Examine modern authentication for Office apps
Modern authentication is a Microsoft solution based on the Microsoft Authentication Library (MSAL). It applies the Open Authorization (OAuth) standard when an application or client software tries to obtain access tokens from an authentication provider to access resources. Modern authentication enables sign-in features such as:
- Multi-factor authentication (MFA)
- SAML-based third-party Identity Providers with Office client applications
- Smart card authentication
- Certificate-based authentication
Modern authentication also removes the need for Outlook to use the basic authentication protocol.
Modern authentication prerequisites
Modern authentication is turned On by default for the following Microsoft 365 services:
- Exchange Online
- SharePoint Online
- Skype for Business Online
Modern authentication is also automatically turned On for Office 2016 and later client apps.
However, to use modern authentication with Office 2013 client apps, prerequisite software must be installed based on whether you have a Click-to-Run installation or an MSI-based installation. To determine whether your Office installation is Click-to-Run or MSI-based, complete the following steps:
- Start Outlook 2013.
- On the File menu, choose Office Account.
- For Outlook 2013 Click-to-Run installations, an Update Options item is displayed. For MSI-based installations, the Update Options item isn't displayed.
For detailed information on how to turn on modern authentication for Office 2013 client apps, see Enable Modern Authentication for Office 2013 on Windows devices.
If you're using Active Directory Federation Services (AD FS) 2.0, you should first review the caveats with modern authentication described in the article Office 2013 and Office 365 ProPlus modern authentication and client access filtering policies: Things to know before onboarding.
Authentication behavior
The rest of this unit examines authentication behavior for Office 2013 and later client apps when they connect with or without modern authentication to Exchange Online, SharePoint Online, and Skype for Business Online.
Exchange Online
The following table describes the authentication behavior for Office 2013 and Office 2016 and later client apps when they connect to Exchange Online with or without modern authentication.
| Office client app version | Is the Registry key present? | Is modern authentication turned on? | Authentication behavior with modern authentication turned on for the tenant (default) | Authentication behavior with modern authentication turned off for the tenant |
|---|---|---|---|---|
| Office 2016 and later | No, or EnableADAL = 1 | Yes | Modern authentication is attempted first. If the server refuses a modern authentication connection, then basic authentication is used. Server refuses modern authentication when the tenant isn't enabled. | Modern authentication is attempted first. If the server refuses a modern authentication connection, then basic authentication is used. Server refuses modern authentication when the tenant isn't enabled. |
| Office 2016 and later | Yes, EnableADAL = 1 | Yes | Modern authentication is attempted first. If the server refuses a modern authentication connection, then basic authentication is used. Server refuses modern authentication when the tenant isn't enabled. | Modern authentication is attempted first. If the server refuses a modern authentication connection, then basic authentication is used. Server refuses modern authentication when the tenant isn't enabled. |
| Office 2016 and later | Yes, EnableADAL = 0 | No | Basic authentication | Basic authentication |
| Office 2013 | No | No | Basic authentication | Basic authentication |
| Office 2013 | Yes, EnableADAL = 1 | Yes | Modern authentication is attempted first. If the server refuses a modern authentication connection, then basic authentication is used. Server refuses modern authentication when the tenant isn't enabled. | Modern authentication is attempted first. If the server refuses a modern authentication connection, then basic authentication is used. Server refuses modern authentication when the tenant isn't enabled. |
SharePoint Online
The following table describes the authentication behavior for Office 2013 and Office 2016 and later client apps when they connect to SharePoint Online with or without modern authentication.
| Office client app version | Is the Registry key present? | Is modern authentication turned on? | Authentication behavior with modern authentication turned on for the tenant (default) | Authentication behavior with modern authentication turned off for the tenant |
|---|---|---|---|---|
| Office 2016 and later | No, or EnableADAL = 1 | Yes | Modern authentication only. | Failure to connect. |
| Office 2016 and later | Yes, EnableADAL = 1 | Yes | Modern authentication only. | Failure to connect. |
| Office 2016 and later | Yes, EnableADAL = 0 | No | Microsoft Online Sign in Assistant only. | Microsoft Online Sign in Assistant only. |
| Office 2013 | No | No | Microsoft Online Sign in Assistant only. | Microsoft Online Sign in Assistant only. |
| Office 2013 | Yes, EnableADAL = 1 | Yes | Modern authentication only. | Failure to connect. |
Skype for Business Online
The following table describes the authentication behavior for Office 2013 and Office 2016 and later client apps when they connect to Skype for Business Online with or without modern authentication.
| Office client app version | Is the Registry key present? | Is modern authentication turned on? | Authentication behavior with modern authentication turned on for the tenant | Authentication behavior with modern authentication turned off for the tenant (default) |
|---|---|---|---|---|
| Office 2016 and later | No, or EnableADAL = 1 | Yes | Modern authentication is attempted first. If the server refuses a modern authentication connection, then Microsoft Online Sign in Assistant is used. Server refuses modern authentication when Skype for Business Online tenants aren't enabled. | Modern authentication is attempted first. If the server refuses a modern authentication connection, then Microsoft Online Sign in Assistant is used. Server refuses modern authentication when Skype for Business Online tenants aren't enabled. |
| Office 2016 and later | Yes, EnableADAL = 1 | Yes | Modern authentication is attempted first. If the server refuses a modern authentication connection, then Microsoft Online Sign in Assistant is used. Server refuses modern authentication when Skype for Business Online tenants aren't enabled. | Modern authentication is attempted first. If the server refuses a modern authentication connection, then Microsoft Online Sign in Assistant is used. Server refuses modern authentication when Skype for Business Online tenants aren't enabled. |
| Office 2016 and later | Yes, EnableADAL = 0 | No | Microsoft Online Sign in Assistant only. | Microsoft Online Sign in Assistant only. |
| Office 2013 | No | No | Microsoft Online Sign in Assistant only. | Microsoft Online Sign in Assistant only. |
| Office 2013 | Yes, EnableADAL = 1 | Yes | Modern authentication is attempted first. If the server refuses a modern authentication connection, then Microsoft Online Sign in Assistant is used. Server refuses modern authentication when Skype for Business Online tenants aren't enabled. | Microsoft Online Sign in Assistant only. |
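
The three tables above reduce to one client-side rule (is modern authentication turned on?) plus a per-service outcome. The following is an added example, not Microsoft's code: it encodes those tables and lists the clients in a constructed inventory that never attempt modern authentication. The version labels `"2013"` and `"2016+"`, the function names, and the inventory rows are assumptions made for illustration.

```python
# Added example: encodes the three behavior tables above.
# "2013" / "2016+" and the inventory rows are constructed for illustration.

def client_modern_auth_on(office_version, enable_adal):
    """Column 'Is modern authentication turned on?'.

    enable_adal is None when the registry value is absent, else 0 or 1.
    """
    if office_version == "2016+":
        return enable_adal != 0   # absent or 1 -> on, 0 -> off
    if office_version == "2013":
        return enable_adal == 1   # off unless explicitly enabled
    raise ValueError(f"unknown Office version: {office_version!r}")

def behavior(service, office_version, enable_adal, tenant_modern_on=True):
    """Authentication behavior the tables give for one client and service."""
    on = client_modern_auth_on(office_version, enable_adal)
    if service == "Exchange Online":
        # Same result in both tenant columns of the Exchange Online table.
        return "modern first, basic fallback" if on else "basic only"
    if service == "SharePoint Online":
        if not on:
            return "Sign in Assistant only"
        return "modern only" if tenant_modern_on else "failure to connect"
    if service == "Skype for Business Online":
        # Tenant state only changes the Office 2013, EnableADAL = 1 row.
        if on and (office_version == "2016+" or tenant_modern_on):
            return "modern first, Sign in Assistant fallback"
        return "Sign in Assistant only"
    raise ValueError(f"unknown service: {service!r}")

INVENTORY = [  # constructed rows: (host, Office version, EnableADAL value)
    ("ws-001", "2016+", None),
    ("ws-002", "2016+", 0),
    ("ws-003", "2013", None),
    ("ws-004", "2013", 1),
]

def legacy_only_clients(inventory):
    """Hosts whose Office client never attempts modern authentication."""
    return [h for h, ver, adal in inventory
            if not client_modern_auth_on(ver, adal)]

if __name__ == "__main__":
    for host, ver, adal in INVENTORY:
        print(host, ver, adal, "->", behavior("Exchange Online", ver, adal))
    print("remediate:", legacy_only_clients(INVENTORY))
```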