If they switch the tenant over to modern auth what happens with:

• New apps that try modern auth first
  Their assumption is that these will just switch over to modern auth seamlessly (or invoke MFA, CA, etc)
• Older apps that have modern auth ‘bolted on’ (Office 2013 with patches)
  Hoping that these will also fail over seamlessly
• Even older apps that don’t know about modern auth (Office 2010)
  They’d hope everything fails back to basic auth but they're assuming it will stop working?
Finally, the effects of the change on Outlook behaviour are quite important. They’ve seen Outlook pop up asking for authentication and the user name had to be entered in a specific format to continue (AZUREAD\User@Principal.Name).
They need to make this change on a few tenants and they're worried about the larger ones that have many versions of Office deployed in multiple scenarios. The more information they can get the better.
Enabling modern auth does nothing with respect to other auth methods, so all clients will continue to work as before. The only difference is that any client capable of (and using) MA will show the new auth UI, or log in the user automatically, depending on the configuration of the tenant/apps.
The AzureAD\UPN format is used with devices joined to Azure AD, which by itself is a different scenario.
If devices are domain joined with Azure AD sync set up for the users, the experience is seamless. If they are Azure joined it gets more complicated and you will get the user prompt, which is a pain point because you usually have to get it to error out to click “sign in with another account”, then use the same format to get it to take. For whatever reason, just typing in the password with the existing login, which is displayed correctly, doesn’t always work.