Examine modern authentication for Office apps

Modern authentication is a Microsoft solution based on the Microsoft Authentication Library (MSAL). It applies the Open Authorization (OAuth) standard when an application or client software tries to obtain access tokens from an authentication provider to access resources. Modern authentication enables sign-in features such as:

  • Multi-factor authentication (MFA)
  • SAML-based third-party Identity Providers with Office client applications
  • Smart card authentication
  • Certificate-based authentication

Modern authentication also removes the need for Outlook to use the basic authentication protocol.

Modern authentication prerequisites

Modern authentication is turned On by default for the following Microsoft 365 services:

  • Exchange Online
  • SharePoint Online
  • Skype for Business Online

Modern authentication is also automatically turned On for Office 2016 and later client apps.

However, to use modern authentication with Office 2013 client apps, prerequisite software must be installed. Which software is required depends on whether you have a Click-to-Run installation or an MSI-based installation. To determine whether your Office installation is Click-to-Run or MSI-based, complete the following steps:

  1. Start Outlook 2013.
  2. On the File menu, choose Office Account.
  3. For Outlook 2013 Click-to-Run installations, an Update Options item is displayed. For MSI-based installations, the Update Options item isn't displayed.

[Figure: Screenshots comparing an Outlook 2013 Click-to-Run installation, which shows the Update Options item, with an Outlook 2013 MSI-based installation, which doesn't show it.]

For detailed information on how to turn on modern authentication for Office 2013 client apps, see Enable Modern Authentication for Office 2013 on Windows devices.

If you're using Active Directory Federation Services (AD FS) 2.0, you should first review the caveats with modern authentication described in the article titled Office 2013 and Office 365 ProPlus modern authentication and client access filtering policies: Things to know before onboarding.

Authentication behavior

The rest of this unit examines authentication behavior for Office 2013 and later client apps when they connect with or without modern authentication to Exchange Online, SharePoint Online, and Skype for Business Online.

Exchange Online

The following table describes the authentication behavior for Office 2013 and Office 2016 and later client apps when they connect to Exchange Online with or without modern authentication.

| Office client app version | Is the Registry key present? | Is modern authentication turned on? | Authentication behavior with modern authentication turned on for the tenant (default) | Authentication behavior with modern authentication turned off for the tenant |
|---|---|---|---|---|
| Office 2016 and later | No, or EnableADAL = 1 | Yes | Modern authentication is attempted first. If the server refuses a modern authentication connection, then basic authentication is used. Server refuses modern authentication when the tenant isn't enabled. | Modern authentication is attempted first. If the server refuses a modern authentication connection, then basic authentication is used. Server refuses modern authentication when the tenant isn't enabled. |
| Office 2016 and later | Yes, EnableADAL = 1 | Yes | Modern authentication is attempted first. If the server refuses a modern authentication connection, then basic authentication is used. Server refuses modern authentication when the tenant isn't enabled. | Modern authentication is attempted first. If the server refuses a modern authentication connection, then basic authentication is used. Server refuses modern authentication when the tenant isn't enabled. |
| Office 2016 and later | Yes, EnableADAL = 0 | No | Basic authentication | Basic authentication |
| Office 2013 | No | No | Basic authentication | Basic authentication |
| Office 2013 | Yes, EnableADAL = 1 | Yes | Modern authentication is attempted first. If the server refuses a modern authentication connection, then basic authentication is used. Server refuses modern authentication when the tenant isn't enabled. | Modern authentication is attempted first. If the server refuses a modern authentication connection, then basic authentication is used. Server refuses modern authentication when the tenant isn't enabled. |

SharePoint Online

The following table describes the authentication behavior for Office 2013 and Office 2016 and later client apps when they connect to SharePoint Online with or without modern authentication.

| Office client app version | Is the Registry key present? | Is modern authentication turned on? | Authentication behavior with modern authentication turned on for the tenant (default) | Authentication behavior with modern authentication turned off for the tenant |
|---|---|---|---|---|
| Office 2016 and later | No, or EnableADAL = 1 | Yes | Modern authentication only. | Failure to connect. |
| Office 2016 and later | Yes, EnableADAL = 1 | Yes | Modern authentication only. | Failure to connect. |
| Office 2016 and later | Yes, EnableADAL = 0 | No | Microsoft Online Sign in Assistant only. | Microsoft Online Sign in Assistant only. |
| Office 2013 | No | No | Microsoft Online Sign in Assistant only. | Microsoft Online Sign in Assistant only. |
| Office 2013 | Yes, EnableADAL = 1 | Yes | Modern authentication only. | Failure to connect. |

Skype for Business Online

The following table describes the authentication behavior for Office 2013 and Office 2016 and later client apps when they connect to Skype for Business Online with or without modern authentication.

| Office client app version | Is the Registry key present? | Is modern authentication turned on? | Authentication behavior with modern authentication turned on for the tenant | Authentication behavior with modern authentication turned off for the tenant (default) |
|---|---|---|---|---|
| Office 2016 and later | No, or EnableADAL = 1 | Yes | Modern authentication is attempted first. If the server refuses a modern authentication connection, then Microsoft Online Sign in Assistant is used. Server refuses modern authentication when Skype for Business Online tenants aren't enabled. | Modern authentication is attempted first. If the server refuses a modern authentication connection, then Microsoft Online Sign in Assistant is used. Server refuses modern authentication when Skype for Business Online tenants aren't enabled. |
| Office 2016 and later | Yes, EnableADAL = 1 | Yes | Modern authentication is attempted first. If the server refuses a modern authentication connection, then Microsoft Online Sign in Assistant is used. Server refuses modern authentication when Skype for Business Online tenants aren't enabled. | Modern authentication is attempted first. If the server refuses a modern authentication connection, then Microsoft Online Sign in Assistant is used. Server refuses modern authentication when Skype for Business Online tenants aren't enabled. |
| Office 2016 and later | Yes, EnableADAL = 0 | No | Microsoft Online Sign in Assistant only. | Microsoft Online Sign in Assistant only. |
| Office 2013 | No | No | Microsoft Online Sign in Assistant only. | Microsoft Online Sign in Assistant only. |
| Office 2013 | Yes, EnableADAL = 1 | Yes | Modern authentication is attempted first. If the server refuses a modern authentication connection, then Microsoft Online Sign in Assistant is used. Server refuses modern authentication when Skype for Business Online tenants aren't enabled. | Microsoft Online Sign in Assistant only. |
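
The three tables in this unit reduce to one decision rule, which can be applied to a client inventory to find every connection that will not end up on modern authentication. The following Python code is an added example, not part of the original unit or Microsoft's code. The `Client` fields, host names, and tenant settings are constructed, and the code assumes the only reason a server refuses modern authentication is the tenant setting, as the tables state.

```python
from dataclasses import dataclass
from typing import Optional

MODERN = "modern authentication"
# Legacy method each service uses when modern authentication is not in play.
LEGACY = {
    "Exchange Online": "basic authentication",
    "SharePoint Online": "Microsoft Online Sign in Assistant",
    "Skype for Business Online": "Microsoft Online Sign in Assistant",
}

@dataclass
class Client:
    host: str                    # hypothetical inventory field
    office_2016_or_later: bool   # False means Office 2013
    enable_adal: Optional[int]   # None means the registry value is absent

def client_modern_auth_on(c: Client) -> bool:
    """Reproduce the 'Is modern authentication turned on?' column."""
    if c.office_2016_or_later:
        return c.enable_adal != 0    # on unless EnableADAL = 0
    return c.enable_adal == 1        # Office 2013 needs EnableADAL = 1

def effective_auth(c: Client, service: str, tenant_on: bool) -> str:
    """Method a connection ends up using for one client and one service."""
    if not client_modern_auth_on(c):
        return LEGACY[service]
    if tenant_on:
        return MODERN
    if service == "SharePoint Online":
        return "failure to connect"  # SharePoint Online has no fallback
    return LEGACY[service]           # server refuses, client falls back

def audit(clients, tenant):
    """Return (host, service, method) for every non-modern outcome."""
    findings = []
    for c in clients:
        for service, tenant_on in tenant.items():
            method = effective_auth(c, service, tenant_on)
            if method != MODERN:
                findings.append((c.host, service, method))
    return findings

# Constructed sample inventory and tenant settings (not real data).
CLIENTS = [Client("pc-01", True, None), Client("pc-02", True, 0),
           Client("pc-03", False, None), Client("pc-04", False, 1)]
TENANT = {"Exchange Online": True, "SharePoint Online": True,
          "Skype for Business Online": False}
```

Calling `audit(CLIENTS, TENANT)` lists the hosts whose registry setting or tenant configuration leaves them on basic authentication or the Microsoft Online Sign in Assistant.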