Risks when enabling ADAL for Exchange Online and Skype

I'm considering enabling ADAL/OAuth for our Office 365 tenant to begin working with MFA, and am using the information in this wiki:

https://social.technet.microsoft.com/wiki/contents/articles/36101.office-365-enable-modern-authentic...

It seems relatively trivial to enable this, but I have some reservations about making the change. Does anyone know of risks involved, or any differences that users who don't have MFA enabled might see? Will the current sign-in workflow still look the same for everyone? We use the web applications, Office 2016, and iOS and Android applications for access.

Thanks!

Daniel,

Sorry, I did not specifically address your comment:

Modern Authentication should be enabled by default so unless you've disabled it via policy, it should be fine.

For whatever reason, Modern Authentication was disabled in our tenant. I do not know why. This is the reason I posted this question and why I am concerned.

This is a tenant-wide change and it seems the behavior of all the clients will change.

I opened a case with Microsoft Support, and they told me that MFA App Passwords will no longer function after I enable Modern Authentication on the tenant. They said that all the users will be immediately prompted to re-enter their passwords and then use their OTP to authenticate.

So I am very concerned about this and I do not think that I can enable Modern Authentication now.

Thanks again for your help.
Modern Auth is only enabled by default on new tenants since Aug 2017. Tenants created before then need to enable it, and the sooner the better, as then you can do seamless MFA (i.e. no app passwords).

If you have already rolled out app passwords for users and are on Office 2016 or later, then turning on Modern Auth will impact the users, as they will stop needing to use their app passwords and use their proper password. That's an impact to the user.

That said, without app passwords already in use (so no MFA already), if you enable Modern Auth and have SSO enabled (and the correct registry settings and URL in place) then the user will not see the new login box (this will also help if app passwords are used, as the SSO will kick in). Without SSO enabled then the user will see something

Brian,

Thanks for confirming. I really wish that Microsoft did a better job of communicating this significant piece of information about MFA App Passwords not working with Modern Authentication. I still have not found any Microsoft article or document that explains this. All articles that I read tell you to use App Passwords with non-browser-based clients like Outlook and ActiveSync clients. If we had checked for this in advance, we would not be in this mess.

I do not think that I can turn Modern Authentication on at this point and disrupt all of our users. If App Passwords would continue to work after enabling Modern Authentication, we could gradually transition our users.

Any articles that discuss app passwords are old and out of date by at least a few years. App passwords matter only when on Outlook 2010 (generally speaking) and older PowerShell modules.

Instead turn on SSO and Modern Authentication and then the user will automatically sign in (if domain joined on the LAN).

Brian,

Thanks for the help and advice.

Again, I wish that the Microsoft articles were clear on this issue. If I had known this six months ago, we would not be in this current bad situation.

Joining this topic very late, but after hitting an immediate problem with modern authentication in Office 2016 semi-annual (v1803), I wouldn't agree that turning on modern authentication is safe! I've just done a trial this evening after getting permission from the account and the test users immediately hit the fault discussed here:

https://techcommunity.microsoft.com/t5/Azure-Active-Directory/Azure-AD-W10-and-Outlook/td-p/96119

This fault/issue is fixed in the current targeted semi-annual release (v1808) but occurs in the current semi-annual release (v1803, which most Office 365 users are on). This version was released in July this year so the issue has only been recently fixed. It'll be fixed in the next semi-annual release in January so not that long to wait.

> If we had checked for this in advance, we would not be in this mess.

I feel your pain! My client only has 50 users but I'd shudder to think what a mess you could get into with hundreds of thousands of users.

My take on Office 365 right now is that it's still a mixed-up bunch of only just compatible technologies. Getting all the various factions to work together so that all features work with all components at the same time just seems too difficult.

And the MFA disaster on Monday this week makes me glad I didn't push my main client to enable MFA...
An interesting observation. The other take on this is that Microsoft cannot just change everything on a whim to suit the latest changes in their products because their customers expect backward compatibility at nearly any cost. So much so that when impacting changes come out the implementation that you need to put in is completely dependent upon the client and the mix of client or server technologies in use and that is the role the deployment consultant brings to the table. Even if you do the work yourself, experience is necessary.
Yes, backwards compatibility is both positive and negative at the same time. Whilst it might sound like one is taking a pop, I do understand how fiendishly hard it is to move forward when you have a huge, incredibly complicated infrastructure where lots of things have to change at the same time for it to be totally successful. Authentication is obviously one of these areas. Just look at how long it's taking to improve email security/combat spam. It's obviously a lot harder when there are 3rd party components in the chain.

But the specific case I mention about Outlook v1803 does annoy somewhat: when Microsoft is in control of *all* the components (Windows, Edge, Office, Skype, SharePoint, Exchange, Azure AD etc.), it does surprise me how often one comes across showstopper problems, and how long it takes to fix them.

Edge issues are another area where I'm losing the plot. I've *tried* to encourage my customers to use Edge (because **bleep** should work better because it's all Microsoft) but increasingly I have to accept it's used to install Chrome :( I even had a support case with Microsoft this week where they suggested I used Chrome for debugging. Rolls eyes!

LOL - like the bleep above. I'd mistakenly added a t before "it". Let's hope Microsoft never introduces a product named after a little bird :)
And Modern Auth is now being rolled out to all tenants apart from those using ADFS. See https://blogs.technet.microsoft.com/exchange/2019/04/01/exchange-online-modern-authentication-and-co... for this and the changes to expect.

@Brian Reid But it still hasn't, and there isn't communication on whether it is 'done' or will 'be done'.

You can check the setting in Skype for Business Online PowerShell to see if it has changed in your tenant. There is not often communication that a rollout has finished. And then if you are not using ADFS, just enable ADAL for Skype and then again for Exchange. If you have ADFS then you need to change any claims rules you have for Skype and Exchange. If you don't have claims rules then enable ADAL and consider moving to AzureAD SSO instead of ADFS.

I have checked :) and it's not enabled, not for Exchange Online or Skype 4 Business.
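As an added example (not posted by anyone in this thread), this PowerShell script performs the check the last replies describe: it reports the Modern Authentication state of both Exchange Online (OAuth2ClientProfileEnabled) and Skype for Business Online (ClientAdalAuthOverride) and only changes them when run with -Enable. It assumes a tenant admin account, the Exchange Online PowerShell module (Connect-ExchangeOnline) and the Skype for Business Online connector (New-CsOnlineSession) of that era.

```powershell
# Added example, not from the thread. Assumes Connect-ExchangeOnline (Exchange
# Online PowerShell module) and New-CsOnlineSession (Skype for Business Online
# connector) are installed and the caller is a tenant admin.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Enable   # report only unless -Enable is given; -WhatIf dry-runs
)

# Exchange Online: OAuth2ClientProfileEnabled is the Modern Auth switch
Connect-ExchangeOnline -ShowBanner:$false
$exo = Get-OrganizationConfig | Select-Object Name, OAuth2ClientProfileEnabled

# Skype for Business Online: ClientAdalAuthOverride is Allowed, Disallowed or NoOverride
$sfbSession = New-CsOnlineSession
Import-PSSession $sfbSession -AllowClobber | Out-Null
$sfb = Get-CsOAuthConfiguration | Select-Object ClientAdalAuthOverride

# Report the current state before touching anything
[pscustomobject]@{
    Tenant                  = $exo.Name
    ExchangeModernAuth      = $exo.OAuth2ClientProfileEnabled
    SkypeClientAdalOverride = $sfb.ClientAdalAuthOverride
} | Format-List

if ($Enable) {
    # Same order the thread gives: Skype first, then Exchange. This is tenant-wide;
    # users on app passwords will be prompted for their real password afterwards.
    if ($sfb.ClientAdalAuthOverride -ne 'Allowed' -and
        $PSCmdlet.ShouldProcess('Skype for Business Online', 'Allow ADAL')) {
        Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed
    }
    if (-not $exo.OAuth2ClientProfileEnabled -and
        $PSCmdlet.ShouldProcess('Exchange Online', 'Enable OAuth2 client profile')) {
        Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
    }
}

Remove-PSSession $sfbSession
```

Run it once with no switches to see the state, then with `-Enable -WhatIf` to preview the changes before applying them to a live tenant.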