How modern authentication works for Office 2013, Office 2016, and Office 2019 client apps
This article applies to both Microsoft 365 Enterprise and Office 365 Enterprise.
Read this article to learn how Office 2013, Office 2016, and Office 2019 client apps use modern authentication features based on the authentication configuration on the Microsoft 365 tenant for Exchange Online, SharePoint Online, and Skype for Business Online.
Note
Legacy client apps, such as Office 2010 and Office for Mac 2011, do not support modern authentication and can only be used with basic authentication.
Availability of modern authentication for Microsoft 365 services
For the Microsoft 365 services, the default state of modern authentication is:
Turned on for Exchange Online by default. See Enable or disable modern authentication in Exchange Online to turn it off or on.
Turned on for SharePoint Online by default.
Turned on for Skype for Business Online by default. See Enable Skype for Business Online for modern authenticationto turn it off or on.
Note
For tenants created before August 1, 2017, modern authentication is turned off by default for Exchange Online and Skype for Business Online.
Sign-in behavior of Office client apps
Office 2013 client apps support legacy authentication by default. Legacy means that they support either Microsoft Online Sign-in Assistant or basic authentication. In order for these clients to use modern authentication features, the Windows client must have registry keys set. For instructions, see Enable Modern Authentication for Office 2013 on Windows devices.
Important
The use of basic authentication is being deprecated for Exchange Online mailboxes on Microsoft 365. This means that if Outlook 2013 is not configured to use modern authentication, it loses the ability to connect. Read this article for more information about basic auth deprecation.
To enable modern authentication for any devices running Windows (for example on laptops and tablets), that have Microsoft Office 2013 installed, you need to set the following registry keys. The keys have to be set on each device that you want to enable for modern authentication:
| Registry key | Type | Value |
|---|---|---|
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Common\Identity\EnableADAL | REG_DWORD | 1 |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Common\Identity\Version | REG_DWORD | 1 |
| HKEY_CURRENT_USER\Software\Microsoft\Exchange\AlwaysUseMSOAuthForAutoDiscover | REG_DWORD | 1 |
Read How to use Modern Authentication (ADAL) with Skype for Business to learn about how it works with Skype for Business.
Software requirements
To enable multifactor authentication (MFA) for Office 2013 client apps, you must have the software listed below installed (at the version listed below, or a later version). The process is different depending on your installation type (either MSI-based, or via Click-to-run.)
First, find out if your Office installation is MSI-based or Click-to-run with the steps below.
- Start Outlook 2013.
- On the File menu, select Office Account.
- For Outlook 2013 Click-to-Run installations an Update Options item is displayed. For MSI-based installations, the Update Options item is not displayed.
- The Click-to-run Update Options button will tell you 'Updates are automatically downloaded and installed', and your current version.
Click-to-run based installations
For Click-to-run based installations you must have the following software installed at a file version listed below, or a later file version. If your file version is not equal to, or greater than, the file version listed, update it using the steps below.
| File name | Install path on your computer | File version |
|---|---|---|
| MSO.DLL | C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesCommonx86\Microsoft Shared\OFFICE15\MSO.DLL | 15.0.4753.1001 |
| CSI.DLL | CSI.DLL C:\Program Files\Microsoft Office 15\root\office15\csi.dll | 15.0.4753.1000 |
| Groove.EXE* | C:\Program Files\Microsoft Office 15\root\office15\GROOVE.exe | 15.0.4763.1000 |
| Outlook.exe | C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.exe | 15.0.4753.1002 |
| ADAL.DLL | C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesCommonx86\Microsoft Shared\OFFICE15\ADAL.DLL | 1.0.2016.624 |
| Iexplore.exe | C:\Program Files\Internet Explorer | varies |
* If the Groove.EXE component is not present in your Office installation, it doesn't need to be installed for ADAL to work. However, if it is present, then the build for Groove.EXE listed here is required.
