Enable or disable modern authentication for Outlook in Exchange Online
Modern authentication in Exchange Online enables authentication features like multi-factor authentication (MFA), smart cards, certificate-based authentication (CBA), and third-party SAML identity providers. Modern authentication is based on the Active Directory Authentication Library (ADAL) and OAuth 2.0.
When you enable modern authentication in Exchange Online, Windows-based Outlook clients that support modern authentication (Outlook 2013 or later) use modern authentication to connect to Exchange Online mailboxes. For more information, see How modern authentication works for Office client apps.
When you disable modern authentication in Exchange Online, Windows-based Outlook clients that support modern authentication use basic authentication to connect to Exchange Online mailboxes. They don't use modern authentication.
Notes:
- Modern authentication is enabled by default in Exchange Online, Skype for Business Online, and SharePoint Online.
Note
For tenants created before August 1, 2017, modern authentication is turned off by default for Exchange Online and Skype for Business Online.
Enabling or disabling modern authentication in Exchange Online as described in this topic only affects modern authentication connections by Windows-based Outlook clients that support modern authentication (Outlook 2013 or later).
Enabling or disabling modern authentication in Exchange Online as described in this topic does not affect other email clients that support modern authentication (for example, Outlook Mobile, Outlook for Mac 2016, and Exchange ActiveSync in iOS 11 or later). These other email clients always use modern authentication to log in to Exchange Online mailboxes.
Enabling or disabling modern authentication has no effect on IMAP or POP3 clients. However, if you've enabled security defaults in your organization, POP3 and IMAP4 are already disabled in Exchange Online. For more information, see Security defaults in Microsoft Entra ID.
When you enable modern authentication in Exchange Online, Windows-based Outlook clients that support modern authentication will be prompted to log in again. Further, the Basic Auth login dialog box and the Modern Auth dialog box look very different. See the Outlook and Basic Auth section of the Basic Auth and Exchange Online blog post for details.
You should synchronize the state of modern authentication in Exchange Online with Skype for Business Online to prevent multiple log in prompts in Skype for Business clients. For instructions, see Skype for Business Online: Enable your tenant for modern authentication.
A user with multiple accounts configured in their Outlook profile might receive an error when they try to connect to their mailbox. For more information, see KB 4516672
Enable or disable modern authentication in Exchange Online for client connections in Outlook 2013 or later
Using Exchange Online PowerShell
Do one of these steps:
Run the following command to enable modern authentication connections to Exchange Online by Outlook 2013 or later clients:
Set-OrganizationConfig -OAuth2ClientProfileEnabled $trueNote that the previous command does not block or prevent Outlook 2013 or later clients from using basic authentication connections.
Run the following command to prevent modern authentication connections (force the use of basic authentication connections) to Exchange Online by Outlook 2013 or later clients:
Set-OrganizationConfig -OAuth2ClientProfileEnabled $false
To verify that the change was successful, run the following command:
Get-OrganizationConfig | Format-Table Name,OAuth* -Auto
Using the Microsoft 365 admin center
In the Microsoft 365 admin center, go to Settings > Org Settings > Modern Authentication. In the Modern authentication flyout that appears, click to enable or disable Turn on modern authentication for Outlook 2013 for Windows and later (recommended).
See also
How modern authentication works for Office 2013 and Office 2016 client apps