SOLVED

Risks when enabling ADAL for Exchange Online and Skype

Contributor

I'm considering enabling ADAL/Oauth for our Office 365 tenant to begin working with MFA, and am using the information in this wiki:

https://social.technet.microsoft.com/wiki/contents/articles/36101.office-365-enable-modern-authentic...

 

It seems relatively trivial to enable this, but I have some reservations about making the change. Does anyone know of risks involved, or any differences that users who don't have MFA enabled might see? Will the current sign in workflow still look the same for everyone? We use the web applications, Office 2016, and iOS and Android applications for access.

 

Thanks!

53 Replies

I didn't experience any issues when enabling OAuth in my tenancy - apart from not being able to log in to my account when on a different users PC, which is to be expected.

 

The rollback is easy enough, though be sure to communicate the change to your users.

Hi Matt,

 

It's not risky at all. At my experience it's simple as you mention.

Is that because you have MFA enabled? We don't have this enabled yet, except for a few test users. Don you believe that if I make these changes that no one will notice a difference in sign in process?

I only have MFA enabled on vendor accounts. Enabling MFA by itself did not change the user experience for non-MFA enabled user accounts.

best response confirmed by Matt McNabb (Contributor)
Solution

You are simply enabling another auth provider, it is not directly tied to MFA. As long as the client supports ADAL/Modern auth, it will follow the new auth process (with or without MFA), and if it does not support it, it will use the legacy method. Apart from some of the PowerShell modules and sme 3rd party apps, all apps should have proper support for Modern auth now.

Thanks! I'll test this out soon. My fear was that changing this setting might have some effect on users with current outlook profiles, or sign ins on mobile apps.

@Vasil Michev sorry, just one more question before I test this out. According to the modern auth FAQ, connecting to Exchange Online via PowerShell is not currently supported. We have some automation tasks that work against Exchange Online and the Compliance Center and require unattended sign-in. Would you expect these to break once modern auth is enabled?

@Nuno Silva Thanks, but at the moment I'm really just referring to a standard unattended connection via PowerShell. Will the normal sign-in still work once modern auth is enabled assuming MFA is not enabled for the admin user that will be used in the script? The FAQ linked above seems to indicate that the traditional methods of connecting to Exchange Online will not work with Modern Auth in general, not just MFA.

Hi Matt, I could not be a problem to that because the method used in Powershell is different, I have connections using powershell without any problems.

 

Note: The faq is older than the previous link.

PowerShell will work just fine, in fact "pure" PowerShell to date does not support Modern authentication, yet we are still able to connect via the legacy method. Now, if you have the actual account enabled for MFA, connecting with "pure" PowerShell will not work. You will have to use the new, ADAL-aware module instead.

Thanks Vasil! That's exactly what I was getting at!

@Nuno Silva Thanks! Sounds like I'm worrying over nothing!

So I tested enabling this today and was not successful. When I made the change, out Outlook users were all prompted to sign in to Outlook again, and some were even presented with our IDP sign in page instead of the normal Outlook sign-in box. I reverted the setting to make sure that further users wouldn't be affected by this. At this point I think I'll wait until summer to try this again.

Hi Math,

 

Many thanks for that feedback and the best approach is to comunicate the users first what will come a new feature.

 

We will understand and we hope you change it in summer.

This was my exact fear, but we enabled for modern auth for EOL and no users were prompted, yet.

I am being over cautious but I also want to make sure that running this command 

Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

will NOT have any affect on my end users.  I do not want them to be prompted to sign in via Office 2016 (Pro Plus) or mobile apps.  Can someone please re-confirm that I do NOT have to warn my users of a change.

 

Thanks

 

Christine

 

We did not experience that.

Did you ever move forward with this and what was your experience?
I am getting ready to perform the same task.

-G