MSI-based installations
For MSI-based installations the following software must be installed at the file version listed below, or a later file version. If your file version is not equal to, or greater than, the file version listed below, update using the link in the Update KB Article column.
| File name | Install path on your computer | Where to get the update | Version |
|---|---|---|---|
| MSO.DLL | C:\Program Files\Common Files\Microsoft Shared\OFFICE15\MSO.DLL | KB3085480 | 15.0.4753.1001 |
| CSI.DLL | C:\Program Files\Common Files\Microsoft Shared\OFFICE15\Csi.dll | KB3172545 | 15.0.4753.1000 |
| Groove.exe* | C:\Program Files\Microsoft Office\Office15\GROOVE.EXE | KB4022226 | 15.0.4763.1000 |
| Outlook.exe | C:\Program Files\Microsoft Office\Office15\OUTLOOK.EXE | KB4484096 | 15.0.4753.1002 |
| ADAL.DLL | C:\Program Files\Common Files\Microsoft Shared\OFFICE15\ADAL.DLL | KB3085565 | 1.0.2016.624 |
| Iexplore.exe | C:\Program Files\Internet Explorer | MS14-052 | Not applicable |
* If the Groove.EXE component is not present in your Office installation, it doesn't need to be installed for ADAL to work. However, if it is present, then the build for Groove.EXE listed here is required.
Office 2016 and Office 2019 clients support modern authentication by default, and no action is needed for the client to use these new flows. However, explicit action is needed to use legacy authentication.
Click the links below to see how Office 2013, Office 2016, and Office 2019 client authentication works with the Microsoft 365 services depending on whether or not modern authentication is turned on.
Exchange Online
The following table describes the authentication behavior for Office 2013, Office 2016, and Office 2019 client apps when they connect to Exchange Online with or without modern authentication.
| Office client app version | Registry key present? | Modern authentication on? | Authentication behavior with modern authentication turned on for the tenant (default) | Authentication behavior with modern authentication turned off for the tenant |
|---|---|---|---|---|
| Office 2019 |
No, AlwaysUseMSOAuthForAutoDiscover = 1 |
Yes |
Forces modern authentication on Outlook 2013, 2016, or 2019. More info |
Forces modern authentication within the Outlook client. |
| Office 2019 |
No, or EnableADAL = 1 |
Yes |
Modern authentication is attempted first. If the server refuses a modern authentication connection, then basic authentication is used. Server refuses modern authentication when the tenant is not enabled. |
Modern authentication is attempted first. If the server refuses a modern authentication connection, then basic authentication is used. Server refuses modern authentication when the tenant is not enabled. |
| Office 2019 |
Yes, EnableADAL = 1 |
Yes |
Modern authentication is attempted first. If the server refuses a modern authentication connection, then basic authentication is used. Server refuses modern authentication when the tenant is not enabled. |
Modern authentication is attempted first. If the server refuses a modern authentication connection, then basic authentication is used. Server refuses modern authentication when the tenant is not enabled. |
| Office 2019 |
Yes, EnableADAL=0 |
No |
Basic authentication |
Basic authentication |
| Office 2016 |
No, AlwaysUseMSOAuthForAutoDiscover = 1 |
Yes |
Forces modern authentication on 2013, 2016, or 2019. More info |
Forces modern authentication within the Outlook client. |
| Office 2016 |
No, or EnableADAL = 1 |
Yes |
Modern authentication is attempted first. If the server refuses a modern authentication connection, then basic authentication is used. Server refuses modern authentication when the tenant is not enabled. |
Modern authentication is attempted first. If the server refuses a modern authentication connection, then basic authentication is used. Server refuses modern authentication when the tenant is not enabled. |
| Office 2016 |
Yes, EnableADAL = 1 |
Yes |
Modern authentication is attempted first. If the server refuses a modern authentication connection, then basic authentication is used. Server refuses modern authentication when the tenant is not enabled. |
Modern authentication is attempted first. If the server refuses a modern authentication connection, then basic authentication is used. Server refuses modern authentication when the tenant is not enabled. |
| Office 2016 |
Yes, EnableADAL=0 |
No |
Basic authentication |
Basic authentication |
| Office 2013 |
No |
No |
Basic authentication |
Basic authentication |
| Office 2013 |
Yes, EnableADAL = 1 |
Yes |
Modern authentication is attempted first. If the server refuses a modern authentication connection, then basic authentication is used. Server refuses modern authentication when the tenant is not enabled. |
Modern authentication is attempted first. If the server refuses a modern authentication connection, then basic authentication is used. Server refuses modern authentication when the tenant is not enabled. |
SharePoint Online
The following table describes the authentication behavior for Office 2013, Office 2016, and Office 2019 client apps when they connect to SharePoint Online with or without modern authentication.
