Office 2013 and Office 365 ProPlus modern authentication and client access filtering policies: Things to know before onboarding


This information is relevant to organizations that use Active Directory Federation Services (AD FS) for client access filtering policies and want to onboard their Exchange Online and SharePoint Online tenants to the public preview of Office 2013 modern authentication.


With modern authentication, all clients use passive flows (WS-Federation) and therefore appear to AD FS as browser traffic, no matter which application actually made the request. Use your current policy to determine which changes you need to make:


Scenario 1
    Current client access filtering policy: Block all external access to Office 365
    After enabling modern authentication: Continue to rely on existing AD FS policies (client traffic now comes in on the WS-Federation endpoint)
    Action needed: None

Scenario 2
    Current client access filtering policy: Block all external access to Office 365 except Exchange ActiveSync
    After enabling modern authentication: Continue to rely on existing AD FS policies (client traffic now comes in on the WS-Federation endpoint)
    Action needed: None

Scenario 3
    Current client access filtering policy: Block all external access to Office 365 except browser-based apps
    After enabling modern authentication: Implement conditional policies in Office 365/Azure AD to block "rich client" traffic (allow it on AD FS).
    Action needed: This scenario is not yet supported in the public preview; we recommend that organizations relying on it do not onboard their tenants to modern authentication.


If scenario 3 applies to you and you enable modern authentication on your tenant, rich clients (Outlook and other Office apps) will be able to bypass your AD FS client access filtering policies and access resources such as Exchange Online and SharePoint Online, because their requests now arrive on the same passive endpoint that your policy allows for browsers.
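To make the scenario 3 gap concrete, here is an added example (not from the original article) that models in Python how an AD FS issuance authorization rule of the documented "block all external access except browser-based apps" shape evaluates a request. It assumes the standard AD FS request-context claim types (x-ms-proxy, x-ms-endpoint-absolute-path) and, as the article states, that modern authentication clients arrive on the passive /adfs/ls/ endpoint; the request contexts are constructed sample data.

```python
# Added illustration (not from the original article): a minimal model of an
# AD FS issuance authorization rule for scenario 3 ("block all external
# access except browser-based apps") and how it behaves once rich clients
# switch to the passive WS-Federation endpoint. Claim type URIs are the
# standard AD FS request-context claims; the rule shape follows Microsoft's
# published pattern (an assumption, verify against your own rule set).

PROXY = "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"
ENDPOINT_PATH = "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path"
DENY = "http://schemas.microsoft.com/authorization/claims/deny"

PASSIVE_ENDPOINT = "/adfs/ls/"  # browser endpoint; modern auth clients use it too


def scenario3_rule(claims):
    """Issue a deny claim when the request came through the Web Application
    Proxy (i.e. is external) AND did not arrive on the passive endpoint.

    Mirrors the claim rule:
      exists([Type == x-ms-proxy])
      && NOT exists([Type == x-ms-endpoint-absolute-path, Value == "/adfs/ls/"])
      => issue(Type = deny, Value = "true");
    """
    is_external = any(t == PROXY for t, _ in claims)
    on_passive = any(t == ENDPOINT_PATH and v == PASSIVE_ENDPOINT for t, v in claims)
    if is_external and not on_passive:
        return [(DENY, "true")]
    return []


def is_blocked(claims):
    """True if the rule above denies the request."""
    return any(t == DENY and v == "true" for t, v in scenario3_rule(claims))


# Constructed request contexts, as AD FS would see them (values are sample data).
LEGACY_RICH_CLIENT = [
    (PROXY, "wap01"),                                             # came via the proxy
    (ENDPOINT_PATH, "/adfs/services/trust/2005/usernamemixed"),   # active WS-Trust
]
MODERN_AUTH_RICH_CLIENT = [
    (PROXY, "wap01"),
    (ENDPOINT_PATH, PASSIVE_ENDPOINT),   # Outlook now looks exactly like a browser
]
INTERNAL_RICH_CLIENT = [
    (ENDPOINT_PATH, "/adfs/services/trust/2005/usernamemixed"),   # no x-ms-proxy claim
]

if __name__ == "__main__":
    print("legacy external Outlook blocked:", is_blocked(LEGACY_RICH_CLIENT))            # True
    print("modern auth external Outlook blocked:", is_blocked(MODERN_AUTH_RICH_CLIENT))  # False
    print("internal Outlook blocked:", is_blocked(INTERNAL_RICH_CLIENT))                 # False
```

The second case is the bypass the article describes: the AD FS rule can no longer tell a rich client from a browser, which is why the mitigation for scenario 3 has to live in Office 365/Azure AD conditional policy rather than in AD FS.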