topic Re: Modern Authentication in Tech Talk

Modern Authentication

ritesh2017 — Mon, 24 Sep 2018 14:28:01 GMT

The Primitive Issue…

The Microsoft’s Office client applications, since its birth has been using the traditional username and password based authentication. Either we enter the password each time or we cache it, it always needed the password. The problem persisted for a long time even after the companies started using Azure Active Directory or O365 on cloud.

This defeated the whole purpose of attaining Single Sign On (via ADFS or any SAML or OAuth based IDPs) with Outlook client. There was no support for using smart card or certificate-based authentication. The privileged users couldn’t use the Multifactor authentication (MFA) in order to securely access the mail via outlook client.

Time to go Modern…

Better late than never, Microsoft recently introduced Modern Authentication to the rescue. It works based on ADAL (Active Directory Authentication Library) and enable features like MFA, SAML-based third-party Identity Providers with Office client applications. Once MA is enabled, Office client will behave exactly as a Web Browser when authenticating. That is exactly similar to Azure AD sign-in experience into browser-based clients including the MFA experience. Modern Authentication in Office 365 helps desktop applications to user ADAL-based authentication and eliminates the need to memorize randomly generated app passwords.

Access and Refresh….

The Access Token is a short-lived token, valid for about an hour and is used to gain access to the Office 365 services. The Refresh Token is longer-lived (default 14 days), when the Access Token expires the Office client will present the Refresh Token to Azure Active Directory and request a new Access Token to continue using the service. Conditional Access Policies (including MFA) may force users to provide authentication details again even though the Refresh Token is still valid. This eliminates the username and password completely.

How to go Modern?

Office 2016 Client : Works by default
Office 2013: Needs registry key changes on client machine. Can be pushed via GPOs.
MAPI over HTTP Protocol : RPC is deprecating and isn’t supported. Hence client must be using MAPI protocol.

HKEY_CURRENT_USER > Software > Microsoft > Exchange. Check for "MapiHttpDisabled". If present, make it 0.

Office 365 Exchange Online is off by default. Run the below command as admin to set it on

Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

SharePoint Online is on by default.
Skype for Business Online is off by default. Run the below command as admin to set it on

Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed

Advantages:

Single Sign on for Microsoft Office.

Multiple Factor Authentication for Office clients.

Ideal for Remote Desktop/Citrix clients

Seamless migration onto Office365 without passwords

Re: Modern Authentication

ccorrea — Thu, 27 Sep 2018 12:52:29 GMT

Nice post about authentication for Office 365 services.

I was also against the app passwords which would get saved as it would be to had for someone to remember them.

Though, even on Office 2016 with modern authentication I having some issues with some accounts that keeps asking for authentication. Working with Microsoft at the moment trying to figure out why.

Re: Modern Authentication

ritesh2017 — Mon, 08 Oct 2018 15:13:49 GMT

Thanks ccorrea!
Moreover, the app passwords were so complicated, that you definitely will save it. this defies the purpose of having a password.

Re: Modern Authentication

denbesten — Mon, 08 Oct 2018 22:25:09 GMT

@ccorrea wrote:
I was also against the app passwords which would get saved as it would be too hard for someone to remember them.

There is no need to write it down or remember it. Ideally one only uses an app password in scenarios where one would normally store a password, such as the email app on your phone or an imap client on your PC. Once stored, you simply "forget" the password. When it comes time to reinstall the app, you delete the old app password and create a new one.

Once freed from the need to remember a password, one can easily geek out on making it hard to brute-force. For example, here is one I just generated but did not use (because it was just posted to a public forum ).

MDZtPS!tVrY1^UAtsu#o0sED*H@y277cL$gS#c7oDl4G$$Hd^!xzr%OKlSGRYL4

The goal behind app passwords is to ensure that "legacy" apps do not prevent you from using more "modern" security strategies, such as SAML or MFA for your interactive logins. This is an example of don't let perfect be the enemy of good.

Re: Modern Authentication

Caute_cautim — Thu, 11 Oct 2018 20:03:56 GMT

However, when you are dealing with healthcare IoT devices, and PII we need to think outside the box, and thinking about DeIdentified Identifiers or DD's for instance.

Example:

https://www.evernym.com/wp-content/uploads/2017/07/The-Technical-Foundations-of-Sovrin.pdf

Regards

Caute_cautim

Re: Modern Authentication

rajsrajput18 — Wed, 24 Oct 2018 00:54:17 GMT

Hi Ritesh,

Thank you for sharing it.We have all devices with office 2016 client, however, it still asks for app password. Not sure if there is some setting in office 365 needs to be changed to push for ADAL. I guess the question goes to office 365 but if you have faced the situation and are aware with resolution, please let me know.

Thanks,

Raj

@ritesh2017 wrote:
The Primitive Issue…
The Microsoft’s Office client applications, since its birth has been using the traditional username and password based authentication. Either we enter the password each time or we cache it, it always needed the password. The problem persisted for a long time even after the companies started using Azure Active Directory or O365 on cloud.
This defeated the whole purpose of attaining Single Sign On (via ADFS or any SAML or OAuth based IDPs) with Outlook client. There was no support for using smart card or certificate-based authentication. The privileged users couldn’t use the Multifactor authentication (MFA) in order to securely access the mail via outlook client.

Time to go Modern…
Better late than never, Microsoft recently introduced Modern Authentication to the rescue. It works based on ADAL (Active Directory Authentication Library) and enable features like MFA, SAML-based third-party Identity Providers with Office client applications. Once MA is enabled, Office client will behave exactly as a Web Browser when authenticating. That is exactly similar to Azure AD sign-in experience into browser-based clients including the MFA experience. Modern Authentication in Office 365 helps desktop applications to user ADAL-based authentication and eliminates the need to memorize randomly generated app passwords.

Access and Refresh….
The Access Token is a short-lived token, valid for about an hour and is used to gain access to the Office 365 services. The Refresh Token is longer-lived (default 14 days), when the Access Token expires the Office client will present the Refresh Token to Azure Active Directory and request a new Access Token to continue using the service. Conditional Access Policies (including MFA) may force users to provide authentication details again even though the Refresh Token is still valid. This eliminates the username and password completely.

How to go Modern?
Office 2016 Client : Works by default
Office 2013: Needs registry key changes on client machine. Can be pushed via GPOs.
MAPI over HTTP Protocol : RPC is deprecating and isn’t supported. Hence client must be using MAPI protocol.
HKEY_CURRENT_USER > Software > Microsoft > Exchange. Check for "MapiHttpDisabled". If present, make it 0.
Office 365 Exchange Online is off by default. Run the below command as admin to set it on
Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
SharePoint Online is on by default.
Skype for Business Online is off by default. Run the below command as admin to set it on
Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed

Advantages:
Single Sign on for Microsoft Office.
Multiple Factor Authentication for Office clients.
Ideal for Remote Desktop/Citrix clients
Seamless migration onto Office365 without passwords

Re: Modern Authentication

rajsrajput18 — Wed, 24 Oct 2018 00:58:19 GMT

just reviewed this article and you have already mentioned the Powershell commands.

https://support.office.com/en-gb/article/enable-or-disable-modern-authentication-in-exchange-online-58018196-f918-49cd-8238-56f57f38d662