Basic Authentication vs. Modern Authentication and How to Enable It in Office 365
According to a Verizon report, the majority of data breaches are made possible by compromised credentials, especially on email servers. Social engineering, credential phishing and brute force attacks are some of the methods used by malicious actors to steal credentials.
To improve the security of Office logins and help prevent data breaches, Microsoft introduced the modern authentication method. This method requires additional user authentication and authorization when connecting to online Office 365 resources.
Due to its significant benefits, modern authentication has been enabled by default in all Office 365 tenants created since 2017. It is the only login method available for Office 365 apps and services. However, in hybrid on-premises–cloud Office deployments, you need to enable modern authentication manually for older Office client versions and disable basic authentication where possible.
This blog offers a short overview of the basic and modern authentication methods for hybrid Office deployments and provides the steps to enable modern authentication in Office 365.
Modern Authentication vs. Basic Authentication
Until the deprecation of basic authentication scheduled for the end of 2022, Microsoft will provide two types of authentication for hybrid deployments of Exchange and Skype for Business: basic authentication and modern authentication. Note that for connecting to SharePoint Online using a client, only modern authentication and Microsoft Online Sign-in Assistant are available.
These two authentication methods widely differ in terms of protection capabilities. Even though basic authentication will be deprecated later this year, it’s important to understand the differences between the two options.
What is basic authentication?
Basic authentication is the process of connecting to Office 365 applications using only a username and password. When you enter your username and password in an email client, these are transmitted to Exchange Online for verification and authentication before connecting you to the cloud service.
This is an outdated method that can no longer provide adequate protection against credential threats. One of the main vulnerabilities of basic authentication is that applications store user credentials on the device, which creates more opportunities for hackers trying to steal passwords. Moreover, many of Microsoft’s identity and access management features, like Conditional Access and multi-factor authentication (MFA) are not available with this Office 365 legacy authentication.
What is modern authentication?
Modern authentication is a combination of different authentication and authorization methods to access Microsoft Office cloud resources. Modern authentication is based on the Active Directory Authentication Library (ADAL) and OAuth 2.0.
- Active Directory Authentication Library is an authentication tool for apps to access secured resources via security tokens. With ADAL, users also get single sign-on (SSO) for seamless access to the Office 365 resources available to them.
- OAuth 2.0 is an authorization protocol that allows users to access resources via a client app using access tokens. This framework involves access delegation and, as such, user credentials are not shared with the resource server.
The modern authentication framework adds an extra layer of security for users logging in to their Microsoft 365 resources from client apps. In addition, this framework allows for the activation of multi-factor authentication (MFA) and the use of Conditional Access policies.
How to Enable Modern Authentication in Office 365
For Microsoft tenants created before August 2017, there are different methods to enable modern authentication in Office 365:
Using the Microsoft 365 admin center
To turn on modern authentication in Office 365 through the admin center:
- Log in to the Microsoft 365 admin center.
- In the left navigation pane, expand Settings and then click Org settings.
- Under Services, choose Modern authentication.
- Select the Turn on modern authentication for Outlook 2013 for Windows and later (recommended) checkbox.
- Click Save.
Using Exchange Online PowerShell
Follow the steps below to turn on modern authentication using Exchange Online PowerShell:
- Connect to Exchange Online PowerShell.
- Run the following command for Outlook 2013 or later clients:
Set-OrganizationConfig -OAuth2ClientProfileEnabled $true - Verify that the change was successful and modern authentication was enabled with this command:
Get-OrganizationConfig | Format-Table Name,OAuth* -Auto
It is important to note that this does not stop you from using the basic authentication method. However, you can force the use of O365 legacy authentication in Outlook 2013 or later by running the command:
Set-OrganizationConfig -OAuth2ClientProfileEnabled $false
Disabling Office 365 Basic Authentication
After enabling modern authentication in Office 365, you can now disable the basic authentication protocols. However, you need to make sure that no users benefit from it. Follow these steps to check if anyone is using basic authentication:
- Open your Microsoft Azure account.
- Access the Azure Active Directory.
- Choose Sign-in logs in the left navigation pane.
- Change Date range to Last 7 days or more.
- Click Add filters.
- Select Client app then click Apply.
- Click on the newly created filter Client app.
- Tick all boxes under Legacy Authentication Clients
- Click Apply.
This list includes all sign-in events with their corresponding users and applications. Before you disable basic authentication, you can migrate all these applications to the modern authentication protocols so you would not lose them.
To disable O365 legacy authentication:
- Access the Microsoft 365 admin center.
- In the left navigation pane, expand Settings and click Org settings.
- Choose Modern authentication under Services.
- Deselect all checkboxes under Allow access to basic authentication protocols.
- Click Save.
Outlook Modern Authentication
While the latest Outlook editions support modern authentication by default, adding it to older clients requires manual configuration. Different versions of Outlook have varying requirements when it comes to enabling modern authentication:
- Outlook 2010 or earlier: Modern authentication is not supported and you need to upgrade Outlook to benefit from this functionality.
- Outlook 2013: Modern authentication is available but not turned on by default, and you should force Outlook to use it once it is enabled.
- Outlook 2016 or later + Outlook 365: Modern authentication is available and enabled by default.
The table below sums up the requirements of each version:
| Outlook Version | Modern Auth | EnableADAL reg key | Force Modern Auth |
| Outlook 2010 | Not supported | Not available | Not available |
| Outlook 2013 | Supported | Required | Required |
| Outlook 2016 | Supported | Not required | Not required |
| Outlook 2019 | Supported | Not required | Not required |
| Outlook 365 | Supported | Not required | Not required |
Modern authentication in Outlook 2013
As previously mentioned, Outlook 2013 supports modern authentication but uses basic authentication by default. You can turn on modern authentication manually.
To do so, you need to add the following keys in the Windows registry:
| Registry Key | Type | Value |
| HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity\EnableADAL | REG_DWORD | 1 |
| HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity\Version | REG_DWORD | 1 |
After setting these keys, Microsoft recommends that you add one more registry key to force Outlook 2013 to use modern authentication so it does not revert to the basic authentication. The key you should use is:
| Registry Key | Type | Value |
| HKEY_CURRENT_USER\Software\Microsoft\Exchange\AlwaysUseMSOAuthForAutoDiscover | REG_DWORD | 1 |
Modern authentication in Outlook 2016 or later
While modern authentication is enabled by default in Outlook 2016, it is advised that you force modern authentication with the registry key below:
| Registry Key | Type | Value |
| HKEY_CURRENT_USER\Software\Microsoft\Exchange\AlwaysUseMSOAuthForAutoDiscover | REG_DWORD | 1 |
Skype for Business Modern Authentication
Since modern authentication is turned off by default for all Microsoft tenants created before August 1, 2017, you need to turn it on manually. Just like in Outlook, you can enable modern authentication in Skype for Business with the following registry keys:
| Registry Key | Type | Value |
| HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\Lync\ AllowAdalForNonLyncIndependentOfLync | REG_DWORD | 1 |
| HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Lync\ AllowAdalForNonLyncIndependentOfLync | REG_DWORD | 1 |
Conclusion
Microsoft is phasing out the O365 legacy authentication since a simple set of credentials can no longer guarantee the needed security protection. Luckily, other security measures are available, and turning on modern authentication in Office 365 is recommended. Once enabled, you can activate multi-factor authentication (MFA), define permissions and restrict access to specific applications for users.
That said, having a third-party comprehensive backup solution ensures optimal protection for Office 365 environments. A complete data protection solution like NAKIVO Backup & Replication includes all the tools you need to protect Microsoft 365 data in your organization.
