One of the Office 365 concepts that gets glossed over a bit is “single sign-on”, in particular when it comes to Outlook. Many will provide the statement that if you implement AD FS, then you have single sign-on.
While it is true that AD FS provides single sign-on for some workloads, I’ve often argued that Outlook, possibly the most popular application used with Office 365, is not single sign-on under any scenario.
Last week Microsoft somewhat quietly updated documentation around “Modern Authentication” which gets us closer to “true” single sign-on.
Below is a link-filled overview of Modern Authentication and how it gets us closer to “true” single sign-on…
Why Outlook Isn’t Single Sign-On Today
In the current process, a user launches Outlook and is prompted for his/her Office 365 credentials. This is because Outlook is actually doing “basic authentication” to Office 365, and if you look at the traffic flows, Exchange Online is authenticating to your on-premises AD FS on behalf of the user. After the user enters the login and password, there is an option to “save” the credentials using the Windows Credential Manager. On the next launch of Outlook the user is not prompted again, but only because the stored credentials are replayed. The user will have “reduced sign-on” until the next password change, at which point the saved credentials are no longer valid.
I refuse to accept that saving credentials in the credential manager is true “single sign-on”, especially given that you’ve entered your login more than once (seemingly breaking the definition of “single”).
An additional difficulty with the current authentication process is that it doesn’t allow for a good way to implement multi-factor authentication (MFA). So instead of being able to use the Azure Multi-Factor Authentication feature, your only option is the stop-gap “App Passwords” feature which is far from great.
Modern Authentication
Going back to early 2014, we’ve been hearing about “Modern Authentication” and how it will solve some of the above issues. In the past year or so, updates have been announced where the service side was being updated or the clients were being updated. Initially, the list of incompatibilities was pretty lengthy but it’s since been reduced significantly. In March 2015, a public preview was announced and now the functionality can be enabled on your own and comes with production support.
Enabling Modern Authentication
It appears that Modern Authentication is enabled per-workload in Office 365. SharePoint Online is enabled by default, Exchange Online can be enabled by tenant administrators, and Skype for Business requires a ticket to Microsoft. On the client side, Office 2016 will use Modern Authentication as first priority, and Office 2013 will require a registry change to make it the priority. If you’re using AD FS, you’ll want to check out KB3052203 for some additional configuration items. If you’re using AD FS claims rules, you’ll want to understand how Modern Authentication will impact those rules.
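As an added example (not code from the original post), the following PowerShell checks and enables the two switches just described: the Exchange Online tenant setting and the Office 2013 client registry change. It assumes an already-connected Exchange Online PowerShell session for Get-/Set-OrganizationConfig, and assumes the Office 2013 (15.0) key HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity with the DWORD values EnableADAL and Version, which the post itself does not name.

```powershell
# Added example, not from the original post. Assumes an existing Exchange Online
# PowerShell session and that the client part runs on the Office 2013 workstation
# as the user whose Outlook profile is affected.

# --- Service side: Exchange Online tenant switch ---
function Enable-ExoModernAuth {
    $org = Get-OrganizationConfig
    if ($org.OAuth2ClientProfileEnabled) {
        Write-Host 'Modern Authentication is already ON for Exchange Online.'
        return $true
    }
    Write-Host 'Modern Authentication is OFF for Exchange Online; enabling...'
    Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
    # Re-read the setting so the caller gets the actual tenant state, not the intent.
    return (Get-OrganizationConfig).OAuth2ClientProfileEnabled
}

# --- Client side: Office 2013 (15.0) registry values (assumed path) ---
# Office 2013 only prefers Modern Authentication (ADAL) when both EnableADAL=1
# and Version=1 exist under the user's Identity key.
$Office2013IdentityKey = 'HKCU:\SOFTWARE\Microsoft\Office\15.0\Common\Identity'

function Test-Office2013ModernAuth {
    param([string]$Key = $Office2013IdentityKey)
    $required = @{ EnableADAL = 1; Version = 1 }
    # Collect value names that are missing or differ from the expected DWORD 1.
    $missing = foreach ($name in $required.Keys) {
        $current = (Get-ItemProperty -Path $Key -Name $name -ErrorAction SilentlyContinue).$name
        if ($current -ne $required[$name]) { $name }
    }
    if ($missing) { Write-Host "Missing or incorrect: $($missing -join ', ')" }
    return -not $missing
}

function Enable-Office2013ModernAuth {
    param([string]$Key = $Office2013IdentityKey)
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name EnableADAL -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $Key -Name Version    -PropertyType DWord -Value 1 -Force | Out-Null
    # Outlook reads these values at startup, so it must be restarted afterwards.
    return Test-Office2013ModernAuth -Key $Key
}

# Usage: the tenant part once per tenant, the client part on each Office 2013 machine.
Enable-ExoModernAuth | Out-Null
if (-not (Test-Office2013ModernAuth)) { Enable-Office2013ModernAuth | Out-Null }
```

The Test- function is deliberately separate from the Enable- function so it can be run read-only from a logon script or audit job to report which clients are still falling back to basic authentication.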
Some Things To Watch Out For
It is important to understand how the token refresh works with Modern Authentication. While the article “Session Timeouts for Office 365” provides a decent overview of the token process, some details are missing. The article “Frequently Asked Questions about Modern Authentication in Office 2013” provides some important details, such as:
- The refresh token may be valid up to 90 days
- A user that acquired a refresh token on the corporate network and then goes off-network will maintain a valid refresh token
- Federated password changes do not invalidate the refresh token
- MFA prompts will not reoccur on a device until the refresh token is invalid
So in the current implementation, it doesn’t look like MFA prompts and token refresh are as controllable as people might expect. As with any Office 365 feature, wait a bit and it will improve…
Did you find this article helpful?
Leave a comment below or follow me on Twitter (@JoePalarchio) for additional posts and information on Office 365.
Great article!!
I have enabled Modern Authentication via PowerShell and the registry for the Outlook 2013 client.
My setup is AD FS (Windows 2012 R2), Exchange 2010 SP3 CU13 on-prem hybrid deployment with O365 and public folders on-prem, and Skype for Business on-prem. After I enabled Modern Authentication, it provides seamless sign-on to Outlook and O365, but I see it still asking for a password. I checked the Outlook connection status and it is trying to connect to my on-prem Exchange 2010. After some troubleshooting, I noticed it asked for credentials because it is trying to access the on-prem public folder. If I don’t put in credentials, email and everything else works, but I cannot expand the public folder.
It looks like Modern Authentication won’t work if the user is trying to access a public folder on-prem and it is on Exchange 2010.
Regards,
Dean
Dean-
If you enter credentials and save them for the on-prem PF prompt, does Outlook stop asking for credentials?
Thanks for the feedback.
Joe
I do not want the single sign-on for my personal computer. Please show how to get rid of it once and for all!