Enable Modern Authentication

By | October 23, 2019

At the moment many companies have a lot of data in public cloud, that data is usually secured by user identities, it’s common that users choose a weak and common password, that are easy for hackers to recognize.
By enabling Multi-factor authentication (MFA) you are able to secure your user identities and your data in a secure and cheap way.
Modern Authentication (OAuth 2.0) is required for authenticating with MFA. You are able to enable OAuth from the Office365 administrator portal or with Powershell, remember to “Remove-PSSession” before closing your Powershell. If you enable it by the administrator portal it will only be turned on for Exchange Online.

Enable OAuth Authentication in Office365 Administrator Portal:

Login to Office portal and browse to Settings –> Services & add-ins –> Modern authentication –> Enable Modern authentication –> Save Changes.

Enable OAuth Authentication for Exchange Online With Powershell:

#Connect to Exchange Online
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange `
-ConnectionUri https://outlook.office365.com/powershell-liveid/ `
-Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session -DisableNameChecking

#Get OAuth configuration
Get-OrganizationConfig | Format-Table Name,OAuth* -Auto

#Enable OAuth
set-OrganizationConfig -OAuth2ClientProfileEnabled $true

#Disable OAuth
#set-OrganizationConfig -OAuth2ClientProfileEnabled $false

#Remove Powershell Session
Remove-PSSession $Session

Enable OAuth Authentication For Skype for Business Online With Powershell:

To connect to Skype For Business Online you will have to install Powershell Module.
If you are getting the error below, you will have to install Visual Studio C++ Runtime package, it can be found here.

 

Remember to restart your pc after installation of Visual Studio C++ Runtime. After the restart, you should now be able to install the PowerShell module, and connect to Skype For Business Online

 

#Connect Skype For Business Online
$sfboSession = New-CsOnlineSession -UserName [email protected]
Import-PSSession $sfboSession

#Get OAuth configuration
Get-CsOAuthConfiguration

#Enable OAuth
Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed

#Disable OAuth
#Set-CsOAuthConfiguration -ClientAdalAuthOverride Disallowed

#Remove Powershell Session
Remove-PSSession $sfboSession

Supported Client versions:

Windows Clients:
Office 2016 and forward support modern authentication out-of-the-box.
If you are using Office 2013 you will have to set two registry keys.
Anything lower than Office 2013 will not support modern authentication.
First regkey:
Key Path: HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity
Key Name: EnableADAL
Key Type: REG_DWORD
Key Value: 1

Second regkey:
Key Path: HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity\Version
Key Name: Version
Key Type: REG_DWORD
Key Value: 1

macOS Clients:
Apple added support for modern authentication in macOS version 10.14 Mojave (Liberty) for their build-in mail application.
macOS does also support installation of Microsoft Office.

iOS Mobile Clients:
Apple added support for modern authentication in iOS version 11.0 for their build-in mail application.
Microsoft Outlook app is also available for iOS.

Android Mobile Clients:
When it comes to Android phones, it really depends on the manufacture of the phone. Samsung built-in email app does support modern authentication. Other manufacturers don’t have support for their app yet, so you won’t be able to add an MFA enforced account to the mail app unless you allow Microsoft App Password, But that method will bypass all of your conditional access policies which is a really bad idea.
As an alternative, you can use Microsoft Outlook app.

Leave a Reply

Your email address will not be published.