ritesh2017
Reader I

Modern Authentication

The Primitive Issue…

Microsoft's Office client applications have, since their birth, used traditional username-and-password-based authentication. Whether we enter the password each time or cache it, the client always needed the password. The problem persisted for a long time even after companies started using Azure Active Directory or O365 in the cloud.

This defeated the whole purpose of attaining Single Sign-On (via ADFS or any SAML- or OAuth-based IdP) with the Outlook client. There was no support for smart card or certificate-based authentication. Privileged users couldn't use Multi-Factor Authentication (MFA) to securely access their mail via the Outlook client.

 

Time to go Modern…

Better late than never, Microsoft recently introduced Modern Authentication to the rescue. It is based on ADAL (Active Directory Authentication Library) and enables features like MFA and SAML-based third-party Identity Providers with Office client applications. Once MA is enabled, the Office client behaves exactly like a web browser when authenticating, that is, the same as the Azure AD sign-in experience in browser-based clients, including the MFA experience. Modern Authentication in Office 365 lets desktop applications use ADAL-based authentication and eliminates the need to memorize randomly generated app passwords.

 

Access and Refresh….

The Access Token is short-lived, valid for about an hour, and is used to gain access to Office 365 services. The Refresh Token is longer-lived (default 14 days); when the Access Token expires, the Office client presents the Refresh Token to Azure Active Directory and requests a new Access Token to continue using the service. Conditional Access Policies (including MFA) may force users to provide authentication details again even though the Refresh Token is still valid. This eliminates the username and password completely.

 

How to go Modern?

  1. Office 2016 client: works by default.
  2. Office 2013: needs registry key changes on the client machine. Can be pushed via GPOs.
  3. MAPI over HTTP protocol: RPC is being deprecated and isn't supported. Hence the client must be using the MAPI over HTTP protocol.

HKEY_CURRENT_USER\Software\Microsoft\Exchange: check for "MapiHttpDisabled". If present, set it to 0.

  4. Office 365 Exchange Online is off by default. Run the command below as admin to turn it on:

Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

  5. SharePoint Online is on by default.
  6. Skype for Business Online is off by default. Run the command below as admin to turn it on:

Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed

 

Advantages:

Single Sign-On for Microsoft Office.

Multi-Factor Authentication for Office clients.

Ideal for Remote Desktop/Citrix clients.

Seamless migration onto Office 365 without passwords.

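The steps above, as one PowerShell run-book. This is an added example, not code from the original post or a Microsoft script: the client-side part is run on the workstation, the tenant-side part from an admin console. It assumes the Exchange Online PowerShell module (Connect-ExchangeOnline) is installed and that a Skype for Business Online / Teams session exposing Get-CsOAuthConfiguration is already connected. The Office 2013 registry values EnableADAL and Version under the 15.0 Identity key are the ones Microsoft documents for ADAL on Office 2013; the post itself does not name them.

```powershell
# Added example (not from the original post): enable Modern Authentication in
# the order the post describes, checking state before and after each change.

# --- Client side (Office 2013 / MAPI over HTTP) -------------------------------

# Office 2016 needs nothing. Office 2013 needs ADAL switched on under the 15.0
# Identity key. Value names EnableADAL and Version are Microsoft's documented
# ones for Office 2013 (assumption: the March 2015 or later Office 2013 updates
# are installed, which the post does not mention).
$identityKey = 'HKCU:\Software\Microsoft\Office\15.0\Common\Identity'
if (-not (Test-Path $identityKey)) { New-Item -Path $identityKey -Force | Out-Null }
Set-ItemProperty -Path $identityKey -Name 'EnableADAL' -Value 1 -Type DWord
Set-ItemProperty -Path $identityKey -Name 'Version'    -Value 1 -Type DWord

# MAPI over HTTP must not be disabled. Per the post: if MapiHttpDisabled exists
# under HKCU\Software\Microsoft\Exchange, set it to 0. Absent means "not disabled",
# so nothing is created when the value is missing.
$exchangeKey = 'HKCU:\Software\Microsoft\Exchange'
if (Test-Path $exchangeKey) {
    $mapiDisabled = (Get-ItemProperty -Path $exchangeKey -ErrorAction SilentlyContinue).MapiHttpDisabled
    if ($null -ne $mapiDisabled -and $mapiDisabled -ne 0) {
        Set-ItemProperty -Path $exchangeKey -Name 'MapiHttpDisabled' -Value 0 -Type DWord
        "MapiHttpDisabled was $mapiDisabled, set to 0"
    }
}

# --- Tenant side ---------------------------------------------------------------

# Exchange Online: off by default. Read the flag, change only if needed, re-read.
# (Assumes the Exchange Online PowerShell module; older tenants used a remote
#  PSSession to outlook.office365.com instead.)
Connect-ExchangeOnline
$before = (Get-OrganizationConfig).OAuth2ClientProfileEnabled
if (-not $before) {
    Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
}
$after = (Get-OrganizationConfig).OAuth2ClientProfileEnabled
"Exchange Online OAuth2ClientProfileEnabled: was $before, now $after"

# Skype for Business Online: off by default. Assumes the Cs* session is already
# established; Get-CsOAuthConfiguration shows the current override value.
$cs = Get-CsOAuthConfiguration
if ($cs.ClientAdalAuthOverride -ne 'Allowed') {
    Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed
}
"Skype for Business Online ClientAdalAuthOverride: $((Get-CsOAuthConfiguration).ClientAdalAuthOverride)"
```

After the tenant-side flags are on, verify from a client by signing out of Outlook and signing back in: a browser-style Azure AD sign-in page, with the MFA prompt where Conditional Access requires it, is the sign that the client is using ADAL rather than the old credential dialog. One caveat the post does not cover: turning OAuth on does not by itself turn legacy username/password (basic) authentication off, so clients that still fall back to it, and the app passwords that go with them, remain usable until basic authentication is blocked separately.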
6 Replies
ccorrea
Newcomer I

Nice post about authentication for Office 365 services.

I was also against the app passwords, which would get saved as it would be too hard for someone to remember them.

Though, even on Office 2016 with modern authentication, I am having some issues with some accounts that keep asking for authentication. Working with Microsoft at the moment trying to figure out why.
ritesh2017
Reader I

Thanks ccorrea!
Moreover, the app passwords were so complicated that you definitely would save them; this defies the purpose of having a password.
denbesten
Community Champion



@ccorrea wrote:
I was also against the app passwords which would get saved as it would be too hard for someone to remember them.

There is no need to write it down or remember it.  Ideally one only uses an app password in scenarios where one would normally store a password, such as the email app on your phone or an imap client on your PC.  Once stored, you simply "forget" the password.  When it comes time to reinstall the app, you delete the old app password and create a new one.

 

Once freed from the need to remember a password, one can easily geek out on making it hard to brute-force. For example, here is one I just generated but did not use (because it was just posted to a public forum :) ).

 

MDZtPS!tVrY1^UAtsu#o0sED*H@y277cL$gS#c7oDl4G$$Hd^!xzr%OKlSGRYL4

 

The goal behind app passwords is to ensure that "legacy" apps do not prevent you from using more "modern" security strategies, such as SAML or MFA for your interactive logins. This is an example of "don't let perfect be the enemy of good".

 

 

 

Caute_cautim
Community Champion

However, when you are dealing with healthcare IoT devices and PII, we need to think outside the box, and think about DeIdentified Identifiers, or DDs, for instance.

 

Example:

 

https://www.evernym.com/wp-content/uploads/2017/07/The-Technical-Foundations-of-Sovrin.pdf

 

Regards

 

Caute_cautim

 

 

 

rajsrajput18
Viewer III

Hi Ritesh,

 

Thank you for sharing it. We have all devices with the Office 2016 client; however, it still asks for an app password. Not sure if there is some setting in Office 365 that needs to be changed to push for ADAL. I guess the question goes to Office 365, but if you have faced this situation and are aware of the resolution, please let me know.

 

Thanks,

Raj


rajsrajput18
Viewer III

I just reviewed this article, and you have already mentioned the PowerShell commands.

https://support.office.com/en-gb/article/enable-or-disable-modern-authentication-in-exchange-online-...