SOLVED

Risks when enabling ADAL for Exchange Online and Skype

I'm considering enabling ADAL/Oauth for our Office 365 tenant to begin working with MFA, and am using the information in this wiki:

https://social.technet.microsoft.com/wiki/contents/articles/36101.office-365-enable-modern-authentication.aspx

It seems relatively trivial to enable this, but I have some reservations about making the change. Does anyone know of risks involved, or any differences that users who don't have MFA enabled might see? Will the current sign in workflow still look the same for everyone? We use the web applications, Office 2016, and iOS and Android applications for access.

Thanks!

Labels: Authentication

Re: Risks when enabling ADAL for Exchange Online and Skype

And Modern Auth is now being rolled out to all tenants apart from those using ADFS. See https://blogs.technet.microsoft.com/exchange/2019/04/01/exchange-online-modern-authentication-and-conditional-access-updates/ for this and the changes to expect.

Re: Risks when enabling ADAL for Exchange Online and Skype

LOL - like the bleep above. I'd mistakenly added a t before "it". Let's hope Microsoft never introduce a product called after a little bird :)

Re: Risks when enabling ADAL for Exchange Online and Skype

Yes backwards compatibility is both positive and negative at the same time. Whilst it might sound like one is taking a pop, but I do understand how fiendishly hard it is to move forward when you have a huge incredibly complicated infrastructure where lots of things have to change at the same time for it to be totally successful. Authentication is obviously one of these areas. Just look at how long it's taking to improve email security/combat spam. It's obviously a lot harder when there are 3rd party components in the chain.

But the specific case I mention about Outlook v1803 does annoy somewhat - when Microsoft is in control of *all* the components (Windows, Edge, Office, Skype, SharePoint, Exchange, Azure AD etc), it does surprise me how often one comes across showstopper problems - and how long it takes to fix it.

Edge issues are another area where I'm losing the plot. I've *tried* to encourage my customers to use Edge (because **bleep** should work better because it's all Microsoft) but increasingly I have to accept it's used to install Chrome :( I even had a support case with Microsoft this week where they suggested I used Chrome for debugging. Rolls eyes!

Re: Risks when enabling ADAL for Exchange Online and Skype

An interesting observation. The other take on this is that Microsoft cannot just change everything on a whim to suit the latest changes in their products because their customers expect backward compatibility at nearly any cost. So much so that when impacting changes come out the implementation that you need to put in is completely dependent upon the client and the mix of client or server technologies in use and that is the role the deployment consultant brings to the table. Even if you do the work yourself, experience is necessary.

Re: Risks when enabling ADAL for Exchange Online and Skype

> If we had checked for this in advance, we would not be in this mess.

I feel your pain! My client only has 50 users but I'd shudder to think what a mess you could get into with hundreds of thousands of users.

My take on Office 365 right now is that it's still a mixed up bunch of only just compatible technologies. Getting all the various factions to work together so that all features work with all components at the same time just seems too difficult.

And the MFA disaster on Monday this week makes me glad I didn't push my main client to enable MFA...

Re: Risks when enabling ADAL for Exchange Online and Skype

Joining this topic very late but after hitting an immediate problem with modern authentication in Office 2016 semi-annual (v1803), I wouldn't agree that turning on modern authentication is safe! I've just done a trial this evening after getting permission from the account and the test users immediately hit the fault discussed here:

https://techcommunity.microsoft.com/t5/Azure-Active-Directory/Azure-AD-W10-and-Outlook/td-p/96119

This fault/issue is fixed in the current targeted semi-annual release (v1808) but occurs in the current semi-annual release (v1803 - which most Office 365 users are on). This version was released in July this year so the issue has only been recently fixed. It'll be fixed in the next semi-annual release in January so not that long to wait.

Re: Risks when enabling ADAL for Exchange Online and Skype

Brian,

Thanks for the help and advice.

Again, I wish that the Microsoft articles were clear on this issue. If I knew this six months ago, we would not be in this current bad situation.

Re: Risks when enabling ADAL for Exchange Online and Skype

Any articles that discuss app passwords are old and out of date by at least a few years. App passwords matter only when on Outlook 2010 (generally speaking) and older PowerShell modules.

Instead turn on SSO and Modern Authentication and then the user will automatically sign in (if domain joined on the LAN).

Re: Risks when enabling ADAL for Exchange Online and Skype

Brian,

Thanks for confirming. I really wish that Microsoft did a better job of communicating this significant piece of information about MFA App Passwords not working with Modern Authentication. I still have not found any Microsoft article or document that explains this. All articles that I read tell you to use App Passwords with non-browser based clients like Outlook and ActiveSync clients. If we had checked for this in advance, we would not be in this mess.

I do not think that I can turn Modern Authentication on at this point and disrupt all of our users. If App Passwords would continue to work after enabling Modern Authentication, we could gradually transition our users.

Re: Risks when enabling ADAL for Exchange Online and Skype

Modern Auth is only enabled by default on new tenants since Aug 2017. Tenants created before then need to enable it, and the sooner the better, as then you can do seamless MFA (i.e. no app passwords).

If you have already rolled out app passwords for users and on Office 2016 or later then turning on Modern Auth will impact the users, as they will stop needing to use their app passwords and use their proper password. That's an impact to the user.

That said, without app passwords already in use (so no MFA already), if you enable Modern Auth and have SSO enabled (and the correct registry settings and URL in place) then the user will not see the new login box (this will also help if app passwords are used, as the SSO will kick in). Without SSO enabled then the user will see something

Re: Risks when enabling ADAL for Exchange Online and Skype

Daniel,

Sorry, I did not specifically address your comment:

> Modern Authentication should be enabled by default so unless you've disabled it via policy, it should be fine.

For whatever reason, Modern Authentication was disabled in our tenant. I do not know why. This is the reason I posted this question and why I am concerned.

This is a tenant wide change and it seems the behavior of all the clients will change.

I opened a case with Microsoft Support, and they told me that MFA App Passwords will no longer function after I enable Modern Authentication on the tenant. They said that all the users will be immediately prompted to re-enter their passwords and then use their OTP to authenticate.

So I am very concerned about this and I do not think that I can enable Modern Authentication now.

Thanks again for your help.

Re: Risks when enabling ADAL for Exchange Online and Skype

Thanks for the quick response.

Yes, we want to implement and we know that we need to implement.

But my main concern is the potential disruption of having to re-enter passwords and push registry changes to 500 devices, which is substantial.

Since this is a global change for the entire tenant, I do not know of a way to test on a limited basis for different types of clients to understand the impact.

Re: Risks when enabling ADAL for Exchange Online and Skype

Hi Jon,

I would expect Outlook 2016 to be OK - Modern Authentication should be enabled by default so unless you've disabled it via policy, it should be fine.

I believe the native iOS client also supports Modern Authentication, but only starting from iOS 11. You may have some issues with older iPhones. I'm afraid I don't have any information surrounding the Android and Mac clients, however I would suggest implementing Outlook for iOS, Android, and Mac across the board as this will give you the best experience as well as additional safety (such as ATP).

Thanks
Daniel

Re: Risks when enabling ADAL for Exchange Online and Skype

I know that this is an old thread, and I am hoping someone here is monitoring and will reply. We have an Office 365 tenant with about 200 users. Each user has two or more devices, so we have about 500 devices in total. The clients are mostly Outlook 2016 and the iOS Native Mail Client using ActiveSync EAS. We have a few other clients including Outlook for Mac, Outlook for iOS, Outlook for Android and the native Android mail client. We have already implemented MFA for all users and devices.

In addition to Exchange we also use Skype for Business, OneDrive and SharePoint to a limited extent.

Unfortunately, I just found out that Modern Authentication is disabled for our entire tenant. We had assumed that it was enabled since most articles say that it is enabled by default, so we never verified. In order to make all these clients work with MFA we set them all up with App Passwords.

Recent guidance from Microsoft said that we should disable legacy authentication and only use modern authentication, so we checked the status of the tenant.

If I now turn on Modern Authentication for our tenant, is this going to force all the users to re-enter their passwords on every device? Do you think that we will also need to push out these registry changes to the Outlook 2016 clients?

Any thoughts or advice would be appreciated.

Thanks

Re: Risks when enabling ADAL for Exchange Online and Skype

Hi Ryan,

Just wanted to say: THANK YOU SOOO MUCH! I've spent over 6 hours trying to figure out why Outlook wouldn't accept my password after enabling MFA. Then, 4 hours on the phone with Microsoft with no resolution. Your list of tips helped me get everything all squared away. The ticket for me was the "EnableADAL"=dword:00000001 registry entry. Many many thanks! My next step would have been to rebuild my workstation! Even after turning off MFA for my account, I was completely locked out of Outlook and couldn't reactivate any O365 Office applications. You sir, are a HERO! :)

Regards,
Bertie Pittman

Re: Risks when enabling ADAL for Exchange Online and Skype

I would always recommend advising your users of the change. It's cover for the unpredictable that happens with new implementation. If no one notices, just tell them that you were on top of it and it was only a precaution :)

Re: Risks when enabling ADAL for Exchange Online and Skype

My testing is showing the same, thanks!

Re: Risks when enabling ADAL for Exchange Online and Skype

Sorry for the delay.

My experience has been only users that have MFA enabled are affected.

Re: Risks when enabling ADAL for Exchange Online and Skype

Very helpful info Ryan, thank you. Question for you.

> # iOS 11.01 native mail app does support ADAL but S7 Samsung does not

For the S7 scenario, does this apply to all users, or only users with MFA enabled? We have BYOD users with mobile devices that are all over the place version-wise, and I'm curious to know if we flip the switch on this, will these users lose access even if they aren't using MFA?

Thanks

Re: Risks when enabling ADAL for Exchange Online and Skype

Hi Eugine,

I am working on Enabling MFA for my org which is about 1500 users. I can pass on a few tips that might save you some grief.

# Enabling ADAL is something you do globally for Exchange Online and for Skype for Business. Enabling the feature will not break legacy connections (Basic).
# Office 2016 and the latest SFB client support modern Auth natively. Office 2013 can support it also; you must ensure you have it up to date and you must manually add the registry keys below. Office 2010 and SharePoint 2013 designer (if you use it) do NOT support ADAL and therefore can not be used without an App Password
# iOS 11.01 native mail app does support ADAL but S7 Samsung does not
# Both Exchange Online and Skype for Business PowerShell now support Modern Auth however this will cause an issue for scripts you may have previously created. (I used a cloud-only automation account to get around this)
# Enabling MFA (enforcing 2 factor) caused some issues in our pilot and it was very apparent that Windows must also be up to date.
# The GUI Bulk add for MFA does not support more than 20 users per upload. (so silly)
--------

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Exchange]
"AlwaysUseMSOAuthForAutodiscover"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Common\Identity]
"Version"=dword:00000001
"EnableADAL"=dword:00000001

-------------------------------

I hope this gives you some value. Having known this ahead of time would have saved me hours of work.

Best of luck

Re: Risks when enabling ADAL for Exchange Online and Skype

As a precautionary measure we notified all users that they may have to re-credential then went ahead and enabled modern authentication.

Not sure what the difference in environment was, but we didn't get a single call to help desk, which we normally would have. (We do quite a bit of hand holding here)

We run a hybrid environment if that makes any difference.

-G

Re: Risks when enabling ADAL for Exchange Online and Skype

My experience was that most users seemed to have to re-sign into Outlook. I am Azure AD connected and my experience was a bit different. Outlook came up with the username and password prompt but the username listed AzureAD\cstack@jesuits.org. It would not accept the username until I deleted out the AzureAD.

Re: Risks when enabling ADAL for Exchange Online and Skype

Hi Matt, what exactly are you referring to when you say "Azure AD ADAL support is enabled"?

I was referring to the initial comments about enabling Oauth in ExO. After doing that, our users were not prompted to sign in to Outlook again....

Re: Risks when enabling ADAL for Exchange Online and Skype

It's true that only MFA enabled users will be prompted to set up their second factor, but that wasn't really the question. The question is what will happen when Azure AD ADAL support is enabled. In my experience all of our users with an Outlook profile configured were prompted to sign in again to Outlook using the new authentication flow.

Re: Risks when enabling ADAL for Exchange Online and Skype

Hmm, did not see that at all. Only MFA enabled users were required to set up their config... Everyone else was fine.

Re: Risks when enabling ADAL for Exchange Online and Skype

In my experience even users without MFA enabled were prompted to sign in again to Outlook.

Re: Risks when enabling ADAL for Exchange Online and Skype

No, they shouldn't be.

Re: Risks when enabling ADAL for Exchange Online and Skype

Apologies, should have been a little more specific.

I am curious as to whether or not users who are not MFA enabled will be prompted after enabling Modern Authentication?

Initial roll out of MFA is only to a couple of users but they will be the tests for everyone else.

-G

Re: Risks when enabling ADAL for Exchange Online and Skype

Eugene,

We did go forward with this. It was very simple. We chose to warn our users since they got prompted to sign in and we wanted everyone to reboot. We announced to our users that this would be done early morning on a Tuesday. It went very smoothly and everyone got their focused inbox and then on Thursday we trained/demoed focus inbox (and some other features of views in Outlook) via webinar to all our regional offices.

Re: Risks when enabling ADAL for Exchange Online and Skype

It's pretty seamless. Just be aware that some clients do not support it (such as the native ActiveSync email client on iPhones). In those cases, you have to use app passwords if using Azure MFA.

Re: Risks when enabling ADAL for Exchange Online and Skype

Did you ever move forward with this and what was your experience?
I am getting ready to perform the same task.

-G

Re: Risks when enabling ADAL for Exchange Online and Skype

We did not experience that.

Re: Risks when enabling ADAL for Exchange Online and Skype

I am being over cautious but I also want to make sure that running this command

Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

will NOT have any effect on my end users. I do not want them to be prompted to sign in via Office 2016 (Pro Plus) or mobile apps. Can someone please re-confirm that I do NOT have to warn my users of a change.

Thanks
Christine%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-67389%22%20slang%3D%22en-US%22%3ERe%3A%20Risks%20when%20enabling%20ADAL%20for%20Exchange%20Online%20and%20Skype%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-67389%22%20slang%3D%22en-US%22%3E%3CP%3EThis%20was%20my%20exact%20fear%2C%20but%20we%20enabled%20for%20modern%20auth%20for%20EOL%20and%20no%20users%20were%20prompted%2C%20yet.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-61699%22%20slang%3D%22en-US%22%3ERe%3A%20Risks%20when%20enabling%20ADAL%20for%20Exchange%20Online%20and%20Skype%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-61699%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Math%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMany%20thanks%20for%20that%20feedback%20and%20the%20best%20approach%20is%20to%20comunicate%20the%20users%20first%20what%20will%20come%20a%20new%20feature.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20will%20understand%20and%20we%20hope%20you%20change%20it%20in%20summer.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-61675%22%20slang%3D%22en-US%22%3ERe%3A%20Risks%20when%20enabling%20ADAL%20for%20Exchange%20Online%20and%20Skype%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-61675%22%20slang%3D%22en-US%22%3E%3CP%3ESo%20I%20tested%20enabling%20this%20today%20and%20was%20not%20successful.%20When%20I%20made%20the%20change%2C%20out%20Outlook%20users%20were%20all%20prompted%20to%20sign%20in%20to%20Outlook%20again%2C%20and%20some%20were%20even%20presented%20with%20our%20IDP%20sign%20in%20page%20instead%20of%20the%20normal%20Outlook%20sign-in%20box.%20I%20reverted%20the%20setting%20to%20make%20sure%20that%20further%20users%20wouldn't%20be%20affected%20by%20this.%20At%20this%20point%20I%20think%20I'll%20wait%20until%20summer%20to%20try%20this%20again.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-61505%22%20slang%3D%22en-US%22%3ERe%3A%20Risks%20when%20enabling%20ADAL%20for%20Exchange%20Online%20a
nd%20Skype%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-61505%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F50%22%20target%3D%22_blank%22%3E%40Nuno%20Silva%3C%2FA%3E%26nbsp%3BThanks!%20Sounds%20like%20I'm%20worrying%20over%20nothing!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-61500%22%20slang%3D%22en-US%22%3ERe%3A%20Risks%20when%20enabling%20ADAL%20for%20Exchange%20Online%20and%20Skype%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-61500%22%20slang%3D%22en-US%22%3EThanks%20Vasil!%20That's%20exactly%20what%20I%20was%20getting%20at!%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-61497%22%20slang%3D%22en-US%22%3ERe%3A%20Risks%20when%20enabling%20ADAL%20for%20Exchange%20Online%20and%20Skype%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-61497%22%20slang%3D%22en-US%22%3E%3CP%3EPowerShell%20will%20work%20just%20fine%2C%20in%20fact%20%22pure%22%20PowerShell%20to%20date%20does%20not%20support%20Modern%20authentication%2C%20yet%20we%20are%20still%20able%20to%20connect%20via%20the%20legacy%20method.%20Now%2C%20if%20you%20have%20the%20actual%20account%20enabled%20for%20MFA%2C%20connecting%20with%26nbsp%3B%22pure%22%26nbsp%3BPowerShell%20will%20not%20work.%20You%20will%20have%20to%20use%20the%20new%2C%20ADAL-aware%20module%20instead.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-61422%22%20slang%3D%22en-US%22%3ERe%3A%20Risks%20when%20enabling%20ADAL%20for%20Exchange%20Online%20and%20Skype%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-61422%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Matt%2C%20I%20could%20not%20be%20a%20problem%20to%20that%20because%20the%20method%20used%20in%20Powershell%20is%20different%2C%20I%20have%20connections%20using%20powershell%20without%20any%20problems.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ENote%3A%20The%20faq%20is%20older%20than%20the%20previous%20link.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22
lingo-sub-61418%22%20slang%3D%22en-US%22%3ERe%3A%20Risks%20when%20enabling%20ADAL%20for%20Exchange%20Online%20and%20Skype%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-61418%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F50%22%20target%3D%22_blank%22%3E%40Nuno%20Silva%3C%2FA%3E%26nbsp%3BThanks%2C%20but%20at%20the%20moment%20I'm%20really%20just%20referring%20to%20a%20standard%20unattended%20connection%20via%20PowerShell.%20Will%20the%20normal%20sign-in%20still%20work%20once%20modern%20auth%20is%20enabled%20assuming%20MFA%20is%20not%20enabled%20for%20the%20admin%20user%20that%20will%20be%20used%20in%20the%20script%3F%20The%20FAQ%20linked%20above%20seems%20to%20indicate%20that%20the%20traditional%20methods%20of%20connecting%20to%20Exchange%20Online%20will%20not%20work%20with%20Modern%20Auth%20in%20general%2C%20not%20just%20MFA.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-61401%22%20slang%3D%22en-US%22%3ERe%3A%20Risks%20when%20enabling%20ADAL%20for%20Exchange%20Online%20and%20Skype%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-61401%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Matt%2C%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EYou%20can%20see%20here%20-%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechnet.microsoft.com%2Fen-us%2Flibrary%2Fmt775114(v%3Dexchg.160).aspx%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Ftechnet.microsoft.com%2Fen-us%2Flibrary%2Fmt775114(v%3Dexchg.160).aspx%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-61382%22%20slang%3D%22en-US%22%3ERe%3A%20Risks%20when%20enabling%20ADAL%20for%20Exchange%20Online%20and%20Skype%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-61382%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.
com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F58%22%20target%3D%22_blank%22%3E%40Vasil%20Michev%3C%2FA%3E%26nbsp%3Bsorry%2C%20just%20one%20more%20question%20before%20I%20test%20this%20out.%20According%20to%20the%20%3CA%20href%3D%22https%3A%2F%2Fblogs.office.com%2F2015%2F11%2F19%2Fupdated-office-365-modern-authentication-public-preview%2F%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Emodern%20auth%20FAQ%3C%2FA%3E%2C%20connecting%20to%20Exchange%20Online%20via%20PowerShell%20is%20not%20currently%20supported.%20We%20have%20some%20automation%20tasks%20that%20work%20against%20Exchange%20Online%20and%20the%20Compliance%20Center%20and%20require%20unattended%20sign-in.%20Would%20you%20expect%20these%20to%20break%20once%20modern%20auth%20is%20enabled%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-61084%22%20slang%3D%22en-US%22%3ERe%3A%20Risks%20when%20enabling%20ADAL%20for%20Exchange%20Online%20and%20Skype%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-61084%22%20slang%3D%22en-US%22%3EThanks!%20I'll%20test%20this%20out%20soon.%20My%20fear%20was%20that%20changing%20this%20setting%20might%20have%20some%20effect%20on%20users%20with%20current%20outlook%20profiles%2C%20or%20sign%20ins%20on%20mobile%20apps.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-60942%22%20slang%3D%22en-US%22%3ERe%3A%20Risks%20when%20enabling%20ADAL%20for%20Exchange%20Online%20and%20Skype%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-60942%22%20slang%3D%22en-US%22%3E%3CP%3EYou%20are%20simply%20enabling%20another%20auth%20provider%2C%20it%20is%20not%20directly%20tied%20to%20MFA.%20As%20long%20as%20the%20client%20supports%20ADAL%2FModern%20auth%2C%20it%20will%20follow%20the%20new%20auth%20process%20(with%20or%20without%20MFA)%2C%20and%20if%20it%20does%20not%20support%20it%2C%20it%20will%20use%20the%20legacy%20method.%20Apart%20from%20some%20
of%20the%20PowerShell%20modules%20and%20sme%203rd%20party%20apps%2C%20all%20apps%20should%20have%20proper%20support%20for%20Modern%20auth%20now.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-60859%22%20slang%3D%22en-US%22%3ERe%3A%20Risks%20when%20enabling%20ADAL%20for%20Exchange%20Online%20and%20Skype%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-60859%22%20slang%3D%22en-US%22%3E%3CP%3EI%20only%20have%20MFA%20enabled%20on%20vendor%20accounts.%20Enabling%20MFA%20by%20itself%20did%20not%20change%20the%20user%20experience%20for%20non-MFA%20enabled%20user%20accounts.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-60858%22%20slang%3D%22en-US%22%3ERe%3A%20Risks%20when%20enabling%20ADAL%20for%20Exchange%20Online%20and%20Skype%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-60858%22%20slang%3D%22en-US%22%3EIs%20that%20because%20you%20have%20MFA%20enabled%3F%20We%20don't%20have%20this%20enabled%20yet%2C%20except%20for%20a%20few%20test%20users.%20Don%20you%20believe%20that%20if%20I%20make%20these%20changes%20that%20no%20one%20will%20notice%20a%20difference%20in%20sign%20in%20process%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-60843%22%20slang%3D%22en-US%22%3ERe%3A%20Risks%20when%20enabling%20ADAL%20for%20Exchange%20Online%20and%20Skype%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-60843%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Matt%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIt's%20not%20risky%20at%20all.%20At%20my%20experience%20it's%20simple%20as%20you%20mention.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-60815%22%20slang%3D%22en-US%22%3ERe%3A%20Risks%20when%20enabling%20ADAL%20for%20Exchange%20Online%20and%20Skype%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-60815%22%20slang%3D%22en-US%22%3E%3CP%3EI%20didn't%20experience%20any%20issues%20when%20enabling%20OAuth%20in%20my%20tenancy%20-%20apart%20from%20not%20being%20able%20to%20log%20in%20to%20my%20account%20when%20on%20a%20different%20users%20P
C%2C%20which%20is%20to%20be%20expected.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20rollback%20is%20easy%20enough%2C%20though%20be%20sure%20to%20communicate%20the%20change%20to%20your%20users.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-699313%22%20slang%3D%22en-US%22%3ERe%3A%20Risks%20when%20enabling%20ADAL%20for%20Exchange%20Online%20and%20Skype%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-699313%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F157%22%20target%3D%22_blank%22%3E%40Brian%20Reid%3C%2FA%3E%26nbsp%3BBut%20it%20still%20hasn't%20-%20and%20there%20isn't%20communication%20on%20whether%20it%20is%20'done'%20or%20will%20'be%20done'.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-699514%22%20slang%3D%22en-US%22%3ERe%3A%20Risks%20when%20enabling%20ADAL%20for%20Exchange%20Online%20and%20Skype%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-699514%22%20slang%3D%22en-US%22%3EYou%20can%20check%20the%20setting%20in%20Skype%20for%20Business%20Online%20PowerShell%20to%20see%20if%20it%20has%20changed%20in%20your%20tenant.%20There%20is%20not%20often%20communication%20that%20a%20rollout%20has%20finished.%20And%20then%20if%20you%20are%20not%20using%20ADFS%2C%20just%20enable%20ADAL%20for%20Skype%20and%20then%20again%20for%20Exchange.%20If%20you%20have%20ADFS%20then%20you%20need%20to%20change%20any%20claims%20rules%20you%20have%20for%20Skype%20and%20Exchange.%20If%20you%20don't%20have%20claims%20rules%20then%20enable%20ADAL%20and%20consider%20moving%20to%20AzureAD%20SSO%20instead%20of%20ADFS%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-699521%22%20slang%3D%22en-US%22%3ERe%3A%20Risks%20when%20enabling%20ADAL%20for%20Exchange%20Online%20and%20Skype%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-699521%22%20slang%3D%22en-US%22%3EI%20have%20checked%20%3A)%3C%2Fimg%3E%20and%20its%20not%20enabled%2C%20not%20for%20Exchange%20Onli
ne%20or%20Skype%204%20Business%3C%2FLINGO-BODY%3E
Highlighted
Contributor

I'm considering enabling ADAL/OAuth for our Office 365 tenant to begin working with MFA, and am using the information in this wiki:

https://social.technet.microsoft.com/wiki/contents/articles/36101.office-365-enable-modern-authentic...

It seems relatively trivial to enable this, but I have some reservations about making the change. Does anyone know of risks involved, or any differences that users who don't have MFA enabled might see? Will the current sign-in workflow still look the same for everyone? We use the web applications, Office 2016, and iOS and Android applications for access.

Thanks!

53 Replies

I didn't experience any issues when enabling OAuth in my tenancy - apart from not being able to log in to my account when on a different user's PC, which is to be expected.

The rollback is easy enough, though be sure to communicate the change to your users.

Hi Matt,

It's not risky at all. In my experience it's as simple as you mention.

Is that because you have MFA enabled? We don't have this enabled yet, except for a few test users. Do you believe that if I make these changes no one will notice a difference in the sign-in process?

I only have MFA enabled on vendor accounts. Enabling MFA by itself did not change the user experience for non-MFA enabled user accounts.

Best Response confirmed by Matt McNabb (Contributor)
Solution

You are simply enabling another auth provider, it is not directly tied to MFA. As long as the client supports ADAL/Modern auth, it will follow the new auth process (with or without MFA), and if it does not support it, it will use the legacy method. Apart from some of the PowerShell modules and some 3rd party apps, all apps should have proper support for Modern auth now.

Thanks! I'll test this out soon. My fear was that changing this setting might have some effect on users with current Outlook profiles, or sign-ins on mobile apps.

@Vasil Michev sorry, just one more question before I test this out. According to the modern auth FAQ, connecting to Exchange Online via PowerShell is not currently supported. We have some automation tasks that work against Exchange Online and the Compliance Center and require unattended sign-in. Would you expect these to break once modern auth is enabled?

@Nuno Silva Thanks, but at the moment I'm really just referring to a standard unattended connection via PowerShell. Will the normal sign-in still work once modern auth is enabled assuming MFA is not enabled for the admin user that will be used in the script? The FAQ linked above seems to indicate that the traditional methods of connecting to Exchange Online will not work with Modern Auth in general, not just MFA.

Hi Matt, it could not be a problem for that because the method used in PowerShell is different; I have connections using PowerShell without any problems.

Note: The FAQ is older than the previous link.

PowerShell will work just fine, in fact "pure" PowerShell to date does not support Modern authentication, yet we are still able to connect via the legacy method. Now, if you have the actual account enabled for MFA, connecting with "pure" PowerShell will not work. You will have to use the new, ADAL-aware module instead.

Thanks Vasil! That's exactly what I was getting at!

@Nuno Silva Thanks! Sounds like I'm worrying over nothing!

So I tested enabling this today and was not successful. When I made the change, our Outlook users were all prompted to sign in to Outlook again, and some were even presented with our IDP sign-in page instead of the normal Outlook sign-in box. I reverted the setting to make sure that further users wouldn't be affected by this. At this point I think I'll wait until summer to try this again.

Hi Matt,

Many thanks for that feedback. The best approach is to communicate to the users first that a new feature is coming.

We will understand and we hope you change it in summer.

This was my exact fear, but we enabled modern auth for EOL and no users were prompted, yet.

I am being overcautious but I also want to make sure that running this command

Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

will NOT have any effect on my end users. I do not want them to be prompted to sign in via Office 2016 (Pro Plus) or mobile apps. Can someone please re-confirm that I do NOT have to warn my users of a change?

Thanks

Christine

We did not experience that.

Did you ever move forward with this and what was your experience?
I am getting ready to perform the same task.

-G
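
A guarded way to make the Set-OrganizationConfig change discussed in this thread, added here as an example and not code from any poster or from Microsoft: it reads the current value first, supports -WhatIf, records the previous value, and verifies the result, so the rollback mentioned above is a single call. It assumes an already connected Exchange Online PowerShell session; the function name, its parameters and the state-file path are hypothetical.

```powershell
# Added example; not from the thread. Assumes an Exchange Online PowerShell
# session is already connected so Get-/Set-OrganizationConfig are available.
# Function name, parameter names and the default state-file path are hypothetical.
function Set-ExoModernAuth {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [bool]$Enabled,

        [string]$StateFile = (Join-Path ([IO.Path]::GetTempPath()) 'exo-modern-auth-previous.json')
    )

    # Read the tenant-wide switch before touching it.
    $before = Get-OrganizationConfig | Select-Object Name, OAuth2ClientProfileEnabled
    if ($before.OAuth2ClientProfileEnabled -eq $Enabled) {
        Write-Verbose "OAuth2ClientProfileEnabled is already $Enabled; nothing to do."
        return $before
    }

    # -WhatIf or a declined confirmation: report the current state, change nothing.
    if (-not $PSCmdlet.ShouldProcess($before.Name, "Set OAuth2ClientProfileEnabled to $Enabled")) {
        return $before
    }

    # Record the previous value so the rollback target is written down.
    [pscustomobject]@{
        Tenant        = $before.Name
        PreviousValue = $before.OAuth2ClientProfileEnabled
        ChangedAt     = (Get-Date).ToString('o')
    } | ConvertTo-Json | Set-Content -Path $StateFile -Encoding UTF8

    Set-OrganizationConfig -OAuth2ClientProfileEnabled $Enabled

    # Confirm the service stored the new value before telling anyone it is done.
    $after = Get-OrganizationConfig | Select-Object Name, OAuth2ClientProfileEnabled
    if ($after.OAuth2ClientProfileEnabled -ne $Enabled) {
        throw "OAuth2ClientProfileEnabled is still $($after.OAuth2ClientProfileEnabled) after the change."
    }
    $after
}

# Dry run, then enable, then roll back if users are prompted unexpectedly:
# Set-ExoModernAuth -Enabled $true -WhatIf
# Set-ExoModernAuth -Enabled $true -Verbose
# Set-ExoModernAuth -Enabled $false
```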