SOLVED

Risks when enabling ADAL for Exchange Online and Skype


I'm considering enabling ADAL/Oauth for our Office 365 tenant to begin working with MFA, and am using the information in this wiki:

https://social.technet.microsoft.com/wiki/contents/articles/36101.office-365-enable-modern-authentic...

 

It seems relatively trivial to enable this, but I have some reservations about making the change. Does anyone know of risks involved, or any differences that users who don't have MFA enabled might see? Will the current sign in workflow still look the same for everyone? We use the web applications, Office 2016, and iOS and Android applications for access.

 

Thanks!

53 Replies

It's pretty seamless. Just be aware that some clients do not support it (such as the native ActiveSync email client on iPhones). In those cases, you have to use app passwords if using Azure MFA.

Eugene,

 

We did go forward with this. It was very simple. We chose to warn our users since they got prompted to sign in and we wanted everyone to reboot. We announced to our users that this would be done early morning on a Tuesday. It went very smoothly and everyone got their Focused Inbox, and then on Thursday we trained/demoed Focused Inbox (and some other features of views in Outlook) via webinar to all our regional offices.

Apologies, should have been a little more specific.

I am curious as to whether or not users who are not MFA enabled will be prompted after enabling Modern Authentication?

Initial rollout of MFA is only to a couple of users, but they will be the tests for everyone else.

 

-G

 

No, they shouldn't be.

 

In my experience even users without MFA enabled were prompted to sign in again to Outlook.

Hmm, did not see that at all. Only MFA enabled users were required to set up their config... Everyone else was fine.

It's true that only MFA enabled users will be prompted to set up their second factor, but that wasn't really the question. The question is what will happen when Azure AD ADAL support is enabled. In my experience all of our users with an Outlook profile configured were prompted to sign in again to Outlook using the new authentication flow.

Hi Matt, what exactly are you referring to when you say "Azure AD ADAL support is enabled"?

I was referring to the initial comments about enabling OAuth in ExO. After doing that, our users were not prompted to sign in to Outlook again....

My experience was that most users seemed to have to re-sign into Outlook. I am Azure AD connected and my experience was a bit different. Outlook came up with the username and password prompt, but the username listed AzureAD\cstack@jesuits.org. It would not accept the username until I deleted out the AzureAD.

As a precautionary measure we notified all users that they may have to re-credential, then went ahead and enabled modern authentication.

Not sure what the difference in environment was, but we didn't get a single call to help desk, which we normally would have. (We do quite a bit of hand holding here)

We run a hybrid environment if that makes any difference.

 

-G

Hi Eugene,

 

I am working on Enabling MFA for my org which is about 1500 users. I can pass on a few tips that might save you some grief.

 

# Enabling ADAL is something you do globally for Exchange Online and for Skype for Business. Enabling the feature will not break legacy connections (Basic).
# Office 2016 and the latest SfB client support modern auth natively. Office 2013 can support it also, but you must ensure you have it up to date and you must manually add the registry keys below. Office 2010 and SharePoint Designer 2013 (if you use it) do NOT support ADAL and therefore cannot be used without an App Password.
# iOS 11.01 native mail app does support ADAL but the Samsung S7 does not.
# Both Exchange Online and Skype for Business PowerShell now support modern auth; however, this will cause an issue for scripts you may have previously created. (I used a cloud-only automation account to get around this.)
# Enabling MFA (enforcing 2-factor) caused some issues in our pilot, and it was very apparent that Windows must also be up to date.
# The GUI bulk add for MFA does not support more than 20 users per upload. (so silly)
--------

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Exchange]
"AlwaysUseMSOAuthForAutodiscover"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Common\Identity]
"Version"=dword:00000001
"EnableADAL"=dword:00000001

-------------------------------

I hope this gives you some value. Having known this ahead of time would have saved me hours of work.

Best of luck
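As an added example (not Ryan's or Microsoft's code), this script covers tip #1 and the registry keys above in one place: it reads the tenant-wide modern auth switches for Exchange Online and Skype for Business Online, enables them behind -WhatIf so you can preview the change, and applies the Office 2013 (15.0) registry keys only on machines where Office 2013 is actually present. It assumes you are already connected to Exchange Online PowerShell and Skype for Business Online PowerShell in the same session; the function names are my own.

```powershell
# Assumption: Exchange Online and Skype for Business Online PowerShell sessions are already open.

function Get-ModernAuthStatus {
    # Read-only view of the two tenant-wide switches; nothing is changed here.
    $exo = (Get-OrganizationConfig).OAuth2ClientProfileEnabled      # $true / $false
    $sfb = (Get-CsOAuthConfiguration).ClientAdalAuthOverride        # NoOverride / Allowed / Disallowed
    [pscustomobject]@{ ExchangeOnlineModernAuth = $exo; SkypeForBusinessModernAuth = $sfb }
}

function Enable-ModernAuth {
    # Run with -WhatIf first; the change is tenant-wide and cannot be piloted per user.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess('Exchange Online', 'Set OAuth2ClientProfileEnabled = $true')) {
        Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
    }
    if ($PSCmdlet.ShouldProcess('Skype for Business Online', 'Set ClientAdalAuthOverride = Allowed')) {
        Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed
    }
}

function Set-Office2013AdalRegistry {
    # Client-side keys from the post above, scoped to Office 2013 (15.0) so that
    # Office 2016 clients, where modern auth is on by default, are left untouched.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if (-not (Test-Path 'HKCU:\Software\Microsoft\Office\15.0')) {
        Write-Verbose 'Office 2013 not installed for this user; nothing to do.'
        return $false
    }
    $keys = @{
        'HKCU:\Software\Microsoft\Exchange'                   = @{ AlwaysUseMSOAuthForAutodiscover = 1 }
        'HKCU:\Software\Microsoft\Office\15.0\Common\Identity' = @{ Version = 1; EnableADAL = 1 }
    }
    foreach ($path in $keys.Keys) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        foreach ($name in $keys[$path].Keys) {
            $value = $keys[$path][$name]
            if ($PSCmdlet.ShouldProcess("$path\$name", "Set DWORD = $value")) {
                Set-ItemProperty -Path $path -Name $name -Value $value -Type DWord
            }
        }
    }
    return $true
}

Get-ModernAuthStatus
Enable-ModernAuth -WhatIf
Set-Office2013AdalRegistry -WhatIf -Verbose
```

Drop the -WhatIf switches once the preview output matches what you intend; the registry function is idempotent, so it is safe to push repeatedly via a logon script.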

Very helpful info Ryan, thank you.  Question for you.

 

# iOS 11.01 native mail app does support ADAL but S7 Samsung does not 

 

For the S7 scenario, does this apply to all users, or only users with MFA enabled?  We have BYOD users with mobile devices that are all over the place version-wise, and I'm curious to know if we flip the switch on this, will these users lose access even if they aren't using MFA?

 

Thanks

sorry for the delay.

 

My experience has been only users that have MFA enabled are affected. 

My testing is showing the same, thanks!

I would always recommend advising your users of the change. It's cover for the unpredictable that happens with a new implementation. If no one notices, just tell them that you were on top of it and it was only a precaution :)

Hi Ryan,

Just wanted to say: THANK YOU SOOO MUCH! I've spent over 6 hours trying to figure out why Outlook wouldn't accept my password after enabling MFA. Then, 4 hours on the phone with Microsoft with no resolution. Your list of tips helped me get everything all squared away. The ticket for me was the "EnableADAL"=dword:00000001 registry entry. Many many thanks! My next step would have been to rebuild my workstation! Even after turning off MFA for my account, I was completely locked out of Outlook and couldn't reactivate any O365 Office applications. You sir, are a HERO! :)

 

Regards,

Bertie Pittman

I know that this is an old thread, and I am hoping someone here is monitoring and will reply.  We have an Office 365 tenant with about 200 users.  Each user has two or more devices, so we have about 500 devices in total.  The clients are mostly Outlook 2016 and the iOS Native Mail Client using ActiveSync EAS.  We have a few other clients including Outlook for Mac, Outlook for iOS, Outlook for Android and the native Android mail client.  We have already implemented MFA for all users and devices. 

 

In addition to Exchange we also use Skype for Business, Onedrive and SharePoint to a limited extent.

 

Unfortunately, I just found out that Modern Authentication is disabled for our entire tenant.  We had assumed that it was enabled since most articles say that it is enabled by default, so we never verified.  In order to make all these clients work with MFA we set them all up with App Passwords. 

 

Recent guidance from Microsoft said that we should disable legacy authentication and only use modern authentication, so we checked the status of the tenant.

 

If I now turn on Modern Authentication for our tenant, is this going to force all the users to re-enter their passwords on every device? Do you think that we will also need to push out these registry changes to the Outlook 2016 clients?

 

Any thoughts or advice would be appreciated.

 

Thanks

Hi Jon,

 

I would expect Outlook 2016 to be OK - Modern Authentication should be enabled by default so unless you've disabled it via policy, it should be fine.

 

I believe the native iOS client also supports Modern Authentication, but only starting from iOS11. You may have some issues with older iPhones. I'm afraid I don't have any information surrounding the Android and Mac clients, however I would suggest implementing Outlook for iOS, Android, and Mac across the board as this will give you the best experience as well as additional safety (such as ATP).

 

Thanks

Daniel 

Thanks for the quick response. 

 

Yes, we want to implement and we know that we need to implement. 

 

But my main concern is the potential disruption of having to re-enter passwords and push registry changes to 500 devices, which is substantial.  

 

Since this is a global change for the entire tenant, I do not know of a way to test on a limited basis for different types of clients to understand the impact.