We’re less than a month away from disabling basic authentication in Exchange Online. By now your cloud-connected clients should be using modern authentication, but if not, hopefully you’re well on your way to full adoption. If you are not sure what we’re talking about, take a look here; you may have some work to do. As you see the number of basic authentication connections dwindle you may find a small number of clients stubbornly hanging on to basic authentication a little too tightly.
It may be frustrating to find some Outlook for Mac clients that are up to date but still turning up in your sign-in reports as using basic authentication. What can you do?
We wanted to provide some tips for addressing any Outlook for Mac clients that seem to be stuck using basic authentication.
First, verify they really are running a version that supports modern authentication. Client versions 15.20 and later running on macOS 10.14 or higher support modern authentication.
Check to make sure modern authentication hasn’t been disabled. It is enabled by default in 15.20 and later, but there is a setting to disable it. Open the Terminal app and use the commands below to check and re-enable the setting if needed.
Run this command to check the current setting:
defaults read com.microsoft.Outlook DisableModernAuth
- If it is set to 0 (zero, meaning “false”) or you get a message showing the setting does not exist, then modern authentication is enabled.
- If it is set to 1 (one, meaning “true”), then Modern authentication has been disabled, and you can use the next command to re-enable it.
Then, if previous step indicates this is needed, run this command to enable modern authentication:
defaults write com.microsoft.Outlook DisableModernAuth -bool false
Few other things to check:
- Profiles with static application settings can be pushed out by an administrator via device management software, and the authentication type may not show up as disabled in the Terminal setting. You will need to check it by going to System Preferences > Profiles. There, look for an entry that contains the DisableModernAuth setting.
- Check the username in the profile. If it is in NetBIOS format (CONTOSO\jsmith) this will trigger the basic authentication flow. Make sure to use the UPN format instead (jsmith@contoso.com).
- If all the above checks out, recreate the profile (legacy Outlook for Mac) or reset it (New Outlook for Mac, go to Outlook > Preferences > Accounts and then choose the Reset account option from the … menu near the bottom of the Accounts window).
Another factor to consider is that Outlook for Mac relies on the server’s response to decide if it will use basic or modern authentication. Whatever authentication type is used in the initial Autodiscover call will be the authentication type used for the rest of the session. For example, if Outlook for Mac starts with an Autodiscover call to an on-premises Exchange server and uses basic authentication, then it will continue to connect to the cloud mailbox using basic authentication, as well.
The Autodiscover process used by current versions of Outlook for Mac will attempt to connect to Exchange Online before trying an on-premises endpoint, so if a client is stuck using basic authentication, re-creating or re-setting the profile as above should get them to switch to modern authentication.
You can address basic authentication calls to on-premises Autodiscover by enabling Hybrid Modern Authentication in your Exchange environment and go a step further with Exchange Server 2019 and block legacy authentication calls with an authentication policy.
Hopefully that helps you address any lingering Outlook for Mac clients using basic authentication. If you’re stuck and still need help, we recommend opening a support case to troubleshoot further. If you have any other tips on the subject, please let us know.
We wanted to thank Mario Garza Cienfuegos, Michael Green, and Pawan Kapoor from the Outlook Support team for their contributions.
Angélique Conde and Craig Harbold
You Had Me at EHLO.