SOLVED
Home

Modern Auth: Clear as mud

%3CLINGO-SUB%20id%3D%22lingo-sub-393514%22%20slang%3D%22en-US%22%3EModern%20Auth%3A%20Clear%20as%20mud%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-393514%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%20in%20a%20tenant%20where%26nbsp%3B%3CSPAN%20class%3D%22marktv5v7z3uc%22%3EOAuth%3C%2FSPAN%3E%3CSPAN%3E2ClientProfileEnabled%20is%20%24false%2C%20is%20it%20possible%20for%20any%20client%20to%20be%20using%20modern%20authentication%3B%20or%20are%20all%20clients%20limited%20to%20basic%20authentication%26nbsp%3Bprotocols%20only%3F%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EOn%20iOS%2C%20when%20connecting%20a%20mailbox%20to%20the%20native%20mail%20app%2C%20with%20the%20above%3CSPAN%20class%3D%22marktv5v7z3uc%22%3EOAuth%3C%2FSPAN%3E2ClientProfileEnabled%20%24false%20configuration%2C%20i%20get%20a%20web%20based%20oauth%20sign%20in%20page.%26nbsp%3B%20This%20indicates%20to%20me%20that%20this%20is%20a%20%22modern%22%20auth%20flow%20even%20though%26nbsp%3B%3CSPAN%20class%3D%22marktv5v7z3uc%22%3EOAuth%3C%2FSPAN%3E2ClientProfileEnabled%20is%20set%20to%20false.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EPlease%20help%20me%20understand.%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-393514%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EExchange%20Online%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-393615%22%20slang%3D%22en-US%22%3ERe%3A%20Modern%20Auth%3A%20Clear%20as%20mud%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-393615%22%20slang%3D%22en-US%22%3E%3CP%3EAs%20mentioned%20in%20the%20documentation%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fexchange%2Fclients-and-mobile-in-exchange-online%2Fenable-or-disable-modern-authentication-in-exchange-online%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fexchange%2Fclients-and-mobile-in-exchange-online%2Fenable-or-disable-modern-authentication-in-exchange-online%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CDIV%20class%3D%22lia-spoiler-container%22%3E%3CA%20class%3D%22lia-spoiler-link%22%20href%3D%22%23%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%20target%3D%22_blank%22%3ESpoiler%3C%2FA%3E%3CNOSCRIPT%3E(Highlight%20to%20read)%3C%2FNOSCRIPT%3E%3CDIV%20class%3D%22lia-spoiler-border%22%3E%3CDIV%20class%3D%22lia-spoiler-content%22%3E%0A%3CUL%20style%3D%22margin%3A%2016px%200px%2016px%2038px%3B%20padding%3A%200px%3B%20box-sizing%3A%20inherit%3B%20color%3A%20%23000000%3B%20font-family%3A%20'Segoe%20UI'%2C%20SegoeUI%2C%20'Segoe%20WP'%2C%20'Helvetica%20Neue'%2C%20Helvetica%2C%20Tahoma%2C%20Arial%2C%20sans-serif%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant-ligatures%3A%20normal%3B%20font-variant-caps%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20start%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20white-space%3A%20normal%3B%20widows%3A%202%3B%20word-spacing%3A%200px%3B%20-webkit-text-stroke-width%3A%200px%3B%20background-color%3A%20%23ffffff%3B%20text-decoration-style%3A%20initial%3B%20text-decoration-color%3A%20initial%3B%22%3E%0A%3CLI%20style%3D%22outline%3A%200px%3B%20box-sizing%3A%20inherit%3B%20list-style%3A%20disc%20outside%20none%3B%22%3E%3CP%20style%3D%22box-sizing%3A%20inherit%3B%20margin-top%3A%201rem%3B%20margin-bottom%3A%200px%3B%22%3EEnabling%20or%20disabling%20modern%20authentication%20in%20Exchange%20Online%20as%20described%20in%20this%20topic%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%20style%3D%22font-weight%3A%20600%3B%20box-sizing%3A%20inherit%3B%22%3Eonly%3C%2FSTRONG%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Eaffects%20modern%20authentication%20connections%20by%20Outlook%202013%20or%20later%20clients.