Turning on Modern Authentication with mixed Outlook versions


Hi,

 

We have not yet turned on Modern Authentication in our tenant.

 

Our scenario:

Hybrid environment with Exchange 2010 and Office 365 without ADFS.

We have approximately 1.5k users with Enterprise E3 licenses and Office 365 ProPlus 2016

Another 1.5k users with Enterprise E1 license and Office 2010 (we still have a lot of licenses for Office 2010, and E3 is quite expensive)

And another 2k users with Enterprise F1 (formerly K1) licenses.

Multi-Factor Authentication is enforced on all our users.

 

All Outlook and Skype for Business profiles have been set up with an App Password because of MFA.

 

If we enable Modern Authentication, what would happen with all those configured accounts?

Would they get another login prompt or would it just continue to work?

 

There is no way to enable it for a couple of users and see what would happen.

 

Also, what about the users who still have Office 2010? Would they be able to continue working with the App Passwords?

Or would we render them unable to log in to Outlook anymore?

 

It's hard for us to know what the consequences are.

The last thing we want is to cause issues with users' Outlook and Skype for Business.

It took us a lot of effort to teach them about MFA and App Passwords.

5 Replies

If you enable Modern auth server-side, old clients will still be able to connect via legacy auth, unless you specifically block it (whether you can actually block it is a different topic altogether). So in general, you should not see a change in behavior with them.

 

But any user with 2013/2013 *should* switch to using Modern auth. You can enable it client-side for a few test/pilot users and make sure you don't run into any stopping issues with them. I would even advise you to clear the stored credentials in order to force the switch if it doesn't automatically happen. App passwords are an ugly hack and you should stop using them where possible.
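
An added example, not part of the reply above and not a Microsoft-provided script: one way to run the pilot that reply describes, checking the tenant switch and turning on modern authentication (ADAL) for a single pilot user's Office client. It assumes Office 2013 (registry hive `15.0`) and, for the tenant check, an already connected Exchange Online PowerShell session; the function names and the credential filter string are hypothetical.

```powershell
# Added example. Run the client functions in the pilot user's own session.
# Assumption: Office 2013 (hive 15.0), where ADAL is off unless these values are set.
$identityKey = 'HKCU:\Software\Microsoft\Office\15.0\Common\Identity'

function Get-ModernAuthClientState {
    # Current client-side values ($null when unset), kept for rollback.
    $props = Get-ItemProperty -Path $identityKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        EnableADAL = $props.EnableADAL
        Version    = $props.Version
    }
}

function Enable-ModernAuthClient {
    # Sets EnableADAL=1 and Version=1 for the current user only.
    if (-not (Test-Path $identityKey)) {
        New-Item -Path $identityKey -Force | Out-Null
    }
    $before = Get-ModernAuthClientState
    foreach ($name in 'EnableADAL', 'Version') {
        New-ItemProperty -Path $identityKey -Name $name `
            -PropertyType DWord -Value 1 -Force | Out-Null
    }
    [pscustomobject]@{ Before = $before; After = Get-ModernAuthClientState }
}

function Get-TenantModernAuthState {
    # Tenant-wide switch for Exchange Online; needs a connected admin session.
    Get-OrganizationConfig | Select-Object Name, OAuth2ClientProfileEnabled
}

function Get-CachedOfficeCredential {
    # Lists Credential Manager targets that mention Office so they can be
    # reviewed before clearing. The 'Office' filter is an assumption about
    # how the cached entries are named on your clients.
    cmdkey /list | Select-String -Pattern 'Target:.*Office'
}

# Pilot workflow (uncomment the steps you need):
# Get-TenantModernAuthState          # admin: confirm the server-side setting
# Enable-ModernAuthClient            # pilot user: switch the client, record Before/After
# Get-CachedOfficeCredential         # pilot user: find stored app-password entries
```

The `Before` values returned by `Enable-ModernAuthClient` are what to restore if the pilot client has to be rolled back to its previous state.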


An ideal scenario would be that we enable it for the whole organization and nothing would change for all accounts that are already configured.

 

We would then let most of it phase out:

-> New users would get Modern Auth

-> Existing users receiving a new device would get Modern Auth

-> We would switch others in batches

 

This would allow us to do it at our own pace without causing a big bang by enabling it for the whole organization.
However, I couldn't find any official article that explained this in detail.

Nowhere is it mentioned what would happen to existing clients and older Outlook versions.

 

And yes, we don't like app passwords either. Modern Auth would allow us to get rid of them.

I have a similar situation although a slightly different scenario.

We have Outlook 2016 clients in Exchange Online with Modern Auth OFF at the tenant level. If Modern Auth is enabled, what would the Outlook behavior be? Would Outlook clients switch silently or would there be auth prompts?
Thanks.

Well, I'm curious myself. So if you figure it out please share your experience :)

@Aldin Turcinovic 

 

We turned on Modern Auth and did not experience any auth prompts.

 

Thanks.