as possible!

  • Modern authentication is not supported.
  • Users use Basic authentication and may be prompted multiple times for credentials.

Enable modern authentication Outlook 2013

  • Modern authentication is not enabled by default
  • Modern authentication can be enabled

Enable modern authentication by setting the DWORD value to 1 in the following registry subkeys:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Common\Identity\EnableADAL

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Common\Identity\Version

Modern authentication is attempted first. If the server refuses a modern authentication connection, then basic authentication is used. The server refuses modern authentication when the tenant is not enabled.

After setting up the above registry subkeys, add one more registry key. Microsoft recommends that users force Outlook to use modern authentication by setting the DWORD value of the following registry key to 1:

HKEY_CURRENT_USER\Software\Microsoft\Exchange\AlwaysUseMSOAuthForAutoDiscover
Enable modern authentication in Office 365 admin center AlwaysUseMSOAuthForAutoDiscover

Enable modern authentication Outlook 2016, Outlook 2019, and Outlook 365

  • Modern authentication is enabled by default

Microsoft recommends that users force Outlook to use modern authentication by setting the DWORD value of the following registry key to 1:

HKEY_CURRENT_USER\Software\Microsoft\Exchange\AlwaysUseMSOAuthForAutoDiscover

Office 2016 and Office 2019 clients support modern authentication by default, and no action is needed for the client to use these new flows. However, explicit action is required to use legacy authentication.

Read more: Outlook prompts for password after migration to Office 365 »

Summary

In this article, you learned how to enable modern authentication in Office 365 admin center. Enable the registry key AlwaysUseMSOAuthForAutoDiscover = 1 on all the machines with a GPO. It will force modern authentication on Outlook 2013, 2016, 2019, and 365. If you have Office 2013 running, don’t forget to enable the extra required registry key EnableADAL = 1.

Did you enjoy this article? You may also like Hybrid Configuration Wizard fails to connect. Don’t forget to follow us and share this article.

ALI TAJRAN

ALI TAJRAN

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others. Read more »

This Post Has 2 Comments

  1. Thank you Ali for the post! I was searching the internet hours on how to enable Modern Authentication for my users without the need of PowerShell use. Microsoft doc wasn’t helpful at all!! Your post made it simple to follow for non-professional tech folk like myself. Thank you so much! Keep rocking…

Leave a Reply

Your email address will not be published. Required fields are marked *