

Modern authentication behavior across Office 2013 and Office 2016

This article explains how Office 2013 and Office 2016 clients use modern authentication features based on the authentication configuration on the Office 365 tenant (Exchange Online, SharePoint Online and Skype for Business Online).

Modern authentication features are gated by a two-part switch:

1) Service: The Office 365 tenant/resource host (Exchange Online, SharePoint Online and Skype for Business Online) needs to be configured to accept a modern authentication connection. Here is the default per-service state of modern authentication:

a. Exchange Online - ON by default
b. SharePoint Online - ON by default
c. Skype for Business Online - ON by default.

Note: Default settings changed on 1 August 2017 for NEW tenants. Settings on existing tenants will not be changed.

2) Client: Office 2013 clients support legacy authentication by default (Microsoft Online Sign-in Assistant or basic authentication, as applicable). For these clients to use modern authentication features, the Windows user running Office 2013 needs to have certain registry keys set. They are defined here: http://aka.ms/AuthAdminHowTo.

Office 2016 clients support modern authentication by default, and no action is needed for the client to use these new flows. However, explicit action is needed to use legacy authentication.

The following table explains client behavior while working against Exchange, SharePoint and Skype for Business tenants in Office 365.

| Office version | Registry key | Modern authentication effective? | Exchange Online (default is OFF): modern authentication enabled (default) | Exchange Online: modern authentication disabled | SharePoint Online (default is ON): modern authentication enabled (default) | SharePoint Online: modern authentication disabled | Skype for Business Online (default is OFF): modern authentication enabled (default) | Skype for Business Online: modern authentication disabled |
|---|---|---|---|---|---|---|---|---|
| Office 2016 | No registry key | Yes | Attempt modern authentication, fail over to basic authentication if server refuses modern authentication connection (which is the case when tenant is not enabled) | Attempt modern authentication, fail over to basic authentication if server refuses modern authentication connection (which is the case when tenant is not enabled) | Modern authentication only | Modern authentication only | Attempt modern authentication, fail over to Microsoft Online Sign-in Assistant if the server refuses a modern authentication connection (which is the case when tenant is not enabled) | Attempt modern authentication, fail over to Microsoft Online Sign-in Assistant if the server refuses a modern authentication connection (which is the case when tenant is not enabled) |
| Office 2016 | EnableADAL = 1 | Yes | Attempt modern authentication, fail over to basic authentication if server refuses modern authentication connection (which is the case when tenant is not enabled) | Attempt modern authentication, fail over to basic authentication if server refuses modern authentication connection (which is the case when tenant is not enabled) | Modern authentication only | Failure to connect | Attempt modern authentication, fail over to Microsoft Online Sign-in Assistant if the server refuses a modern authentication connection (which is the case when tenant is not enabled) | Attempt modern authentication, fail over to Microsoft Online Sign-in Assistant if the server refuses a modern authentication connection (which is the case when tenant is not enabled) |
| Office 2016 | EnableADAL = 0 | No | Basic auth | Basic auth | Microsoft Online Sign-in Assistant only | Microsoft Online Sign-in Assistant only | Microsoft Online Sign-in Assistant only | Microsoft Online Sign-in Assistant only |
| Office 2013 | No registry key set | No | Basic auth | Basic auth | Microsoft Online Sign-in Assistant only | Microsoft Online Sign-in Assistant only | Microsoft Online Sign-in Assistant only | Microsoft Online Sign-in Assistant only |
| Office 2013 | EnableADAL = 1 | Yes | Attempt modern authentication, fail over to basic authentication if server refuses modern authentication connection (which is the case when tenant is not enabled) | Attempt modern authentication, fail over to basic authentication if server refuses modern authentication connection (which is the case when tenant is not enabled) | | | Attempt modern authentication, fail over to Microsoft Online Sign-in Assistant if the server refuses a modern authentication connection (which is the case when tenant is not enabled) | Microsoft Online Sign-in Assistant only |
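
The table above can be applied to a client inventory to list the machines and services where legacy authentication (basic authentication or Microsoft Online Sign-in Assistant) is the expected outcome. This is an added example, not code from the original article or from Microsoft. The function names, category labels, host names and tenant state are assumptions made for illustration, and an absent EnableADAL value is represented as `None`.

```python
# Added example: encodes the article's behavior table. Host names and tenant
# state below are constructed sample data; all names here are hypothetical.
SERVICES = ("exchange", "sharepoint", "skype")

def modern_effective(version, enable_adal):
    """'Modern authentication effective?' column; enable_adal is None if no key is set."""
    if version == 2016:
        return enable_adal != 0      # on unless explicitly disabled
    if version == 2013:
        return enable_adal == 1      # off unless explicitly enabled
    raise ValueError(f"version not covered by the table: {version}")

def behavior(version, enable_adal, service, tenant_modern):
    """Table cell as one of: modern-only, fallback, legacy-only, no-connection, not-stated."""
    if service not in SERVICES:
        raise ValueError(f"unknown service: {service}")
    if not modern_effective(version, enable_adal):
        return "legacy-only"         # basic auth (Exchange) or Sign-in Assistant
    if service == "exchange":
        return "fallback"            # modern first, basic auth if refused
    if service == "sharepoint":
        if version == 2013:
            return "not-stated"      # these cells are empty in the table
        if enable_adal == 1 and not tenant_modern:
            return "no-connection"
        return "modern-only"
    if version == 2013 and not tenant_modern:
        return "legacy-only"         # Skype: Sign-in Assistant only
    return "fallback"                # Skype: modern first, Sign-in Assistant if refused

def legacy_exposure(inventory, tenant):
    """Map host -> services where legacy authentication is the expected outcome."""
    report = {}
    for host, version, enable_adal in inventory:
        hits = []
        for s in SERVICES:
            cell = behavior(version, enable_adal, s, tenant[s])
            # A fallback only fires when the tenant refuses modern authentication.
            if cell == "legacy-only" or (cell == "fallback" and not tenant[s]):
                hits.append(s)
        if hits:
            report[host] = hits
    return report

INVENTORY = [("pc-01", 2016, None), ("pc-02", 2016, 0), ("pc-03", 2013, None), ("pc-04", 2013, 1)]
TENANT = {"exchange": True, "sharepoint": True, "skype": False}  # modern auth enabled?

if __name__ == "__main__":
    for host, services in legacy_exposure(INVENTORY, TENANT).items():
        print(host, "->", ", ".join(services))
```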

Activation:
The activation scenario does not cause the client to connect to any of the Office 365 services mentioned above, so the modern authentication status of these tenants is immaterial for activation.

Connecting to on-premises servers:
All clients, irrespective of their modern authentication state, will continue to work against on-premises servers as before; no changes are expected.