This article is currently a work in progress

Introduction

To learn more about modern authentication, visit: https://blogs.office.com/2015/03/23/office-2013-modern-authentication-public-preview-announced/

In order for Office clients to use modern authentication flows, the Office 365 tenant needs to be configured support modern authentication flows. You can find more details here - http://aka.ms/modernAuthClients.

Defaults

The Office 365 tenant/resource host (Exchange Online, SharePoint Online and Skype for Business Online) will need to be configured to accept a modern authentication connection. We recommend Exchange Online be enabled for modern authentication when enabling modern authentication for Skype for Business.

Here is the per service state of modern authentication by default:

  • Skype for Business Online - OFF by default.
  • Exchange Online - OFF by default.
  • SharePoint Online - ON by default.
Note: For Office 365 US Government Defense tenants, modern authentication is ON by default to enable the use of PIV and CAC cards. 

Because Skype for Business clients connect to both Skype for Business Online and Exchange Online, tenant level modern authentication settings should match for Exchange Online and Skype for Business Online.

Steps to enable modern authentication for Skype for Business Online

This article explains how to enable your Skype for Business Online tenant to support modern authentication.

  1. Connect to Skype for Business Online using remote PowerShell: https://aka.ms/SkypePowerShell
  2. Run the following command:
    • Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed
  3. Verify that the change was successful by running the following:
    • Get-CsOAuthConfiguration

Frequently Asked Questions

How can Exchange Online be configured to use modern authentication?

Via Exchange Online remote PowerShell: How to enable your tenant for modern authentication

I enabled modern authentication in my tenant, but now I want to revert it. How do I do that?

Run the following command.

Set-CsOAuthConfiguration -ClientAdalAuthOverride NoOverride

How do I use modern authentication with the Skype for Business Online Windows PowerShell Module?

Ensure your tenant is modern authentication enabled and you have the latest Skype for Business Online Windows PowerShell Module. Version 7.0.1026.0 or later is required.

To use multi-factor authentication providing a PSCredential object to New-CsOnlineSession is no longer used, New-CsOnlineSession will now prompt for credentials without a PSCredential object..

 

Examples of how to use the new connector with a modern authentication enabled tenant:

 

New-CsOnlineSession user@domain.com

will prompt for credentials for the specified user, using multi-factor authentication enabled for that user

New-CsOnlineSession

will prompt for admin UPN, then prompt for credentials for that user, using multi-factor authentication if enabled

New-CsOnlineSession <PSCredential>

Not valid if multi-factor authentication is enabled for the user. Included so that existing scripts for admins using username and password only will continue to work

 

See also