%3C%2FP%3E%0A%3C%2FLI%3E%0A%3CLI%20style%3D%22outline%3A%200px%3B%20box-sizing%3A%20inherit%3B%20list-style%3A%20disc%20outside%20none%3B%22%3E%3CP%20style%3D%22box-sizing%3A%20inherit%3B%20margin-top%3A%201rem%3B%20margin-bottom%3A%200px%3B%22%3EOther%20email%20clients%20that%20support%20modern%20authentication%20(for%20example%2C%20Outlook%20Mobile%2C%20Outlook%20for%20Mac%202016%2C%20and%20Exchange%20ActiveSync%20in%20iOS%2011%20or%20later)%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%20style%3D%22font-weight%3A%20600%3B%20box-sizing%3A%20inherit%3B%22%3Ealways%3C%2FSTRONG%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Euse%20modern%20authentication%20to%20log%20in%20to%20Exchange%20Online%20mailboxes%2C%20regardless%20of%20whether%20you%20enable%20or%20disable%20modern%20authentication%20for%20Outlook%202013%20or%20later%20clients%20as%20described%20in%20this%20topic.%3C%2FP%3E%0A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FDIV%3E%3CNOSCRIPT%3E%3CDIV%20class%3D%22lia-spoiler-noscript-container%22%3E%3CDIV%20class%3D%22lia-spoiler-noscript-content%22%3EEnabling%20or%20disabling%20modern%20authentication%20in%20Exchange%20Online%20as%20described%20in%20this%20topic%26nbsp%3Bonly%26nbsp%3Baffects%20modern%20authentication%20connections%20by%20Outlook%202013%20or%20later%20clients.%20Other%20email%20clients%20that%20support%20modern%20authentication%20(for%20example%2C%20Outlook%20Mobile%2C%20Outlook%20for%20Mac%202016%2C%20and%20Exchange%20ActiveSync%20in%20iOS%2011%20or%20later)%26nbsp%3Balways%26nbsp%3Buse%20modern%20authentication%20to%20log%20in%20to%20Exchange%20Online%20mailboxes%2C%20regardless%20of%20whether%20you%20enable%20or%20disable%20modern%20authentication%20for%20Outlook%202013%20or%20later%20clients%20as%20described%20in%20this%20topic.%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FNOSCRIPT%3E%3C%2FDIV%3E%3C%2FDIV%3E%0A%3CP%3EAnd%20in%20case%20you've%20missed%20it%3A%26nbsp%3B%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3E%3CA%20href%3D%22https%3A%2F%2Fblogs.technet.microsoft.com%2Fexchange%2F2019%2F04%2F01%2Fexchange-online-modern-authentication-and-conditional-access-updates%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fblogs.technet.microsoft.com%2Fexchange%2F2019%2F04%2F01%2Fexchange-online-modern-authentication-and-conditional-access-updates%2F%3C%2FA%3E%3C%2FFONT%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E
Frequent Contributor

Hi, in a tenant where OAuth2ClientProfileEnabled is $false, is it possible for any client to be using modern authentication; or are all clients limited to basic authentication protocols only?

 

On iOS, when connecting a mailbox to the native mail app, with the aboveOAuth2ClientProfileEnabled $false configuration, i get a web based oauth sign in page.  This indicates to me that this is a "modern" auth flow even though OAuth2ClientProfileEnabled is set to false.

 

Please help me understand.

1 Reply
Solution

As mentioned in the documentation: https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/enable-or-disable-mo...

 

Spoiler
  • Enabling or disabling modern authentication in Exchange Online as described in this topic only affects modern authentication connections by Outlook 2013 or later clients.

  • Other email clients that support modern authentication (for example, Outlook Mobile, Outlook for Mac 2016, and Exchange ActiveSync in iOS 11 or later) always use modern authentication to log in to Exchange Online mailboxes, regardless of whether you enable or disable modern authentication for Outlook 2013 or later clients as described in this topic.

And in case you've missed it: https://blogs.technet.microsoft.com/exchange/2019/04/01/exchange-online-modern-authentication-and-co...