Exchange Online – Modern Authentication and Conditional Access Updates


We’re constantly improving the security of Office 365 products and services. Modern Authentication and Conditional Access are two of the best ways to ensure that your clients can take advantage of authentication features such as multi-factor authentication (MFA) and third-party SAML identity providers, and that access to your cloud apps is governed by automated, condition-based access control decisions.

Firstly, here’s some news about Modern Authentication. As you might already know, all new Office 365 tenants created on or after August 1, 2017 have Modern Authentication enabled by default in Exchange Online for all clients.

Today, we’re announcing that Modern Authentication will soon be enabled for the Windows Outlook client and the Skype for Business client in all managed (non-federated) tenants that were created before August 1, 2017. Those tenants already have Modern Authentication enabled for Outlook mobile, Outlook for Mac and Outlook on the Web, so there are no changes to any of those clients.

What does it mean to be a ‘managed tenant’?

If you use Password Hash Sync, Pass-Through Authentication, or you create, manage and authenticate your user identities directly in the cloud, your tenant is considered a ‘managed tenant’ – and this change affects you.

If you still create, manage and authenticate your identities in your on-premises Active Directory, and you use AD FS or another third-party IdP to authenticate your users, your tenant will not be affected by this change.
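If you want to confirm where your tenant stands before the rollout reaches it, the following PowerShell is an added example (not part of the original post) that reads the Exchange Online Modern Authentication switch and lists whether each verified domain is managed or federated. It assumes the ExchangeOnlineManagement and MSOnline modules are installed and that you hold an Exchange admin or Global Reader role; the admin account name is a placeholder.

```powershell
# Added example, not from the original post. Checks (1) whether Modern Authentication
# (OAuth 2.0 for Outlook / Skype for Business) is already enabled in Exchange Online and
# (2) whether the tenant's verified domains are managed or federated.
# Assumes: ExchangeOnlineManagement and MSOnline modules; the UPN below is a placeholder.

Connect-ExchangeOnline -UserPrincipalName admin@contoso.onmicrosoft.com
Connect-MsolService

# 1. Tenant-level Modern Auth switch for Exchange Online.
$orgConfig = Get-OrganizationConfig
if ($orgConfig.OAuth2ClientProfileEnabled) {
    Write-Host "Modern Authentication is ENABLED for Exchange Online."
} else {
    Write-Host "Modern Authentication is DISABLED; Outlook/SfB will keep using Basic Auth until it is enabled."
    # To enable it yourself rather than waiting for the rollout, run:
    # Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
}

# 2. Domain authentication type. Managed = cloud-only, Password Hash Sync or Pass-Through
#    Authentication; Federated = AD FS or another third-party IdP.
$domains = Get-MsolDomain |
    Where-Object { $_.Status -eq 'Verified' } |
    Select-Object Name, Authentication

$domains | Format-Table -AutoSize

# A tenant with any federated domain is treated as federated and is not in scope
# for this rollout (see the Exchange Team's reply in the comments below).
if ($domains.Authentication -contains 'Federated') {
    Write-Host "Tenant contains federated domain(s): the Outlook/SfB Modern Auth change does not apply yet."
} else {
    Write-Host "All verified domains are managed: this tenant is in scope for the rollout."
}
```

The MSOnline module is the one of this post's era; on a current tenant the same domain information comes from `Get-MgDomain`, whose `AuthenticationType` property carries the Managed/Federated value.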

Will my user experience be different?

This change affects the dialog users will see when requesting their credentials.

They used to see the following prompt (the exact dialog depends upon the OS of the client, but this should be similar enough to help you identify it):

[Image MApost1: the previous credential prompt (Basic Authentication)]

Now they will see the following prompt:

[Image MApost2: the new Modern Authentication sign-in prompt]

How does this change authentication?

From the user’s perspective, it’s just a dialog change. From a security perspective, the client is now using OAuth (not Basic Auth) to authenticate.

What’s better about that? Why do I care?

Switching to Modern Authentication (even when it is used only with a username and password) is more secure than Basic Auth. With Basic Auth the client sends the username and password to Exchange Online on every request and typically caches them on the device. With Modern Authentication the password is presented only to the identity provider; the client then holds short-lived, scoped OAuth tokens instead of the password, so the credentials are not stored on the client device and are not exposed to capture and re-use on every mail request. Tokens are still bearer credentials and can be replayed if stolen until they expire, which is one reason to pair Modern Authentication with Conditional Access. The flow also ensures users re-authenticate when something about their connection or state changes, and it makes adding MFA simple.

What do I need to do as an Admin?

Nothing. Nothing at all, well except perhaps one thing: help your users understand that this new dialog means their connection to Office 365 is even more secure than it was before. Feel free to take the credit for that; tell them you changed it to increase their security; we don’t mind.

The next thing to do is to start thinking about enabling MFA and Conditional Access, to make those connections even more secure. Here’s a great place to start finding out more.

Speaking of Conditional Access, that leads us to the next thing we wanted to announce: we’re making some changes there too, specifically related to Exchange ActiveSync (EAS).

We’re making a change to ensure that EAS connections will be evaluated against previously unsupported conditions within Conditional Access (CA).

As you might know, many conditions that are available in CA policies have not been supported for EAS. These include country, named locations, sign-in risk, and device platform. Currently, if you include any of these conditions in a policy that targets EAS, the condition is ignored and the policy’s controls are applied to all EAS traffic regardless. For example, a policy requiring a compliant device when outside the corporate network would apply to EAS from every location (independent of the user’s location).

The screenshot below shows how an admin enables the client app condition that targets a CA policy at EAS clients.

[Image MApost3: the Conditional Access client apps condition with Exchange ActiveSync selected]

The change we have made ensures that a CA policy applied to EAS correctly honors the conditions configured on it. You may see cases where EAS begins to work where it was previously blocked. So, if you have CA policies today that block EAS traffic only because one of their conditions was unsupported (and therefore ignored), we advise you to inspect those policies and remove the conditions you were relying on being ignored.

For example, suppose you previously configured the following policy: “Block all EAS traffic from French Guyana”. Today all EAS traffic is blocked. If you are relying on a rule like that to block all EAS traffic, you need to re-think your strategy.

With the change we are making, only the EAS traffic from French Guyana will be blocked. We’re sure you will find this behavior more logical, but we wanted to make sure you were aware of the change.

So, it’s worth checking your existing CA policies to make sure you don’t have rules that might be affected by this change.
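To make that check concrete, here is an added example (not part of the original post) that enumerates your Conditional Access policies and flags every policy targeting Exchange ActiveSync that also carries a location, device platform or sign-in risk condition, i.e. the conditions that switch from "ignored" to "evaluated" with this change. It assumes the Microsoft.Graph PowerShell module (Microsoft.Graph.Identity.SignIns) and the Policy.Read.All permission; the property names are those of the Graph conditionalAccessPolicy resource.

```powershell
# Added example, not from the original post. Lists CA policies that target EAS and also
# use a location, device-platform or sign-in-risk condition, so you can decide whether
# each one still does what you intended once those conditions are honored.
# Assumes: Microsoft.Graph PowerShell module, Policy.Read.All consent.

Connect-MgGraph -Scopes 'Policy.Read.All'

$policies = Get-MgIdentityConditionalAccessPolicy -All

$affected = foreach ($p in $policies) {
    $c = $p.Conditions
    $clientApps = @($c.ClientAppTypes)

    # Only policies that reach EAS matter: explicit 'exchangeActiveSync' or the 'all' wildcard.
    if (-not ($clientApps -contains 'exchangeActiveSync' -or $clientApps -contains 'all')) { continue }

    $flags = @()
    if (@($c.Locations.IncludeLocations).Count -gt 0 -or @($c.Locations.ExcludeLocations).Count -gt 0) { $flags += 'location' }
    if (@($c.Platforms.IncludePlatforms).Count -gt 0 -or @($c.Platforms.ExcludePlatforms).Count -gt 0) { $flags += 'devicePlatform' }
    if (@($c.SignInRiskLevels).Count -gt 0) { $flags += 'signInRisk' }

    if ($flags.Count -gt 0) {
        [pscustomobject]@{
            DisplayName   = $p.DisplayName
            State         = $p.State      # enabled / disabled / enabledForReportingButNotEnforced
            ClientApps    = $clientApps -join ','
            Conditions    = $flags -join ','
            GrantControls = @($p.GrantControls.BuiltInControls) -join ','
        }
    }
}

if ($affected) {
    Write-Host "EAS policies whose conditions move from 'ignored' to 'evaluated':"
    $affected | Format-Table -AutoSize
} else {
    Write-Host "No EAS-targeted policies use location, platform or sign-in risk conditions."
}
```

For a rule like the "Block all EAS traffic from French Guyana" example above, the script lists that policy with Conditions = location and GrantControls = block; if your intent was to block all EAS, remove the location condition from the policy so the block no longer depends on it.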

Other than this, we don’t expect any other change in behavior: EAS clients should still receive quarantine email when they don’t meet the CA policy requirements; otherwise they will get email access just as they do today.

We really do treat the security of our service and the protection of your data as our primary concern.

Please leave any comments or feedback, and thanks for reading!

The Exchange Team

Comments (24)

  1. Is this an April Fool’s joke, or was this announcement just made on an unfortunate date?

    1. Oh it’s for real, just unfortunate timing, but we wanted to get the message out asap.

      1. Greg, how do we not know that your comment isn’t also part of the April Fool’s gag?

  2. Does the EAS change go into effect immediately? Or is it rolling out? What’s the time frame?

    1. It’s slowly rolling out now.

      1. John.me says:

        What indicators will we have to know this change has rolled out to our tenant?

  3. StuBeck says:

    We’ve had a ton of issues with needing to reinstall Office or reconnect users to Azure Ad based on a recent change to modern authentication. What changed in the last six weeks to make this change as seamless as you’re saying it will be?

    1. Did you raise a support incident for the issues? You should if not, we’re not aware of anything in particular that might explain the issues you describe.

    2. Hi StuBeck,

      We saw an issue when we turned on Modern Auth for an older tenant where a very small set of users received a login prompt which was caused by the account logged into Office ProPlus (via the File > Office Account tab). It was only a few users but we just had to remove their creds from Credential Manager and have them log back in. Then the prompts were resolved.

  4. wdlemons says:

    Will on premises mailboxes in hybrid environments be able to take advantage of this?

    1. This doesn’t apply to on-premises mailboxes, only those in Exchange Online.

  5. DannyMurphy says:

    Is it only for Office 365 installs of Outlook or will Outlook 2016 MSI versions also be able to utilise this?

    1. Outlook 2016 MSI/Perpetual supports MA, so it will work for that client too.

  6. Our tenant has approx. 30 different domains associated with it. Some of the domains are Managed (Password Hash Sync or Cloud Only identities which authenticate directly in the cloud) and others are Federated and authenticate against an on-premises AD using ADFS. So – we have a foot in each camp……how will this change affect us?

    1. If you have multiple domains, some managed, some federated, we’ll treat your tenant as federated. No changes will take place at this time.

  7. DK_ITeam01 says:

    What does this mean for Outlook 2010 clients which while still possibly not supported still work with O365?

    1. There’s no impact to Outlook 2010, as it can’t trigger the Modern Auth flow.

  8. hdnicholas says:

    In order for the update for EAS in Conditional Access, does the tenant have to be managed, or does this change take effect in a federated environment as well?

    1. The EAS change will happen for all tenants, managed auth or federated.

  9. Jon Hal says:

    How do I opt out, prevent or delay this change from happening? I do not want modern authentication enabled on my tenant.

    1. Jon Hal says:

      We have multi factor authentication enabled and app passwords deployed to about 500 devices (Outlook 2016 and iOS mail). Enabling modern authentication for the tenant is going break all of our devices. I need a way to roll this out gradually without disrupting our users.

  10. Anthonynz says:

    So this means all users will suffer the awful “Use this account everywhere on your device” additional prompt when they log in. Can we suppress this and set it to Never?

  11. My tech support rep says that EAS conditional policies that check against device compliance are not supported.

    For example, a policy that blocks EAS except on compliant devices. Is this true, and will this change with this rollout?