| Office client app version | Registry key present? | Modern authentication on? | Authentication behavior with modern authentication turned on for the tenant (default) | Authentication behavior with modern authentication turned off for the tenant |
|---|---|---|---|---|
| Office 2019 |
No, or EnableADAL = 1 |
Yes |
Modern authentication only. |
Failure to connect. |
| Office 2019 |
Yes, EnableADAL = 1 |
Yes |
Modern authentication only. |
Failure to connect. |
| Office 2019 |
Yes, EnableADAL = 0 |
No |
Microsoft Online Sign-in Assistant only. |
Microsoft Online Sign-in Assistant only. |
| Office 2016 |
No, or EnableADAL = 1 |
Yes |
Modern authentication only. |
Failure to connect. |
| Office 2016 |
Yes, EnableADAL = 1 |
Yes |
Modern authentication only. |
Failure to connect. |
| Office 2016 |
Yes, EnableADAL = 0 |
No |
Microsoft Online Sign-in Assistant only. |
Microsoft Online Sign-in Assistant only. |
| Office 2013 |
No |
No |
Microsoft Online Sign-in Assistant only. |
Microsoft Online Sign-in Assistant only. |
| Office 2013 |
Yes, EnableADAL = 1 |
Yes |
Modern authentication only. |
Failure to connect. |
Skype for Business Online
The following table describes the authentication behavior for Office 2013, Office 2016, and Office 2019 client apps when they connect to Skype for Business Online with or without modern authentication.
| Office client app version | Registry key present? | Modern authentication on? | Authentication behavior with modern authentication turned on for the tenant | Authentication behavior with modern authentication turned off for the tenant (default) |
|---|---|---|---|---|
| Office 2019 |
No, or EnableADAL = 1 |
Yes |
Modern authentication is attempted first. If the server refuses a modern authentication connection, then Microsoft Online Sign-in Assistant is used. Server refuses modern authentication when Skype for Business Online tenants are not enabled. |
Modern authentication is attempted first. If the server refuses a modern authentication connection, then Microsoft Online Sign-in Assistant is used. Server refuses modern authentication when Skype for Business Online tenants are not enabled. |
| Office 2019 |
Yes, EnableADAL = 1 |
Yes |
Modern authentication is attempted first. If the server refuses a modern authentication connection, then Microsoft Online Sign-in Assistant is used. Server refuses modern authentication when Skype for Business Online tenants are not enabled. |
Modern authentication is attempted first. If the server refuses a modern authentication connection, then Microsoft Online Sign-in Assistant is used. Server refuses modern authentication when Skype for Business Online tenants are not enabled. |
| Office 2019 |
Yes, EnableADAL = 0 |
No |
Microsoft Online Sign-in Assistant only. |
Microsoft Online Sign-in Assistant only. |
| Office 2016 |
No, or EnableADAL = 1 |
Yes |
Modern authentication is attempted first. If the server refuses a modern authentication connection, then Microsoft Online Sign-in Assistant is used. Server refuses modern authentication when Skype for Business Online tenants are not enabled. |
Modern authentication is attempted first. If the server refuses a modern authentication connection, then Microsoft Online Sign-in Assistant is used. Server refuses modern authentication when Skype for Business Online tenants are not enabled. |
| Office 2016 |
Yes, EnableADAL = 1 |
Yes |
Modern authentication is attempted first. If the server refuses a modern authentication connection, then Microsoft Online Sign-in Assistant is used. Server refuses modern authentication when Skype for Business Online tenants are not enabled. |
Modern authentication is attempted first. If the server refuses a modern authentication connection, then Microsoft Online Sign-in Assistant is used. Server refuses modern authentication when Skype for Business Online tenants are not enabled. |
| Office 2016 |
Yes, EnableADAL = 0 |
No |
Microsoft Online Sign-in Assistant only. |
Microsoft Online Sign-in Assistant only. |
| Office 2013 |
No |
No |
Microsoft Online Sign-in Assistant only. |
Microsoft Online Sign-in Assistant only. |
| Office 2013 |
Yes, EnableADAL = 1 |
Yes |
Modern authentication is attempted first. If the server refuses a modern authentication connection, then Microsoft Online Sign-in Assistant is used. Server refuses modern authentication when Skype for Business Online tenants are not enabled. |
Microsoft Online Sign-in Assistant only. |
See also
Enable Modern Authentication for Office 2013 on Windows devices
Multi-factor authentication for Microsoft 365
피드백
다음에 대한 사용자 의견 제출 및 보기