This article explains how Office 2013 and Office 2016 clients use modern authentication features based on the authentication configuration on the Office 365 tenant (Exchange Online, SharePoint Online and Skype for Business Online).

Modern authentication features are gated by a two-part switch :

1) Service : The Office 365 tenant/resource host (Exchange Online, SharePoint Online and Skype for Business Online) will need to be configured to accept a modern authentication connection. Here is the per service state of modern authentication by default :

a. Exchange Online - ON by default
b. SharePoint Online - ON by default
c. Skype for Business Online - ON by default.

Note: Default settings changed 1 augustus 2017 for NEW tenants. Settings on already existing tenants will not be changed.

2) Client : Office 2013 clients support legacy authentication by default (Microsoft Online Sign-in Assistant or basic authentication, as applicable). In order for these clients to use modern authentication features, the Windows user running Office 2013 needs to have certain registry keys set. They are defined here : http:\\aka.ms\AuthAdminHowTo.

Office 2016 clients support modern authentication by default, and no action is needed for the client to use these new flows. However, explicit action is needed to use legacy authentication.

The following table explains client behavior while working against Exchange, SharePoint and Skype for Business tenants in Office 365.

 Office Client Exchange Online (default is OFF) SharePoint Online (Default is ON) Skype for Business Online (Default is OFF)
Office version Registry key Modern authentication effective? Modern authentication enabled
(default)
Modern authentication disabled Modern authentication enabled (default) Modern authentication disabled Modern authentication enabled
(default)
Modern authentication disabled 
 Office 2016 No registry key Yes Attempt modern authentication, fail over to basic authentication if server refuses modern authentication connection (which is the case when tenant is not enabled)  Attempt modern authentication, fail over to basic authentication if server refuses modern authentication connection (which is the case when tenant is not enabled)  Modern authentication only Modern authentication only Attempt modern authentication, fail over to Microsoft Online Sign-in Assistant if the server refuses a modern authentication connection (which is the case when tenant is not enabled)  Attempt modern authentication, fail over to Microsoft Online Sign-in Assistant if the server refuses a modern authentication connection (which is the case when tenant is not enabled)
 Office 2016 EnableADAL = 1 Yes  Attempt modern authentication, fail over to basic authentication if server refuses modern authentication connection (which is the case when tenant is not enabled)  Attempt modern authentication, fail over to basic authentication if server refuses modern authentication connection (which is the case when tenant is not enabled) Modern authentication only   Failure to connect  Attempt modern authentication, fail over to Microsoft Online Sign-in Assistant if the server refuses a modern authentication connection (which is the case when tenant is not enabled)   Attempt modern authentication, fail over to Microsoft Online Sign-in Assistant if the server refuses a modern authentication connection (which is the case when tenant is not enabled)
 Office 2016 EnableADAL = 0 No Basic auth Basic auth Microsoft Online Sign-in Assistant only Microsoft Online Sign-in Assistant only  Microsoft Online Sign-in Assistant only  Microsoft Online Sign-in Assistant only
 Office 2013 No registry key set No Basic auth Basic auth Microsoft Online Sign-in Assistant only Microsoft Online Sign-in Assistant only  Microsoft Online Sign-in Assistant only  Microsoft Online Sign-in Assistant only
 Office 2013 EnableADAL = 1 Yes Attempt modern authentication, fail over to basic authentication if server refuses modern authentication connection (which is the case when tenant is not enabled) Attempt modern authentication, fail over to basic authentication if server refuses modern authentication connection (which is the case when tenant is not enabled)      Attempt modern authentication, fail over to Microsoft Online Sign-in Assistant if the server refuses a modern authentication connection (which is the case when tenant is not enabled)  Microsoft Online Sign-in Assistant only

Activation :

The activation scenario does not cause the client to connect to any of the Office 365 services mentioned above, so the modern authentication status of these tenants is immaterial for activation.

Connecting to on-premises servers :
All clients irrespective of their modern authentication state will continue to work against on-premises servers as before, no changes expected.