How To Configure Modern Authentication When Using ADFS (Server 2012) and Office365

  • Question

  • Hello,

    Can anyone please help with information on how to ensure modern authentication is working for my environment.

    I need to know the requirements, what I need to do to ensure it meets requirements, how to configure and how to ensure it's actually using modern authentication.

    Here is my environment

    I am currently using Office365 with ADFS3 on Server 2012. I am also using AD Connect to sync passwords to Office365.

    Any help will be appreciated.

    Regards

    Thursday, October 26, 2017 8:53 AM

All replies

  • It's not really an ADFS issue. Modern auth is managed at the application level. You can enable it on Exchange Online, on Skype for Business and I suppose other products might have a similar thing if they are using fat clients (if they are using only web-based clients, then it is already modern auth).

    Then the clients also need a specific version and sometimes settings.

    "When you enable modern authentication in Exchange Online, Outlook 2016 and Outlook 2013 (version 15.0.4753 or later, with a required registry setting) use modern authentication to log in to Office 365 mailboxes"

    See here: How modern authentication works for Office 2013 and Office 2016 client apps https://support.office.com/en-us/article/How-modern-authentication-works-for-Office-2013-and-Office-2016-client-apps-e4c45989-4b1a-462e-a81b-2a13191cf517?ui=en-US&rs=en-US&ad=US

    This is also helpful: Cannot sign in to Skype for Business after enable ADAL (aka Modern Authentication) https://support.microsoft.com/en-us/help/3151223/cannot-sign-in-to-skype-for-business-after-enable-adal-aka-modern-auth

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    • Marked as answer by vintagevintage Thursday, October 26, 2017 2:06 PM
    Thursday, October 26, 2017 1:10 PM
  • Thanks Pierre.

    So I don't need to make any changes on my ADFS servers and once I enable modern authentication on Office365, everything should still work? How will I know Outlook is using modern authentication and not basic authentication?

    Thursday, October 26, 2017 1:33 PM
  • Yes.

    As the document suggests, it depends on your version of Outlook. Old versions will need a registry value and the latest versions are just doing it when it is available on EXO. Eventually, if you enable the audit on ADFS, you will see what endpoint Outlook users used to authenticate.

    What you can do at the ADFS level if you wanted to, is to block the legacy clients (such as Active Sync clients). But that would prevent Active Sync clients (which honestly, I believe is a good thing since our security features in AAD such as conditional access cannot apply to legacy clients).

    But to go back to ADFS, it is on by default. No need to create a rule or enable anything.


    • Marked as answer by vintagevintage Thursday, October 26, 2017 2:06 PM
    Thursday, October 26, 2017 2:02 PM
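
The checks the replies above describe (Outlook build, the Outlook 2013 registry opt-in, and the service-side switches), as an added example that is not part of the original thread. The registry value names (`EnableADAL` and `Version` under `Common\Identity`) and the cmdlets come from Microsoft's documentation rather than from the posts, the function names are hypothetical, and the tenant check assumes remote PowerShell sessions to Exchange Online and Skype for Business Online are already open.

```powershell
# Added example (read-only): reports whether the modern-auth prerequisites are met.

function Test-OutlookModernAuthClient {
    # Run on the workstation, as the user whose Outlook profile is being checked.
    $appPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE'
    $exe     = (Get-ItemProperty -Path $appPath -ErrorAction Stop).'(default)'.Trim('"')
    $build   = [version](Get-Item -LiteralPath $exe).VersionInfo.FileVersion
    $hive    = '{0}.0' -f $build.Major      # 15.0 = Outlook 2013, 16.0 = Outlook 2016

    # Per-user identity settings; the key or its values may be absent.
    $idKey = "HKCU:\SOFTWARE\Microsoft\Office\$hive\Common\Identity"
    $id    = Get-ItemProperty -Path $idKey -ErrorAction SilentlyContinue
    $enableAdal = $id.EnableADAL            # DWORD, $null when not set
    $idVersion  = $id.Version               # DWORD, $null when not set

    $ready = switch ($build.Major) {
        # Outlook 2013: minimum build from the quoted article, plus both values set to 1.
        15 { ($build -ge [version]'15.0.4753') -and ($enableAdal -eq 1) -and ($idVersion -eq 1) }
        # Outlook 2016: modern auth is the default unless EnableADAL is explicitly 0.
        16 { $enableAdal -ne 0 }
        # Older Outlook versions are outside what the quoted article covers.
        default { $false }
    }

    [pscustomobject]@{
        OutlookBuild    = $build
        EnableADAL      = $enableAdal
        IdentityVersion = $idVersion
        ClientReady     = [bool]$ready
    }
}

function Test-TenantModernAuth {
    # Assumption: Exchange Online and Skype for Business Online sessions are connected.
    [pscustomobject]@{
        ExchangeOnlineEnabled = [bool](Get-OrganizationConfig).OAuth2ClientProfileEnabled
        SkypeOnlineEnabled    = (Get-CsOAuthConfiguration).ClientAdalAuthOverride -eq 'Allowed'
    }
}

Test-OutlookModernAuthClient
```

`ClientReady` only says the client is able to use modern authentication; which AD FS endpoint a given sign-in actually hit still has to be read from the AD FS audit events, as the last reply notes.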