
Risks when enabling ADAL for Exchange Online and Skype

I'm considering enabling ADAL/OAuth for our Office 365 tenant to begin working with MFA, and am using the information in this wiki:
https://social.technet.microsoft.com/wiki/contents/articles/36101.office-365-enable-modern-authentication.aspx

It seems relatively trivial to enable this, but I have some reservations about making the change. Does anyone know of risks involved, or any differences that users who don't have MFA enabled might see? Will the current sign-in workflow still look the same for everyone? We use the web applications, Office 2016, and iOS and Android applications for access.

Thanks!

Labels: Authentication

Re: Risks when enabling ADAL for Exchange Online and Skype

And Modern Auth is now being rolled out to all tenants apart from those using ADFS. See https://blogs.technet.microsoft.com/exchange/2019/04/01/exchange-online-modern-authentication-and-conditional-access-updates/ for this and the changes to expect.

Re: Risks when enabling ADAL for Exchange Online and Skype

LOL - like the bleep above. I'd mistakenly added a t before "it". Let's hope Microsoft never introduce a product called after a little bird :)

Re: Risks when enabling ADAL for Exchange Online and Skype

Yes, backwards compatibility is both positive and negative at the same time. Whilst it might sound like one is taking a pop, I do understand how fiendishly hard it is to move forward when you have a huge, incredibly complicated infrastructure where lots of things have to change at the same time for it to be totally successful. Authentication is obviously one of these areas. Just look at how long it's taking to improve email security/combat spam. It's obviously a lot harder when there are 3rd party components in the chain.

But the specific case I mention about Outlook v1803 does annoy somewhat - when Microsoft is in control of *all* the components (Windows, Edge, Office, Skype, SharePoint, Exchange, Azure AD etc.), it does surprise me how often one comes across showstopper problems - and how long it takes to fix them.

Edge issues are another area where I'm losing the plot. I've *tried* to encourage my customers to use Edge (because **bleep** should work better because it's all Microsoft) but increasingly I have to accept it's used to install Chrome :( I even had a support case with Microsoft this week where they suggested I use Chrome for debugging. Rolls eyes!

Re: Risks when enabling ADAL for Exchange Online and Skype

An interesting observation. The other take on this is that Microsoft cannot just change everything on a whim to suit the latest changes in their products, because their customers expect backward compatibility at nearly any cost. So much so that when impacting changes come out, the implementation that you need to put in is completely dependent upon the client and the mix of client or server technologies in use, and that is the role the deployment consultant brings to the table. Even if you do the work yourself, experience is necessary.

Re: Risks when enabling ADAL for Exchange Online and Skype

> If we had checked for this in advance, we would not be in this mess.

I feel your pain! My client only has 50 users but I'd shudder to think what a mess you could get into with hundreds of thousands of users.

My take on Office 365 right now is that it's still a mixed-up bunch of only just compatible technologies. Getting all the various factions to work together so that all features work with all components at the same time just seems too difficult.

And the MFA disaster on Monday this week makes me glad I didn't push my main client to enable MFA...

Re: Risks when enabling ADAL for Exchange Online and Skype

Joining this topic very late, but after hitting an immediate problem with modern authentication in Office 2016 semi-annual (v1803), I wouldn't agree that turning on modern authentication is safe! I've just done a trial this evening after getting permission from the account and the test users immediately hit the fault discussed here:

https://techcommunity.microsoft.com/t5/Azure-Active-Directory/Azure-AD-W10-and-Outlook/td-p/96119

This fault/issue is fixed in the current targeted semi-annual release (v1808) but occurs in the current semi-annual release (v1803 - which most Office 365 users are on). This version was released in July this year so the issue has only been recently fixed. It'll be fixed in the next semi-annual release in January, so not that long to wait.

Re: Risks when enabling ADAL for Exchange Online and Skype

Brian,

Thanks for the help and advice.

Again, I wish that the Microsoft articles were clear on this issue. If I had known this six months ago, we would not be in this current bad situation.

Re: Risks when enabling ADAL for Exchange Online and Skype

Any articles that discuss app passwords are old and out of date by at least a few years. App passwords matter only when on Outlook 2010 (generally speaking) and older PowerShell modules.

Instead, turn on SSO and Modern Authentication and then the user will automatically sign in (if domain joined on the LAN).

Re: Risks when enabling ADAL for Exchange Online and Skype

Brian,

Thanks for confirming. I really wish that Microsoft did a better job of communicating this significant piece of information about MFA App Passwords not working with Modern Authentication. I still have not found any Microsoft article or document that explains this. All articles that I read tell you to use App Passwords with non-browser-based clients like Outlook and ActiveSync clients. If we had checked for this in advance, we would not be in this mess.

I do not think that I can turn Modern Authentication on at this point and disrupt all of our users. If App Passwords would continue to work after enabling Modern Authentication, we could gradually transition our users.

Re: Risks when enabling ADAL for Exchange Online and Skype

Modern Auth is only enabled by default on new tenants since Aug 2017. Tenants created before then need to enable it, and the sooner the better, as then you can do seamless MFA (i.e. no app passwords).

If you have already rolled out app passwords for users and are on Office 2016 or later, then turning on Modern Auth will impact the users, as they will stop needing to use their app passwords and use their proper password. That's an impact to the user.

That said, without app passwords already in use (so no MFA already), if you enable Modern Auth and have SSO enabled (and the correct registry settings and URL in place) then the user will not see the new login box (this will also help if app passwords are used, as the SSO will kick in). Without SSO enabled then the user will see something

Re: Risks when enabling ADAL for Exchange Online and Skype

Daniel,

Sorry, I did not specifically address your comment:

> Modern Authentication should be enabled by default so unless you've disabled it via policy, it should be fine.

For whatever reason, Modern Authentication was disabled in our tenant. I do not know why. This is the reason I posted this question and why I am concerned.

This is a tenant-wide change and it seems the behavior of all the clients will change.

I opened a case with Microsoft Support, and they told me that MFA App Passwords will no longer function after I enable Modern Authentication on the tenant. They said that all the users will be immediately prompted to re-enter their passwords and then use their OTP to authenticate.

So I am very concerned about this and I do not think that I can enable Modern Authentication now.

Thanks again for your help.

Re: Risks when enabling ADAL for Exchange Online and Skype

Thanks for the quick response.

Yes, we want to implement and we know that we need to implement.

But my main concern is the potential disruption of having to re-enter passwords and push registry changes to 500 devices, which is substantial.

Since this is a global change for the entire tenant, I do not know of a way to test on a limited basis for different types of clients to understand the impact.

Re: Risks when enabling ADAL for Exchange Online and Skype

Hi Jon,

I would expect Outlook 2016 to be OK - Modern Authentication should be enabled by default so unless you've disabled it via policy, it should be fine.

I believe the native iOS client also supports Modern Authentication, but only starting from iOS 11. You may have some issues with older iPhones. I'm afraid I don't have any information surrounding the Android and Mac clients; however, I would suggest implementing Outlook for iOS, Android, and Mac across the board as this will give you the best experience as well as additional safety (such as ATP).

Thanks
Daniel

Re: Risks when enabling ADAL for Exchange Online and Skype

I know that this is an old thread, and I am hoping someone here is monitoring and will reply. We have an Office 365 tenant with about 200 users. Each user has two or more devices, so we have about 500 devices in total. The clients are mostly Outlook 2016 and the iOS native Mail client using ActiveSync (EAS). We have a few other clients including Outlook for Mac, Outlook for iOS, Outlook for Android and the native Android mail client. We have already implemented MFA for all users and devices.

In addition to Exchange we also use Skype for Business, OneDrive and SharePoint to a limited extent.

Unfortunately, I just found out that Modern Authentication is disabled for our entire tenant. We had assumed that it was enabled since most articles say that it is enabled by default, so we never verified. In order to make all these clients work with MFA we set them all up with App Passwords.

Recent guidance from Microsoft said that we should disable legacy authentication and only use modern authentication, so we checked the status of the tenant.

If I now turn on Modern Authentication for our tenant, is this going to force all the users to re-enter their passwords on every device? Do you think that we will also need to push out these registry changes to the Outlook 2016 clients?

Any thoughts or advice would be appreciated.

Thanks

Re: Risks when enabling ADAL for Exchange Online and Skype

Hi Ryan,

Just wanted to say: THANK YOU SOOO MUCH! I've spent over 6 hours trying to figure out why Outlook wouldn't accept my password after enabling MFA. Then, 4 hours on the phone with Microsoft with no resolution. Your list of tips helped me get everything all squared away. The ticket for me was the "EnableADAL"=dword:00000001 registry entry. Many, many thanks! My next step would have been to rebuild my workstation! Even after turning off MFA for my account, I was completely locked out of Outlook and couldn't reactivate any O365 Office applications. You sir, are a HERO! :)

Regards,
Bertie Pittman

Re: Risks when enabling ADAL for Exchange Online and Skype

I would always recommend advising your users of the change. It's cover for the unpredictable that happens with a new implementation. If no one notices, just tell them that you were on top of it and it was only a precaution :)

Re: Risks when enabling ADAL for Exchange Online and Skype

My testing is showing the same, thanks!

Re: Risks when enabling ADAL for Exchange Online and Skype

Sorry for the delay.

My experience has been only users that have MFA enabled are affected.

Re: Risks when enabling ADAL for Exchange Online and Skype

Very helpful info Ryan, thank you. Question for you.

> # iOS 11.01 native mail app does support ADAL but S7 Samsung does not

For the S7 scenario, does this apply to all users, or only users with MFA enabled? We have BYOD users with mobile devices that are all over the place version-wise, and I'm curious to know if we flip the switch on this, will these users lose access even if they aren't using MFA?

Thanks

Re: Risks when enabling ADAL for Exchange Online and Skype

Hi Eugine,

I am working on enabling MFA for my org, which is about 1500 users. I can pass on a few tips that might save you some grief.

# Enabling ADAL is something you do globally for Exchange Online and for Skype for Business. Enabling the feature will not break legacy connections (Basic).
# Office 2016 and the latest SfB client support Modern Auth natively. Office 2013 can support it also; you must ensure you have it up to date and you must manually add the registry keys below. Office 2010 and SharePoint 2013 Designer (if you use it) do NOT support ADAL and therefore cannot be used without an App Password.
# iOS 11.01 native mail app does support ADAL but S7 Samsung does not.
# Both Exchange Online and Skype for Business PowerShell now support Modern Auth; however, this will cause an issue for scripts you may have previously created. (I used a cloud-only automation account to get around this.)
# Enabling MFA (enforcing 2 factor) caused some issues in our pilot and it was very apparent that Windows must also be up to date.
# The GUI bulk add for MFA does not support more than 20 users per upload. (so silly)
--------
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Exchange]
"AlwaysUseMSOAuthForAutodiscover"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Common\Identity]
"Version"=dword:00000001
"EnableADAL"=dword:00000001
-------------------------------

I hope this gives you some value. Having known this ahead of time would have saved me hours of work.
Best of luck

Re: Risks when enabling ADAL for Exchange Online and Skype

As a precautionary measure we notified all users that they may have to re-credential, then went ahead and enabled modern authentication.
Not sure what the difference in environment was, but we didn't get a single call to the help desk, which we normally would have. (We do quite a bit of hand holding here.)
We run a hybrid environment if that makes any difference.

-G

Re: Risks when enabling ADAL for Exchange Online and Skype

My experience was that most users seemed to have to re-sign into Outlook. I am Azure AD connected and my experience was a bit different. Outlook came up with the username and password prompt but the username listed AzureAD\cstack@jesuits.org. It would not accept the username until I deleted out the AzureAD.

Re: Risks when enabling ADAL for Exchange Online and Skype

Hi Matt, what exactly are you referring to when you say "Azure AD ADAL support is enabled"?
I was referring to the initial comments about enabling OAuth in ExO. After doing that, our users were not prompted to sign in to Outlook again....

Re: Risks when enabling ADAL for Exchange Online and Skype

It's true that only MFA-enabled users will be prompted to set up their second factor, but that wasn't really the question. The question is what will happen when Azure AD ADAL support is enabled. In my experience all of our users with an Outlook profile configured were prompted to sign in again to Outlook using the new authentication flow.

Re: Risks when enabling ADAL for Exchange Online and Skype

Hmm, did not see that at all. Only MFA-enabled users were required to set up their config... Everyone else was fine.

Re: Risks when enabling ADAL for Exchange Online and Skype

In my experience even users without MFA enabled were prompted to sign in again to Outlook.

Re: Risks when enabling ADAL for Exchange Online and Skype

No, they shouldn't be.

Re: Risks when enabling ADAL for Exchange Online and Skype

Apologies, should have been a little more specific.
I am curious as to whether or not users who are not MFA enabled will be prompted after enabling Modern Authentication?
Initial roll-out of MFA is only to a couple of users but they will be the tests for everyone else.

-G

Re: Risks when enabling ADAL for Exchange Online and Skype

Eugene,

We did go forward with this. It was very simple. We chose to warn our users since they got prompted to sign in and we wanted everyone to reboot. We announced to our users that this would be done early morning on a Tuesday. It went very smoothly and everyone got their Focused Inbox, and then on Thursday we trained/demoed Focused Inbox (and some other features of views in Outlook) via webinar to all our regional offices.

Re: Risks when enabling ADAL for Exchange Online and Skype

It's pretty seamless. Just be aware that some clients do not support it (such as the native ActiveSync email client on iPhones). In those cases, you have to use app passwords if using Azure MFA.

Re: Risks when enabling ADAL for Exchange Online and Skype

Did you ever move forward with this and what was your experience?
I am getting ready to perform the same task.

-G

Re: Risks when enabling ADAL for Exchange Online and Skype

We did not experience that.

Re: Risks when enabling ADAL for Exchange Online and Skype

I am being over-cautious but I also want to make sure that running this command

Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

will NOT have any effect on my end users. I do not want them to be prompted to sign in via Office 2016 (Pro Plus) or mobile apps. Can someone please re-confirm that I do NOT have to warn my users of a change.

Thanks
Christine%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-67389%22%20slang%3D%22en-US%22%3ERe%3A%20Risks%20when%20enabling%20ADAL%20for%20Exchange%20Online%20and%20Skype%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-67389%22%20slang%3D%22en-US%22%3E%3CP%3EThis%20was%20my%20exact%20fear%2C%20but%20we%20enabled%20for%20modern%20auth%20for%20EOL%20and%20no%20users%20were%20prompted%2C%20yet.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-61699%22%20slang%3D%22en-US%22%3ERe%3A%20Risks%20when%20enabling%20ADAL%20for%20Exchange%20Online%20and%20Skype%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-61699%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Math%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMany%20thanks%20for%20that%20feedback%20and%20the%20best%20approach%20is%20to%20comunicate%20the%20users%20first%20what%20will%20come%20a%20new%20feature.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20will%20understand%20and%20we%20hope%20you%20change%20it%20in%20summer.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-61675%22%20slang%3D%22en-US%22%3ERe%3A%20Risks%20when%20enabling%20ADAL%20for%20Exchange%20Online%20and%20Skype%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-61675%22%20slang%3D%22en-US%22%3E%3CP%3ESo%20I%20tested%20enabling%20this%20today%20and%20was%20not%20successful.%20When%20I%20made%20the%20change%2C%20out%20Outlook%20users%20were%20all%20prompted%20to%20sign%20in%20to%20Outlook%20again%2C%20and%20some%20were%20even%20presented%20with%20our%20IDP%20sign%20in%20page%20instead%20of%20the%20normal%20Outlook%20sign-in%20box.%20I%20reverted%20the%20setting%20to%20make%20sure%20that%20further%20users%20wouldn't%20be%20affected%20by%20this.%20At%20this%20point%20I%20think%20I'll%20wait%20until%20summer%20to%20try%20this%20again.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-61505%22%20slang%3D%22en-US%22%3ERe%3A%20Risks%20when%20enabling%20ADAL%20for%20Exchange%20Online%20a
nd%20Skype%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-61505%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F50%22%20target%3D%22_blank%22%3E%40Nuno%20Silva%3C%2FA%3E%26nbsp%3BThanks!%20Sounds%20like%20I'm%20worrying%20over%20nothing!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-61500%22%20slang%3D%22en-US%22%3ERe%3A%20Risks%20when%20enabling%20ADAL%20for%20Exchange%20Online%20and%20Skype%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-61500%22%20slang%3D%22en-US%22%3EThanks%20Vasil!%20That's%20exactly%20what%20I%20was%20getting%20at!%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-61497%22%20slang%3D%22en-US%22%3ERe%3A%20Risks%20when%20enabling%20ADAL%20for%20Exchange%20Online%20and%20Skype%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-61497%22%20slang%3D%22en-US%22%3E%3CP%3EPowerShell%20will%20work%20just%20fine%2C%20in%20fact%20%22pure%22%20PowerShell%20to%20date%20does%20not%20support%20Modern%20authentication%2C%20yet%20we%20are%20still%20able%20to%20connect%20via%20the%20legacy%20method.%20Now%2C%20if%20you%20have%20the%20actual%20account%20enabled%20for%20MFA%2C%20connecting%20with%26nbsp%3B%22pure%22%26nbsp%3BPowerShell%20will%20not%20work.%20You%20will%20have%20to%20use%20the%20new%2C%20ADAL-aware%20module%20instead.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-61422%22%20slang%3D%22en-US%22%3ERe%3A%20Risks%20when%20enabling%20ADAL%20for%20Exchange%20Online%20and%20Skype%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-61422%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Matt%2C%20I%20could%20not%20be%20a%20problem%20to%20that%20because%20the%20method%20used%20in%20Powershell%20is%20different%2C%20I%20have%20connections%20using%20powershell%20without%20any%20problems.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ENote%3A%20The%20faq%20is%20older%20than%20the%20previous%20link.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22
lingo-sub-61418%22%20slang%3D%22en-US%22%3ERe%3A%20Risks%20when%20enabling%20ADAL%20for%20Exchange%20Online%20and%20Skype%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-61418%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F50%22%20target%3D%22_blank%22%3E%40Nuno%20Silva%3C%2FA%3E%26nbsp%3BThanks%2C%20but%20at%20the%20moment%20I'm%20really%20just%20referring%20to%20a%20standard%20unattended%20connection%20via%20PowerShell.%20Will%20the%20normal%20sign-in%20still%20work%20once%20modern%20auth%20is%20enabled%20assuming%20MFA%20is%20not%20enabled%20for%20the%20admin%20user%20that%20will%20be%20used%20in%20the%20script%3F%20The%20FAQ%20linked%20above%20seems%20to%20indicate%20that%20the%20traditional%20methods%20of%20connecting%20to%20Exchange%20Online%20will%20not%20work%20with%20Modern%20Auth%20in%20general%2C%20not%20just%20MFA.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-61401%22%20slang%3D%22en-US%22%3ERe%3A%20Risks%20when%20enabling%20ADAL%20for%20Exchange%20Online%20and%20Skype%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-61401%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Matt%2C%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EYou%20can%20see%20here%20-%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechnet.microsoft.com%2Fen-us%2Flibrary%2Fmt775114(v%3Dexchg.160).aspx%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Ftechnet.microsoft.com%2Fen-us%2Flibrary%2Fmt775114(v%3Dexchg.160).aspx%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-61382%22%20slang%3D%22en-US%22%3ERe%3A%20Risks%20when%20enabling%20ADAL%20for%20Exchange%20Online%20and%20Skype%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-61382%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.
com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F58%22%20target%3D%22_blank%22%3E%40Vasil%20Michev%3C%2FA%3E%26nbsp%3Bsorry%2C%20just%20one%20more%20question%20before%20I%20test%20this%20out.%20According%20to%20the%20%3CA%20href%3D%22https%3A%2F%2Fblogs.office.com%2F2015%2F11%2F19%2Fupdated-office-365-modern-authentication-public-preview%2F%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Emodern%20auth%20FAQ%3C%2FA%3E%2C%20connecting%20to%20Exchange%20Online%20via%20PowerShell%20is%20not%20currently%20supported.%20We%20have%20some%20automation%20tasks%20that%20work%20against%20Exchange%20Online%20and%20the%20Compliance%20Center%20and%20require%20unattended%20sign-in.%20Would%20you%20expect%20these%20to%20break%20once%20modern%20auth%20is%20enabled%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-61084%22%20slang%3D%22en-US%22%3ERe%3A%20Risks%20when%20enabling%20ADAL%20for%20Exchange%20Online%20and%20Skype%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-61084%22%20slang%3D%22en-US%22%3EThanks!%20I'll%20test%20this%20out%20soon.%20My%20fear%20was%20that%20changing%20this%20setting%20might%20have%20some%20effect%20on%20users%20with%20current%20outlook%20profiles%2C%20or%20sign%20ins%20on%20mobile%20apps.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-60942%22%20slang%3D%22en-US%22%3ERe%3A%20Risks%20when%20enabling%20ADAL%20for%20Exchange%20Online%20and%20Skype%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-60942%22%20slang%3D%22en-US%22%3E%3CP%3EYou%20are%20simply%20enabling%20another%20auth%20provider%2C%20it%20is%20not%20directly%20tied%20to%20MFA.%20As%20long%20as%20the%20client%20supports%20ADAL%2FModern%20auth%2C%20it%20will%20follow%20the%20new%20auth%20process%20(with%20or%20without%20MFA)%2C%20and%20if%20it%20does%20not%20support%20it%2C%20it%20will%20use%20the%20legacy%20method.%20Apart%20from%20some%20
of%20the%20PowerShell%20modules%20and%20sme%203rd%20party%20apps%2C%20all%20apps%20should%20have%20proper%20support%20for%20Modern%20auth%20now.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-60859%22%20slang%3D%22en-US%22%3ERe%3A%20Risks%20when%20enabling%20ADAL%20for%20Exchange%20Online%20and%20Skype%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-60859%22%20slang%3D%22en-US%22%3E%3CP%3EI%20only%20have%20MFA%20enabled%20on%20vendor%20accounts.%20Enabling%20MFA%20by%20itself%20did%20not%20change%20the%20user%20experience%20for%20non-MFA%20enabled%20user%20accounts.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-60858%22%20slang%3D%22en-US%22%3ERe%3A%20Risks%20when%20enabling%20ADAL%20for%20Exchange%20Online%20and%20Skype%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-60858%22%20slang%3D%22en-US%22%3EIs%20that%20because%20you%20have%20MFA%20enabled%3F%20We%20don't%20have%20this%20enabled%20yet%2C%20except%20for%20a%20few%20test%20users.%20Don%20you%20believe%20that%20if%20I%20make%20these%20changes%20that%20no%20one%20will%20notice%20a%20difference%20in%20sign%20in%20process%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-60843%22%20slang%3D%22en-US%22%3ERe%3A%20Risks%20when%20enabling%20ADAL%20for%20Exchange%20Online%20and%20Skype%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-60843%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Matt%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIt's%20not%20risky%20at%20all.%20At%20my%20experience%20it's%20simple%20as%20you%20mention.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-60815%22%20slang%3D%22en-US%22%3ERe%3A%20Risks%20when%20enabling%20ADAL%20for%20Exchange%20Online%20and%20Skype%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-60815%22%20slang%3D%22en-US%22%3E%3CP%3EI%20didn't%20experience%20any%20issues%20when%20enabling%20OAuth%20in%20my%20tenancy%20-%20apart%20from%20not%20being%20able%20to%20log%20in%20to%20my%20account%20when%20on%20a%20different%20users%20P
C%2C%20which%20is%20to%20be%20expected.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20rollback%20is%20easy%20enough%2C%20though%20be%20sure%20to%20communicate%20the%20change%20to%20your%20users.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-699313%22%20slang%3D%22en-US%22%3ERe%3A%20Risks%20when%20enabling%20ADAL%20for%20Exchange%20Online%20and%20Skype%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-699313%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F157%22%20target%3D%22_blank%22%3E%40Brian%20Reid%3C%2FA%3E%26nbsp%3BBut%20it%20still%20hasn't%20-%20and%20there%20isn't%20communication%20on%20whether%20it%20is%20'done'%20or%20will%20'be%20done'.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-699514%22%20slang%3D%22en-US%22%3ERe%3A%20Risks%20when%20enabling%20ADAL%20for%20Exchange%20Online%20and%20Skype%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-699514%22%20slang%3D%22en-US%22%3EYou%20can%20check%20the%20setting%20in%20Skype%20for%20Business%20Online%20PowerShell%20to%20see%20if%20it%20has%20changed%20in%20your%20tenant.%20There%20is%20not%20often%20communication%20that%20a%20rollout%20has%20finished.%20And%20then%20if%20you%20are%20not%20using%20ADFS%2C%20just%20enable%20ADAL%20for%20Skype%20and%20then%20again%20for%20Exchange.%20If%20you%20have%20ADFS%20then%20you%20need%20to%20change%20any%20claims%20rules%20you%20have%20for%20Skype%20and%20Exchange.%20If%20you%20don't%20have%20claims%20rules%20then%20enable%20ADAL%20and%20consider%20moving%20to%20AzureAD%20SSO%20instead%20of%20ADFS%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-699521%22%20slang%3D%22en-US%22%3ERe%3A%20Risks%20when%20enabling%20ADAL%20for%20Exchange%20Online%20and%20Skype%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-699521%22%20slang%3D%22en-US%22%3EI%20have%20checked%20%3A)%3C%2Fimg%3E%20and%20its%20not%20enabled%2C%20not%20for%20Exchange%20Onli
ne%20or%20Skype%204%20Business%3C%2FLINGO-BODY%3E
Matt McNabb
Contributor

I'm considering enabling ADAL/Oauth for our Office 365 tenant to begin working with MFA, and am using the information in this wiki:

https://social.technet.microsoft.com/wiki/contents/articles/36101.office-365-enable-modern-authentic...

 

It seems relatively trivial to enable this, but I have some reservations about making the change. Does anyone know of risks involved, or any differences that users who don't have MFA enabled might see? Will the current sign in workflow still look the same for everyone? We use the web applications, Office 2016, and iOS and Android applications for access.

 

Thanks!

53 Replies

I didn't experience any issues when enabling OAuth in my tenancy - apart from not being able to log in to my account when on a different users PC, which is to be expected.

 

The rollback is easy enough, though be sure to communicate the change to your users.

Hi Matt,

 

It's not risky at all. In my experience it's as simple as you mention.

Is that because you have MFA enabled? We don't have this enabled yet, except for a few test users. Do you believe that if I make these changes no one will notice a difference in the sign-in process?

I only have MFA enabled on vendor accounts. Enabling MFA by itself did not change the user experience for non-MFA enabled user accounts.

Solution

You are simply enabling another auth provider, it is not directly tied to MFA. As long as the client supports ADAL/Modern auth, it will follow the new auth process (with or without MFA), and if it does not support it, it will use the legacy method. Apart from some of the PowerShell modules and some 3rd party apps, all apps should have proper support for Modern auth now.

Thanks! I'll test this out soon. My fear was that changing this setting might have some effect on users with current Outlook profiles, or sign-ins on mobile apps.

@Vasil Michev sorry, just one more question before I test this out. According to the modern auth FAQ, connecting to Exchange Online via PowerShell is not currently supported. We have some automation tasks that work against Exchange Online and the Compliance Center and require unattended sign-in. Would you expect these to break once modern auth is enabled?

@Nuno Silva Thanks, but at the moment I'm really just referring to a standard unattended connection via PowerShell. Will the normal sign-in still work once modern auth is enabled assuming MFA is not enabled for the admin user that will be used in the script? The FAQ linked above seems to indicate that the traditional methods of connecting to Exchange Online will not work with Modern Auth in general, not just MFA.

Hi Matt, it could not be a problem for that because the method used in PowerShell is different; I have connections using PowerShell without any problems.

 

Note: The FAQ is older than the previous link.

PowerShell will work just fine, in fact "pure" PowerShell to date does not support Modern authentication, yet we are still able to connect via the legacy method. Now, if you have the actual account enabled for MFA, connecting with "pure" PowerShell will not work. You will have to use the new, ADAL-aware module instead.

Thanks Vasil! That's exactly what I was getting at!

@Nuno Silva Thanks! Sounds like I'm worrying over nothing!

So I tested enabling this today and was not successful. When I made the change, our Outlook users were all prompted to sign in to Outlook again, and some were even presented with our IdP sign-in page instead of the normal Outlook sign-in box. I reverted the setting to make sure that further users wouldn't be affected by this. At this point I think I'll wait until summer to try this again.

Hi Matt,

 

Many thanks for that feedback; the best approach is to communicate to the users first what new feature will come.

 

We will understand and we hope you change it in summer.

This was my exact fear, but we enabled for modern auth for EOL and no users were prompted, yet.

I am being over-cautious, but I also want to make sure that running this command

Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

will NOT have any effect on my end users.  I do not want them to be prompted to sign in via Office 2016 (Pro Plus) or mobile apps.  Can someone please re-confirm that I do NOT have to warn my users of a change?

 

Thanks

 

Christine

 

We did not experience that.

Did you ever move forward with this and what was your experience?
I am getting ready to perform the same task.

-G

It's pretty seamless. Just be aware that some clients do not support it (such as the native ActiveSync email client on iPhones). In those cases, you have to use app passwords if using Azure MFA.

Eugene,

 

We did go forward with this.  It was very simple.  We chose to warn our users since they got prompted to sign in and we wanted everyone to reboot.  We announced to our users that this would be done early morning on a Tuesday.  It went very smoothly and everyone got their Focused Inbox, and then on Thursday we trained/demoed Focused Inbox (and some other features of views in Outlook) via webinar to all our regional offices.

Apologies, should have been a little more specific.

I am curious as to whether or not users who are not MFA enabled will be prompted after enabling Modern Authentication?

Initial rollout of MFA is only to a couple of users, but they will be the tests for everyone else.

 

-G

 

No, they shouldn't be.

 

In my experience even users without MFA enabled were prompted to sign in again to Outlook.

Hmm, did not see that at all. Only MFA enabled users were required to set up their config... Everyone else was fine.

It's true that only MFA enabled users will be prompted to set up their second factor, but that wasn't really the question. The question is what will happen when Azure AD ADAL support is enabled. In my experience all of our users with an Outlook profile configured were prompted to sign in again to Outlook using the new authentication flow.

Hi Matt, what exactly are you referring to when you say "Azure AD ADAL support is enabled"?

I was referring to the initial comments about enabling OAuth in ExO. After doing that, our users were not prompted to sign in to Outlook again....

My experience was that most users seemed to have to re-sign in to Outlook.  I am Azure AD connected and my experience was a bit different.  Outlook came up with the username and password prompt, but the username listed AzureAD\cstack@jesuits.org.  It would not accept the username until I deleted out the AzureAD.

As a precautionary measure we notified all users that they may have to re-credential, then went ahead and enabled modern authentication.

Not sure what the difference in environment was, but we didn't get a single call to help desk, which we normally would have. (We do quite a bit of hand holding here)

We run a hybrid environment if that makes any difference.

 

-G

Hi Eugene,

 

I am working on Enabling MFA for my org which is about 1500 users. I can pass on a few tips that might save you some grief.

 

# Enabling ADAL is something you do globally for Exchange Online and for Skype for Business. Enabling the feature will not break legacy connections (Basic).
# Office 2016 and the latest SfB client support Modern Auth natively. Office 2013 can support it also, but you must ensure you have it up to date and you must manually add the registry keys below. Office 2010 and SharePoint 2013 Designer (if you use it) do NOT support ADAL and therefore cannot be used without an App Password.
# iOS 11.01 native mail app does support ADAL, but the Samsung S7 does not.
# Both Exchange Online and Skype for Business PowerShell now support Modern Auth; however, this will cause an issue for scripts you may have previously created. (I used a cloud-only automation account to get around this.)
# Enabling MFA (enforcing 2-factor) caused some issues in our pilot, and it was very apparent that Windows must also be up to date.
# The GUI bulk add for MFA does not support more than 20 users per upload. (so silly)
--------

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Exchange]
"AlwaysUseMSOAuthForAutodiscover"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Common\Identity]
"Version"=dword:00000001
"EnableADAL"=dword:00000001

-------------------------------

 

 

I hope this gives you some value. Having known this ahead of time would have saved me hours of work.

Best of luck
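The tips above and the Set-OrganizationConfig command posted earlier in the thread amount to a small procedure: check the tenant-wide switches for Exchange Online and Skype for Business Online, flip them, and (for Office 2013 only) lay down the three registry values. Below is an added PowerShell example that does exactly that with a read-only audit and a -WhatIf dry run; it is not code from the thread or from Microsoft. It assumes you are already connected to Exchange Online PowerShell and to Skype for Business Online PowerShell (the Get-/Set-OrganizationConfig and Get-/Set-CsOAuthConfiguration cmdlets exist only inside those sessions, and the connection methods for both have changed since this thread was written), and the function names are mine.

```powershell
<#
  Added example, not from the thread or from Microsoft documentation.
  Assumes an existing Exchange Online PowerShell session and an existing
  Skype for Business Online PowerShell session. Function names are assumptions.
#>

function Get-TenantModernAuthStatus {
    # Read-only audit of the two tenant-wide switches discussed in the thread.
    $exo = (Get-OrganizationConfig).OAuth2ClientProfileEnabled        # $true / $false
    $sfb = (Get-CsOAuthConfiguration).ClientAdalAuthOverride           # Allowed / Disallowed / NoOverride
    [pscustomobject]@{
        ExchangeOnlineModernAuth = $exo
        SkypeClientAdalAuth      = $sfb
        BothEnabled              = ($exo -eq $true -and $sfb -eq 'Allowed')
    }
}

function Enable-TenantModernAuth {
    # Enables only what is not already on; run with -WhatIf first to see the plan.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $before = Get-TenantModernAuthStatus
    if (-not $before.ExchangeOnlineModernAuth -and
        $PSCmdlet.ShouldProcess('Exchange Online', 'Set OAuth2ClientProfileEnabled = $true')) {
        Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
    }
    if ($before.SkypeClientAdalAuth -ne 'Allowed' -and
        $PSCmdlet.ShouldProcess('Skype for Business Online', 'Set ClientAdalAuthOverride = Allowed')) {
        Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed
    }
    # Return the post-change state so the run documents itself.
    Get-TenantModernAuthStatus
}

# The three values from the .reg fragment above; Office 2016+ does not need them.
$script:Office2013AdalValues = @{
    'HKCU:\Software\Microsoft\Exchange'                    = @{ AlwaysUseMSOAuthForAutodiscover = 1 }
    'HKCU:\Software\Microsoft\Office\15.0\Common\Identity' = @{ Version = 1; EnableADAL = 1 }
}

function Test-Office2013AdalRegistry {
    # $true only when every value is present and set to 1 for the current user.
    foreach ($path in $script:Office2013AdalValues.Keys) {
        $item = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        foreach ($name in $script:Office2013AdalValues[$path].Keys) {
            if ($null -eq $item -or $item.$name -ne 1) { return $false }
        }
    }
    return $true
}

function Set-Office2013AdalRegistry {
    # Creates the keys if missing and writes each value as a DWORD; honours -WhatIf.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($path in $script:Office2013AdalValues.Keys) {
        if (-not (Test-Path $path) -and $PSCmdlet.ShouldProcess($path, 'Create key')) {
            New-Item -Path $path -Force | Out-Null
        }
        foreach ($name in $script:Office2013AdalValues[$path].Keys) {
            $value = $script:Office2013AdalValues[$path][$name]
            if ($PSCmdlet.ShouldProcess("$path\$name", "Set DWORD = $value")) {
                New-ItemProperty -Path $path -Name $name -Value $value -PropertyType DWord -Force | Out-Null
            }
        }
    }
    Test-Office2013AdalRegistry
}

# Usage (in the connected admin session):
#   Get-TenantModernAuthStatus          # audit only
#   Enable-TenantModernAuth -WhatIf     # dry run
#   Enable-TenantModernAuth             # apply
# Usage (on an Office 2013 workstation, as the signed-in user):
#   Test-Office2013AdalRegistry
#   Set-Office2013AdalRegistry -WhatIf
```

Running the audit before and after the change gives you a record of what was actually flipped, which is the evidence you want when users report sign-in prompts afterwards; the registry functions operate on HKCU, so they must run in the context of the user whose Outlook profile is affected.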

 

 

Very helpful info Ryan, thank you.  Question for you.

 

# iOS 11.01 native mail app does support ADAL but S7 Samsung does not 

 

For the S7 scenario, does this apply to all users, or only users with MFA enabled?  We have BYOD users with mobile devices that are all over the place version-wise, and I'm curious to know if we flip the switch on this, will these users lose access even if they aren't using MFA?

 

Thanks

sorry for the delay.

 

My experience has been only users that have MFA enabled are affected. 

My testing is showing the same, thanks!

I would always recommend advising your users of the change. It's cover for the unpredictable that happens with a new implementation. If no one notices, just tell them that you were on top of it and it was only a precaution  :)

Hi Ryan,

     Just wanted to say: THANK YOU SOOO MUCH!  I've spent over 6 hours trying to figure out why Outlook wouldn't accept my password after enabling MFA.  Then, 4 hours on the phone with Microsoft with no resolution.  Your list of tips helped me get everything all squared away.  The ticket for me was the "EnableADAL"=dword:00000001 registry entry.  Many many thanks!  My next step would have been to rebuild my workstation!  Even after turning off MFA for my account, I was completely locked out of Outlook and couldn't reactivate any O365 Office applications.  You sir, are a HERO! :)

 

Regards,

Bertie Pittman

I know that this is an old thread, and I am hoping someone here is monitoring and will reply.  We have an Office 365 tenant with about 200 users.  Each user has two or more devices, so we have about 500 devices in total.  The clients are mostly Outlook 2016 and the iOS Native Mail Client using ActiveSync EAS.  We have a few other clients including Outlook for Mac, Outlook for iOS, Outlook for Android and the native Android mail client.  We have already implemented MFA for all users and devices. 

 

In addition to Exchange we also use Skype for Business, Onedrive and SharePoint to a limited extent.

 

Unfortunately, I just found out that Modern Authentication is disabled for our entire tenant.  We had assumed that it was enabled since most articles say that it is enabled by default, so we never verified.  In order to make all these clients work with MFA we set them all up with App Passwords. 

 

Recent guidance from Microsoft said that we should disable legacy authentication and only use modern authentication, so we checked the status of the tenant.

 

If I now turn on Modern Authentication for our tenant, is this going to force all the users to re-enter their passwords on every device?  Do you think that we will also need to push out these registry changes to the Outlook 2016 clients?

 

Any thoughts or advice would be appreciated.

 

Thanks

Hi Jon,

 

I would expect Outlook 2016 to be OK - Modern Authentication should be enabled by default so unless you've disabled it via policy, it should be fine.

 

I believe the native iOS client also supports Modern Authentication, but only starting from iOS 11. You may have some issues with older iPhones. I'm afraid I don't have any information surrounding the Android and Mac clients; however, I would suggest implementing Outlook for iOS, Android, and Mac across the board as this will give you the best experience as well as additional safety (such as ATP).

 

Thanks

Daniel 

Thanks for the quick response. 

 

Yes, we want to implement and we know that we need to implement. 

 

But my main concern is the potential disruption of having to re-enter passwords and push registry changes to 500 devices, which is substantial.  

 

Since this is a global change for the entire tenant, I do not know of a way to test on a limited basis for different types of clients to understand the impact.

Daniel,

 

Sorry, I did not specifically address your comment:

 

Modern Authentication should be enabled by default so unless you've disabled it via policy, it should be fine.

 

For whatever reason, Modern Authentication was disabled in our tenant.  I do not know why.  This is the reason I posted this question and why I am concerned.

 

This is a tenant wide change and it seems the behavior of all the clients will change.

 

I opened a case with Microsoft Support, and they told me that MFA App Passwords will no longer function after I enable Modern Authentication on the tenant.  They said that all the users will be immediately prompted to re-enter their passwords and then use their OTP to authenticate.

 

So I am very concerned about this and I do not think that I can enable Modern Authentication now.

 

Thanks again for your help.

 

 

 

 

Modern Auth is only enabled by default on new tenants since Aug 2017. Tenants created before then need to enable it, and the sooner the better, as then you can do seamless MFA (i.e. no app passwords).

If you have already rolled out app passwords for users and on Office 2016 or later then turning on Modern Auth will impact the users, as they will stop needing to use their app passwords and use their proper password. That's an impact to the user.

That said, without app passwords already in use (so no MFA already), if you enable Modern Auth and have SSO enabled (and the correct registry settings and URL in place) then the user will not see the new login box (this will also help if app passwords are used, as the SSO will kick in). Without SSO enabled then the user will see something

Brian,

 

Thanks for confirming.  I really wish that Microsoft did a better job of communicating this significant piece of information about MFA App Passwords not working with Modern Authentication.  I still have not found any Microsoft article or document that explains this.  All articles that I read tell you to use App Passwords with non-browser based clients like Outlook and ActiveSync clients.  If we had checked for this in advance, we would not be in this mess.

 

I do not think that I can turn Modern Authentication on at this point and disrupt all of our users.  If App Passwords would continue to work after enabling Modern Authentication, we could gradually transition our users.

Any articles that discuss app passwords are old and out of date by at least a few years. App passwords matter only when on Outlook 2010 (generally speaking) and older PowerShell modules.

Instead turn on SSO and Modern Authentication and then the user will automatically sign in (if domain joined on the LAN).

Brian,

 

Thanks for the help and advice.

 

Again, I wish that the Microsoft articles were clear on this issue.  If I knew this six months ago, we would not be in this current bad situation.

Joining this topic very late, but after hitting an immediate problem with modern authentication in Office 2016 semi-annual (v1803), I wouldn't agree that turning on modern authentication is safe! I've just done a trial this evening after getting permission from the account and the test users immediately hit the fault discussed here:

https://techcommunity.microsoft.com/t5/Azure-Active-Directory/Azure-AD-W10-and-Outlook/td-p/96119

This fault/issue is fixed in the current targeted semi-annual release (v1808) but occurs in the current semi-annual release (v1803 - which most Office 365 users are on). This version was released in July this year so the issue has only been recently fixed. It'll be fixed in the next semi-annual release in January so not that long to wait.

> If we had checked for this in advance, we would not be in this mess.

I feel your pain! My client only has 50 users but I'd shudder to think what a mess you could get into with hundreds of thousands of users.

My take on Office 365 right now is that it's still a mixed up bunch of only just compatible technologies. Getting all the various factions to work together so that all features work with all components at the same time just seems too difficult.

And the MFA disaster on Monday this week makes me glad I didn't push my main client to enable MFA...

An interesting observation. The other take on this is that Microsoft cannot just change everything on a whim to suit the latest changes in their products because their customers expect backward compatibility at nearly any cost. So much so that when impacting changes come out, the implementation that you need to put in is completely dependent upon the client and the mix of client or server technologies in use, and that is the role the deployment consultant brings to the table. Even if you do the work yourself, experience is necessary.

Yes, backwards compatibility is both positive and negative at the same time. Whilst it might sound like one is taking a pop, I do understand how fiendishly hard it is to move forward when you have a huge, incredibly complicated infrastructure where lots of things have to change at the same time for it to be totally successful. Authentication is obviously one of these areas. Just look at how long it's taking to improve email security/combat spam. It's obviously a lot harder when there are 3rd party components in the chain.

But the specific case I mention about Outlook v1803 does annoy somewhat - when Microsoft is in control of *all* the components (Windows, Edge, Office, Skype, SharePoint, Exchange, Azure AD etc), it does surprise me how often one comes across showstopper problems - and how long it takes to fix it.

Edge issues are another area where I'm losing the plot. I've *tried* to encourage my customers to use Edge (because **bleep** should work better because it's all Microsoft) but increasingly I have to accept it's used to install Chrome :( I even had a support case with Microsoft this week where they suggested I used Chrome for debugging. Rolls eyes!

LOL - like the bleep above. I'd mistakenly added a t before "it". Let's hope Microsoft never introduce a product called after a little bird :)