
We’re constantly improving the security of Office 365 products and services. Modern Authentication and Conditional Access are two of the best ways of ensuring that your clients can take advantage of authentication features like multi-factor authentication (MFA) and third-party SAML identity providers, and that you can implement automated access-control decisions for your cloud apps based on conditions. Firstly, here’s some news about Modern Authentication. As you might already know, all new Office 365 tenants created on or after August 1, 2017 have Modern Authentication enabled by default in Exchange Online for all clients. Today, we’re announcing that Modern Authentication will soon be enabled for the Windows Outlook client and Skype for Business client in all managed (non-federated) tenants that were created before August 1, 2017. Those tenants already have Modern Authentication enabled for Outlook mobile, Outlook for Mac and Outlook on the Web, so there are no changes to any of those clients.

What does it mean to be a ‘managed tenant’?

If you use Password Hash Sync, Pass-Through Authentication, or you create, manage and authenticate your user identities directly in the cloud, your tenant is considered a ‘managed tenant’ – and this change affects you. If you still create, manage and authenticate your identities in your on-premises Active Directory, and you use ADFS or some other 3rd-party IdP to authenticate your users – your tenant will not be affected by this change.

Will my user experience be different?

This change affects the dialog users will see when requesting their credentials. They used to see the following prompt (the exact dialog depends upon the OS of the client, but this should be similar enough to help you identify it):

[Image: MApost1 (https://techcommunity.microsoft.com/legacyfs/online/media/2019/04/MApost1.jpg)]

Now they will see the following prompt:

[Image: MApost2 (https://techcommunity.microsoft.com/legacyfs/online/media/2019/04/MApost2.jpg)]

How does this change authentication?

From the user’s perspective, it’s just a dialog change. From a security perspective, the client is now using OAuth (not Basic Auth) to authenticate.

What’s better about that? Why do I care?

Switching to Modern Authentication (even if it’s used just for username and password) is more secure than using Basic Auth. Modern Authentication is not subject to credential capture and re-use, credentials are not stored on the client device, it ensures users re-authenticate when something about their connection or state changes, and it makes adding MFA simple.

What do I need to do as an Admin?

Nothing. Nothing at all, well except perhaps one thing: help your users understand that this new dialog means their connection to Office 365 is even more secure than it was before. Feel free to take the credit for that; tell them you changed it to increase their security; we don’t mind. The next thing to do is to start thinking about enabling MFA and Conditional Access, to make those connections even more secure. Here’s a great place to start finding out more: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/. Speaking of Conditional Access, that leads us to the next thing we wanted to announce: we’re making some changes there too, specifically related to Exchange ActiveSync (EAS).

We’re making a change to ensure that EAS connections will be evaluated against previously unsupported conditions within Conditional Access (CA).

As you might know, many conditions that are available in CA policies have not been supported for EAS. These include country, named locations, sign-in risk, and device platform. Currently, if you include any of these conditions in a policy that targets EAS, that condition is always enforced. For example, a policy to require a compliant device outside of the corporate network would always apply (independent of the user’s location). The screenshot below shows how the admin would enable the client app condition used to target a CA policy to EAS clients.

[Image: MApost3 (https://techcommunity.microsoft.com/legacyfs/online/media/2019/04/MApost3.jpg)]

The change we have made ensures that CA policy applied to EAS correctly honors previously configured conditions. You may see some cases where EAS begins to work where it was previously blocked. So, if you have CA policies today that block EAS traffic because a condition is not supported, we advise you to inspect those policies and remove any of the unsupported conditions from them. For example, suppose you previously configured the following policy: “Block all EAS traffic from French Guyana”. Today all EAS traffic is blocked. If you are relying on a rule like that to block all EAS traffic, you need to re-think your strategy. With the change we are making, only the EAS traffic from French Guyana will be blocked. We’re sure that you will find this behavior more logical, but we wanted to make sure you were aware of the change. So, it’s worth checking your existing CA policies to make sure you don’t have rules that might be affected by this change.

Other than this, we don’t expect any other change in behavior: EAS clients should still receive quarantine email when they don’t meet the CA policy requirements; otherwise they will get email access just as they do today. We really do treat the security of our service and the protection of your data as our primary concern. Please leave any comments or feedback, and thanks for reading!

The Exchange Team
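As an added example (not from the original post or from Microsoft), here is an audit script for the change just described: it reads Conditional Access policies in the JSON shape that Microsoft Graph returns for conditionalAccessPolicy objects (an assumption about the export format; the sample policies and the named-location id are constructed placeholders) and reports, for each policy targeting EAS, the previously unsupported conditions it uses and how its effect on EAS traffic changes.

```python
from __future__ import annotations
import json

# Client app types whose policies apply to Exchange ActiveSync traffic.
EAS_TARGETS = {"exchangeActiveSync", "all"}

def unsupported_eas_conditions(conditions: dict) -> list[str]:
    """Name the conditions the post says were not honoured for EAS before
    the change (country/named locations, sign-in risk, device platform)."""
    found = []
    locations = conditions.get("locations") or {}
    if locations.get("includeLocations") or locations.get("excludeLocations"):
        # Country conditions are expressed as named locations in Graph.
        found.append("locations/country")
    if conditions.get("signInRiskLevels"):
        found.append("signInRisk")
    platforms = conditions.get("platforms") or {}
    if platforms.get("includePlatforms") or platforms.get("excludePlatforms"):
        found.append("devicePlatform")
    return found

def audit_policy(policy: dict) -> dict | None:
    """Return a finding describing how the policy's effect on EAS traffic
    changes, or None when the policy is not affected."""
    conditions = policy.get("conditions") or {}
    client_apps = set(conditions.get("clientAppTypes") or [])
    if policy.get("state") == "disabled" or not client_apps & EAS_TARGETS:
        return None
    unsupported = unsupported_eas_conditions(conditions)
    if not unsupported:
        return None
    controls = (policy.get("grantControls") or {}).get("builtInControls") or []
    effect = "block" if "block" in controls else "require " + "+".join(controls)
    return {
        "displayName": policy.get("displayName", "<unnamed>"),
        "unsupportedConditions": unsupported,
        # Before the change the unsupported condition counted as always matched.
        "before": f"{effect} applied to ALL EAS traffic (condition ignored)",
        # After the change the condition is evaluated as for other clients.
        "after": f"{effect} applied only to EAS traffic matching the conditions",
    }

def audit_policies(policies: list[dict]) -> list[dict]:
    """Audit a whole export and keep only the affected policies."""
    return [f for f in (audit_policy(p) for p in policies) if f]

# Constructed sample export (not real tenant data): the post's "Block all EAS
# traffic from French Guyana" policy plus one policy that is not affected.
SAMPLE_EXPORT = json.loads("""
[
  {"displayName": "Block EAS from French Guyana", "state": "enabled",
   "conditions": {"clientAppTypes": ["exchangeActiveSync"],
                  "locations": {"includeLocations": ["<named-location-id-placeholder>"]}},
   "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
  {"displayName": "Require compliant device for EAS", "state": "enabled",
   "conditions": {"clientAppTypes": ["exchangeActiveSync"]},
   "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}}
]
""")

if __name__ == "__main__":
    for finding in audit_policies(SAMPLE_EXPORT):
        print(json.dumps(finding, indent=2))
```

Feed it the output of GET /identity/conditionalAccess/policies (or the equivalent PowerShell export converted to JSON) to list the policies whose EAS behaviour changes.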
31 Comments
Not applicable
Is this an April Fools' joke, or was this announcement just made on an unfortunate date?
Not applicable
Oh it's for real, just unfortunate timing, but we wanted to get the message out asap.
Not applicable
Greg, how do we not know that your comment isn't also part of the April Fool's gag?
Not applicable
Does the EAS change go into effect immediately? Or is it rolling out? What's the time frame?
Not applicable
It's slowly rolling out now.
Not applicable
The EAS change has started rolling out and we've sent Message Center posts to all tenants we believe might see an impact based on their existing policies. So check Message Center.
Not applicable
What indicators will we have to know this change has rolled out to our tenant?
Not applicable
We’ve had a ton of issues with needing to reinstall Office or reconnect users to Azure Ad based on a recent change to modern authentication. What changed in the last six weeks to make this change as seamless as you’re saying it will be?
Not applicable
Hi StuBeck,

We saw an issue when we turned on Modern Auth for an older tenant where a very small set of users received a login prompt which was caused by the account logged into Office ProPlus (via the File > Office Account tab). It was only a few users but we just had to remove their creds from Credential Manager and have them log back in. Then the prompts were resolved.

Not applicable
Did you raise a support incident for the issues? You should if not, we're not aware of anything in particular that might explain the issues you describe.
Not applicable
Will on premises mailboxes in hybrid environments be able to take advantage of this?
Not applicable
This doesn't apply to on-premises mailboxes, only those in Exchange Online.
Not applicable
Is it only for Office 365 installs of Outlook or will Outlook 2016 MSI versions also be able to utilise this?
Not applicable
Outlook 2016 MSI/Perpetual supports MA, so it will work for that client too.
Not applicable
Our tenant has approx. 30 different domains associated with it. Some of the domains are Managed (Password Hash Sync or Cloud Only identities which authenticate directly in the cloud) and others are Federated and authenticate against an on-premises AD using ADFS. So - we have a foot in each camp... how will this change affect us?
Not applicable
If you have multiple domains, some managed, some federated, we'll treat your tenant as federated. No changes will take place at this time.
Not applicable
What does this mean for Outlook 2010 clients, which, while possibly no longer supported, still work with O365?
Not applicable
There's no impact to Outlook 2010, as it can't trigger the Modern Auth flow.
Not applicable
For the EAS update in Conditional Access, does the tenant have to be managed, or does this change take effect in a federated environment as well?
Not applicable
The EAS change will happen for all tenants, managed auth or federated.
Not applicable
How do I opt out, prevent or delay this change from happening? I do not want modern authentication enabled on my tenant.
Not applicable
We have multi-factor authentication enabled and app passwords deployed to about 500 devices (Outlook 2016 and iOS mail). Enabling modern authentication for the tenant is going to break all of our devices. I need a way to roll this out gradually without disrupting our users.
Not applicable
So this means all users will suffer the awful "Use this account everywhere on your device" additional prompt when they log in. Can we suppress this and set it to Never?
Not applicable
My tech support rep says that EAS conditional policies that check against device compliance are not supported.

For example, a policy that blocks EAS except on compliant devices. Is this true, and will this change with this rollout?

Not applicable
What is the timeframe for rolling out the modern auth. change to older tenants?

We would like to be able to enable this feature ourselves, and not have it enabled out of the blue by Microsoft.

So I need to know how much time we have before this feature is rolled out.

Not applicable

We have a managed O365 tenant created before Aug 2017, with MFA already enabled on many users, with app passwords on Windows Outlook 2016.

Please, I need an answer as to whether this change will affect these users or not. Will the Outlook client pop up this prompt asking for users' real passwords when Microsoft rolls out this change?

BR

New Contributor

Any update on this change (Modern Authentication)? Our tenant has not received the change yet - and I'm wondering whether I need to enable it myself or just wait a bit and let it happen.

Occasional Visitor

I encourage all to utilize the M365 Message Center to monitor for change. If it's not been communicated via the Message Center then it's likely still under dev.
Some additional unsolicited guidance: MS has a great tool for the M365 Roadmap
Have fun!!

Occasional Visitor

Hi,

We create and manage our users at our on-prem AD but it is synced up to O365 and we use Azure MFA.

Are we going to get the Modern Authentication for "Outlook for Office 365 MSO"?

How is this going to affect users with MFA already enabled with an App Password for Outlook?

Thank you!

Andras

Occasional Visitor

There is a demand by our leadership that we enable MFA for the Outlook 2016 fat client. We already do this for OWA and ECP by redirecting to on-prem ADFS, our internal IdP.

1. We are 100% on-prem, 0 hybrid. Yes, there are plans, but not during the scope of this demand.

2. I ensured that all my VDs are set up for Modern Auth. OAuth is available.

3. Setting RPC does not allow for OAuth???

4. I have validated the OAuth cert: Get-ExchangeCertificate (Get-AuthConfig).CurrentCertificateThumbprint

5. I have configured Exchange Online: [PS] C:\Windows\system32>Get-PartnerApplication "Exchange Online"

and Enabled is set to $TRUE

6. The OrganizationConfig for OAuth2 is set to $TRUE

7. We are only going to allow 2016 and block older versions. ADAL support is on by default.

Questions:

1. When I set MFA for OWA and ECP there was an ADFS issuer that I pointed Exchange to. Where is this for MAPI?

2. How do I redirect authentication for MAPI?

3. I know in AAD and Hybrid scenarios this can be done. Can a 100% on-prem deployment accomplish this?

@jsdao - that's a lot of q's. Let me try and answer them:

OAuth won't work with RPC/HTTP - only MAPI/HTTP.

You HAVE to be Hybrid with O365 for Hybrid Modern Auth to work. It will not work directly against on-prem ADFS in the same way OWA does.

Your 3 questions:

1. It's not done the same way. It's done by enabling an Auth Server at the Org level, and setting it to be the default Auth provider.

2. By doing step #1.

3. No. It cannot.