Blinky's Blog

Enabling Office 365 Modern Authentication (OAuth)

When using Office 365 there are a few things that can be done to make using the whole service a little easier. One of these things is enabling and using Modern Authentication (OAuth).

Modern Authentication is Microsoft’s next step to allow a better Single Sign On service using the Open Authorisation standards.

Modern Authentication has been available in Office since Microsoft Office 2013, but it is disabled by default. In Office 2016, however, it is enabled by default.

(I am going to be focusing on using Office 2016 but the principles are the same for Office 2013. The main difference is that you have to enable Modern Authentication using a registry key before it will work.)

This means that applications like Outlook can connect to services such as Exchange Online using Modern Authentication.

By default Outlook will auto negotiate a connection to Exchange using either Kerberos or NTLM authentication. When connecting to an on-site Exchange this isn’t a problem and will be seamless to the end user.

However, when connecting to Exchange Online, Outlook will prompt the user for their username and password. This is because Office 365 does not support Kerberos or NTLM authentication. Therefore, the authentication has to take place using Basic Authentication.

The only option the user has to stop the credentials prompt every time they open Outlook is to click the remember password box. This has the desired effect but has to be done per machine and will also prompt again if the user changes their password. This is due to the credentials being stored on the local machine in the Credential Manager, which doesn’t auto update if a password is changed.

The way to get around this is to use Modern Authentication. So if Modern Authentication is enabled by default in Office 2016, what’s the problem?

Well, the issue is at the other end: by default, Modern Authentication is disabled in Exchange Online. However, it can be enabled fairly easily using a couple of PowerShell commands. The Microsoft guide to this is here; the main steps are below:

First, open an elevated PowerShell window and type:

[code language="powershell"]$UserCredential = Get-Credential[/code]

This will then bring up a prompt for user credentials. You need to use the credentials of a user who has administrative privileges over your Exchange Online. An Office 365 global administrator will do the trick.

Then run the following command:

[code language="powershell"]$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection[/code]

Followed by this one:

[code language="powershell"]Import-PSSession $Session[/code]

This will then create a connection to your Exchange Online:

Once this connection is made, you can see the state of Modern Authentication by running this command:

[code language="powershell"]Get-OrganizationConfig | Format-Table -Auto Name,OAuth*[/code]

This should come back as ‘False’ meaning that Modern Authentication is disabled.

To enable it we need to run the following command:

[code language="powershell"]Set-OrganizationConfig -OAuth2ClientProfileEnabled $true[/code]

If you run the first command again, you should see that it now says ‘True’:

Now that Modern Authentication is enabled on both ends, Outlook can attempt to authenticate with it.
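The tenant-side steps above, collected into one re-runnable script as an added example (not code from the original post or from Microsoft's guide). It assumes the same remote PowerShell endpoint and Basic-authenticated session the post uses are available to your tenant; it only changes the setting if it is not already enabled, reads the value back, and always closes the administrative session.

```powershell
# Added example: the post's connect / check / enable / verify steps in one script.
# Assumes the endpoint and session type shown in the post, and an account
# with administrative rights over Exchange Online.
$ErrorActionPreference = 'Stop'

$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri https://outlook.office365.com/powershell-liveid/ `
    -Credential $UserCredential -Authentication Basic -AllowRedirection

try {
    # Import only the two cmdlets this change needs, not the whole admin surface.
    Import-PSSession $Session -AllowClobber `
        -CommandName Get-OrganizationConfig, Set-OrganizationConfig | Out-Null

    $before = (Get-OrganizationConfig).OAuth2ClientProfileEnabled
    Write-Output "OAuth2ClientProfileEnabled before: $before"

    # Idempotent: only write the setting when it is not already enabled.
    if ($before -ne $true) {
        Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
    }

    # Read the value back instead of trusting that the Set call took effect.
    $after = (Get-OrganizationConfig).OAuth2ClientProfileEnabled
    Write-Output "OAuth2ClientProfileEnabled after:  $after"
    if ($after -ne $true) {
        throw 'Modern Authentication is still disabled for this organization.'
    }
}
finally {
    # Tear down the privileged session and drop the credential object,
    # even if one of the steps above failed.
    Remove-PSSession $Session
    Remove-Variable UserCredential
}
```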

(I have configured Outlook 2016 using a Group Policy called ‘Automatically configure profile based on Active Directory Primary SMTP address’ meaning that the user shouldn’t have to enter any details to create their profile.)

Providing all is well, you should see a box similar to this rather than the dreaded credential prompt:

If you have Single Sign On configured in your environment, you should be able to just click in the password box and you will be signed in automatically. If you don’t, you will need to enter your password manually and click ‘Sign in’:

After a few seconds, it will sign you in and open your Outlook mailbox:

Lastly, another bonus to this is once you have opened and signed into your Outlook, all remaining Office applications will be signed into that account automatically. For example, instead of asking you to sign in at the top right of Word 2016, it will have done so already:

Any OneDrive or SharePoint sites that are connected to this account will also have been added automatically under the Open and Save menus:

Now your end users have a more streamlined login process when it comes to connecting Office 2016 with Office 365!
