How modern authentication works for Office 2016 and Office 2019 client apps
This article applies to both Microsoft 365 Enterprise and Office 365 Enterprise.
Read this article to learn how Office 2016 and Office 2019 client apps use modern authentication features based on the authentication configuration on the Microsoft 365 tenant for Exchange Online, SharePoint Online, and Skype for Business Online.
Note
Legacy client apps, such as Office 2010 and Office for Mac 2011, do not support modern authentication and can only be used with basic authentication.
Availability of modern authentication for Microsoft 365 services
For the Microsoft 365 services, the default state of modern authentication is:
Turned on for Exchange Online by default. See Enable or disable modern authentication in Exchange Online to turn it off or on.
Turned on for SharePoint Online by default.
Turned on for Skype for Business Online by default. See Enable Skype for Business Online for modern authenticationto turn it off or on.
Note
For tenants created before August 1, 2017, modern authentication is turned off by default for Exchange Online and Skype for Business Online.
Select the links below to see how Office 2016 and Office 2019 client authentication works with the Microsoft 365 services depending on whether or not modern authentication is turned on.
Exchange Online
The following table describes the authentication behavior for Office 2016 and Office 2019 client apps when they connect to Exchange Online with or without modern authentication.
| Office client app version | Registry key present? | Modern authentication on? | Authentication behavior with modern authentication turned on for the tenant (default) | Authentication behavior with modern authentication turned off for the tenant |
|---|---|---|---|---|
| Office 2019 | No, AlwaysUseMSOAuthForAutoDiscover = 1 |
Yes | Forces modern authentication on Outlook 2013, 2016, or 2019. More info |
Forces modern authentication within the Outlook client. |
| Office 2019 | No, or EnableADAL = 1 | Yes | Modern authentication is attempted first. If the server refuses a modern authentication connection, then basic authentication is used. Server refuses modern authentication when the tenant isn't enabled. | Modern authentication is attempted first. If the server refuses a modern authentication connection, then basic authentication is used. Server refuses modern authentication when the tenant isn't enabled. |
| Office 2019 | Yes, EnableADAL = 1 | Yes | Modern authentication is attempted first. If the server refuses a modern authentication connection, then basic authentication is used. Server refuses modern authentication when the tenant isn't enabled. | Modern authentication is attempted first. If the server refuses a modern authentication connection, then basic authentication is used. Server refuses modern authentication when the tenant isn't enabled. |
| Office 2019 | Yes, EnableADAL=0 | No | Basic authentication | Basic authentication |
| Office 2016 | No, AlwaysUseMSOAuthForAutoDiscover = 1 |
Yes | Forces modern authentication on 2013, 2016, or 2019. More info |
Forces modern authentication within the Outlook client. |
| Office 2016 | No, or EnableADAL = 1 | Yes | Modern authentication is attempted first. If the server refuses a modern authentication connection, then basic authentication is used. Server refuses modern authentication when the tenant isn't enabled. | Modern authentication is attempted first. If the server refuses a modern authentication connection, then basic authentication is used. Server refuses modern authentication when the tenant isn't enabled. |
| Office 2016 | Yes, EnableADAL = 1 | Yes | Modern authentication is attempted first. If the server refuses a modern authentication connection, then basic authentication is used. Server refuses modern authentication when the tenant isn't enabled. | Modern authentication is attempted first. If the server refuses a modern authentication connection, then basic authentication is used. Server refuses modern authentication when the tenant isn't enabled. |
| Office 2016 | Yes, EnableADAL=0 | No | Basic authentication | Basic authentication |
SharePoint Online
The following table describes the authentication behavior for Office 2016 and Office 2019 client apps when they connect to SharePoint Online with or without modern authentication.
| Office client app version | Registry key present? | Modern authentication on? | Authentication behavior with modern authentication turned on for the tenant (default) | Authentication behavior with modern authentication turned off for the tenant |
|---|---|---|---|---|
| Office 2019 | No, or EnableADAL = 1 | Yes | Modern authentication only. | Failure to connect. |
| Office 2019 | Yes, EnableADAL = 1 | Yes | Modern authentication only. | Failure to connect. |
| Office 2019 | Yes, EnableADAL = 0 | No | Microsoft Online Sign-in Assistant only. | Microsoft Online Sign-in Assistant only. |
| Office 2016 | No, or EnableADAL = 1 | Yes | Modern authentication only. | Failure to connect. |
| Office 2016 | Yes, EnableADAL = 1 | Yes | Modern authentication only. | Failure to connect. |
| Office 2016 | Yes, EnableADAL = 0 | No | Microsoft Online Sign-in Assistant only. | Microsoft Online Sign-in Assistant only. |
Skype for Business Online
The following table describes the authentication behavior for Office 2016 and Office 2019 client apps when they connect to Skype for Business Online with or without modern authentication.
| Office client app version | Registry key present? | Modern authentication on? | Authentication behavior with modern authentication turned on for the tenant | Authentication behavior with modern authentication turned off for the tenant (default) |
|---|---|---|---|---|
| Office 2019 | No, or EnableADAL = 1 | Yes | Modern authentication is attempted first. If the server refuses a modern authentication connection, then Microsoft Online Sign-in Assistant is used. Server refuses modern authentication when Skype for Business Online tenants aren't enabled. | Modern authentication is attempted first. If the server refuses a modern authentication connection, then Microsoft Online Sign-in Assistant is used. Server refuses modern authentication when Skype for Business Online tenants aren't enabled. |
| Office 2019 | Yes, EnableADAL = 1 | Yes | Modern authentication is attempted first. If the server refuses a modern authentication connection, then Microsoft Online Sign-in Assistant is used. Server refuses modern authentication when Skype for Business Online tenants aren't enabled. | Modern authentication is attempted first. If the server refuses a modern authentication connection, then Microsoft Online Sign-in Assistant is used. Server refuses modern authentication when Skype for Business Online tenants aren't enabled. |
| Office 2019 | Yes, EnableADAL = 0 | No | Microsoft Online Sign-in Assistant only. | Microsoft Online Sign-in Assistant only. |
| Office 2016 | No, or EnableADAL = 1 | Yes | Modern authentication is attempted first. If the server refuses a modern authentication connection, then Microsoft Online Sign-in Assistant is used. Server refuses modern authentication when Skype for Business Online tenants aren't enabled. | Modern authentication is attempted first. If the server refuses a modern authentication connection, then Microsoft Online Sign-in Assistant is used. Server refuses modern authentication when Skype for Business Online tenants aren't enabled. |
| Office 2016 | Yes, EnableADAL = 1 | Yes | Modern authentication is attempted first. If the server refuses a modern authentication connection, then Microsoft Online Sign-in Assistant is used. Server refuses modern authentication when Skype for Business Online tenants aren't enabled. | Modern authentication is attempted first. If the server refuses a modern authentication connection, then Microsoft Online Sign-in Assistant is used. Server refuses modern authentication when Skype for Business Online tenants aren't enabled. |
| Office 2016 | Yes, EnableADAL = 0 | No | Microsoft Online Sign-in Assistant only. | Microsoft Online Sign-in Assistant only. |
See also
Multifactor authentication for Microsoft 365