ADFS 2016, Exchange Online, Office 365.

Hey guys,

Trying to understand something here. I have ADFS 2016 installed on-prem and am able to correctly authenticate to it, when using my phone and when using OWA.

However, what about Outlook 2016? How does that integrate with ADFS? As a test I re-ran AD Connect and selected the option to configure an existing ADFS server; everything completed successfully, and I am able to auth via OWA etc.

However, I also wanted to verify if ADFS was used when authenticating via Outlook and am not able to find any good info on it. For instance, if I completely disable my ADFS proxy server's NIC then I am still able to auth via Outlook, but, as expected, not via OWA.

This is a hybrid environment, with users synced to the cloud.

Any ideas?

Thanks,

Robert

3 Replies

Outlook 2016 and above supports Modern authentication by default, meaning it can use the same auth mechanisms as the browser client. However, MA needs to be enabled both client side and server side. The easiest way to tell is to simply look at the login prompt you are getting. Or if you want to check on the AD FS server side, the audit logs should show calls to the /adfs/ls endpoint.

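The audit-log check suggested in the reply above, as an added example (it is not code from the thread or from Microsoft): enable verbose AD FS auditing, then summarize Security-log events that hit the /adfs/ls endpoint by client user agent, so an Outlook entry can be distinguished from a browser entry. The three sample event messages are constructed here to exercise the parser offline; the assumption that verbose audit events carry "Url Absolute Path:" and "User Agent:" lines in their message text is labelled in the code and may need adjusting to your event text.

```powershell
# Added example, not code from the thread or from Microsoft: summarize AD FS
# audit events for requests to the /adfs/ls endpoint by client user agent.
# Prerequisites (real commands, run once as an admin on the AD FS 2016 server):
#   Set-AdfsProperties -AuditLevel Verbose
#   auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable
# Assumption: the verbose audit events in the Security log carry
# "Url Absolute Path:", "User Agent:" and "Through Proxy:" lines in their message text.

function Get-AdfsLsRequest {
    param([Parameter(Mandatory)][string[]]$Message)
    foreach ($m in $Message) {
        # Keep only requests to the WS-Federation/SAML sign-in endpoint used by modern auth
        if ($m -match '(?im)^\s*Url Absolute Path:\s*(?<path>/adfs/ls\S*)') {
            $path = $Matches['path']
            $ua   = if ($m -match '(?im)^\s*User Agent:\s*(?<ua>.+?)\s*$') { $Matches['ua'] } else { '<none>' }
            $prox = if ($m -match '(?im)^\s*Through Proxy:\s*(?<p>\S+)') { $Matches['p'] } else { '<unknown>' }
            [pscustomobject]@{ Path = $path; UserAgent = $ua; ThroughProxy = $prox }
        }
    }
}

# Constructed sample messages (not real captured events) to exercise the parser offline
$sampleOutlook = @"
An HTTP request was received.
Request Details:
    Url Absolute Path: /adfs/ls/
    User Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.4266; Pro)
    Through Proxy: True
"@
$sampleBrowser = @"
An HTTP request was received.
Request Details:
    Url Absolute Path: /adfs/ls/
    User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/70.0
    Through Proxy: True
"@
$sampleOther = @"
An HTTP request was received.
Request Details:
    Url Absolute Path: /adfs/services/trust/2005/usernamemixed
    User Agent: <none>
    Through Proxy: False
"@

# Only the two /adfs/ls samples are listed; the WS-Trust request is filtered out
Get-AdfsLsRequest -Message $sampleOutlook, $sampleBrowser, $sampleOther |
    Group-Object UserAgent | Sort-Object Count -Descending | Select-Object Count, Name

# Same summary over the real Security log for the last 24 hours
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ProviderName = 'AD FS Auditing'; StartTime = $since } -ErrorAction SilentlyContinue
if ($events) {
    Get-AdfsLsRequest -Message $events.Message |
        Group-Object UserAgent | Sort-Object Count -Descending | Select-Object Count, Name
}
```

If Outlook never shows up in the grouped output while browser sign-ins do, the client is either not using modern authentication or, as the later reply explains, still holds a valid token and has no reason to contact AD FS.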

@Vasil Michev

Thanks for the response. I don't think I asked the question right. Everything is working fine; however, what I wanted to know was why I was able to authenticate successfully using Outlook when the ADFS server was not accessible via the internet. I can also add a new account as well, and still auth again when my ADFS server is inaccessible.

I have PTA auth enabled in the tenant as well. I can't figure out how to disable it, even though I turned it off via AD Connect.

Thanks,

Robert


As long as you have a valid refresh token, the local AD FS server plays no role. Only when the token expires will the client be redirected to the AD FS server.
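A way to observe the behaviour described in the reply above without waiting for the refresh token to expire, as an added example that is not code from the thread: revoke the user's refresh tokens in Azure AD, which forces Outlook to re-authenticate interactively, then look for the resulting /adfs/ls request in the AD FS audit log. It assumes the AzureAD PowerShell module, that the user's domain is federated to this AD FS farm, and that verbose AD FS auditing is already enabled; the `$UserPrincipalName` parameter is a placeholder, and the "User Agent:" line in the audit message text is an assumption labelled in the code.

```powershell
# Added example, not code from the thread: reproduce the AD FS redirect on demand
# instead of waiting for the refresh token to expire. Revoking the user's refresh
# tokens in Azure AD forces Outlook to re-authenticate interactively, which for a
# federated domain goes through AD FS. Assumes the AzureAD PowerShell module,
# a federated domain for the user, and verbose AD FS auditing already enabled.
# Caveat: this signs the user out of every client and browser session, not just Outlook.

param(
    [Parameter(Mandatory)][string]$UserPrincipalName   # placeholder, e.g. user@example.com
)

Connect-AzureAD | Out-Null
$user   = Get-AzureADUser -ObjectId $UserPrincipalName
$marker = Get-Date
Revoke-AzureADUserAllRefreshToken -ObjectId $user.ObjectId
Write-Host "Refresh tokens revoked for $UserPrincipalName at $marker. Restart Outlook and sign in, then check AD FS."

# Run on the AD FS server: list /adfs/ls requests logged since the revocation.
# Assumption: the verbose audit message text contains a "User Agent:" line.
function Get-AdfsLsRequestSince {
    param([Parameter(Mandatory)][datetime]$Since)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ProviderName = 'AD FS Auditing'; StartTime = $Since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '/adfs/ls' } |
        Select-Object TimeCreated, Id,
            @{ Name = 'UserAgent'; Expression = { if ($_.Message -match '(?im)^\s*User Agent:\s*(.+?)\s*$') { $Matches[1] } else { '<none>' } } }
}

Get-AdfsLsRequestSince -Since $marker
# An entry with a "Microsoft Office/16.0 ..." user agent confirms Outlook went through AD FS
# for this sign-in; before the revocation, a valid refresh token meant no such entry appeared.
```

Disabling the proxy NIC again after the revocation should now break Outlook sign-in as well, since the client has nothing cached and must reach AD FS to get a new token.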