Outlook For Mac Enable New Adal For Exchange Online Tenan

Office 2016 for Mac Update & EXO Authentication Problems – Enable EXO Tenant for ADAL. Posted on June 6, 2016 Updated on June 6, 2016. If you are using Office 2016 for Mac and recently started seeing multiple authentication prompts, you may be using a new ADAL (Active Directory Authentication Library) and your Exchange Online tenant may not be enabled, thus causing authentication problems.1. Before setting up 2FA for Office 365 users, make sure you enable Modern Authentication (MA) for Exchange Online if users are accessing Exchange using Outlook 2016 or 2013.

With single sign-on deployments, a connection between an Outlook client and Exchange Online requires authentication with ADFS (Active Directory Federation Services) or third-party ID providers. However, there are scenarios where the authentication process with ADFS or ID providers can be skipped with the help of caches for a certain amount of time after a successful authentication.

We will explain how authentication cache works in two different scenarios; Basic authentication and Modern authentication.

Basic authentication

Exchange Online caches a successful authentication for up to 24 hours. However, these caches may be deleted sooner depending on the server-side spare capacity. It is also difficult to say exactly how long Outlook can use the cache in each case because multiple factors have to be taken into account, but it usually varies from a few hours to 24 hours.

As mentioned before, when the client is allowed to use the cache, the authentication process with ADFS or ID providers is skipped. Therefore, for example, a newly added claim rule in ADFS won't be applied to the client as long as the authentication in ADFS is skipped with the help of caches.

Here is a simplified diagram of single sign-on basic authentication. It focuses on the process where Exchange Online receives the client request, and then requests a security token.

Modern authentication

With modern authentication, tokens are provided to the client side after a successful authentication. While these tokens are valid, the authentication process with ADFS or ID providers can be skipped.
For details on token lifetimes, please refer to the article below.

Title: Session timeouts for Office 365
URL: https://support.office.com/en-us/article/37a5c116-5b07-4f70-8333-5b86fd2c3c40

Modern authentication uses access tokens and refresh tokens to grant uses access to Office 365 resources using Azure Active Directory. An access token is a JSON Web Token provided after a successful authentication and is valid for 1 hour. A refresh token with a longer lifetime is also provided. When access tokens expire, Office clients use a valid refresh token to obtain a new access token. This exchange succeeds if the user’s initial authentication is still valid.

Refresh tokens are valid for 14 days, and with continuous use, they can be valid up to 90 days. After 90 days, users will be asked to re-authenticate.

Refresh tokens can be invalidated by several events such as :
- User’s password has changed since the refresh token was issued.
- An administrator can apply conditional access policies which restrict access to the resource the user is trying to access.

When you install ShareConnect on your Mac, the installation package (including applications and plugins) will be downloaded onto your computer. By leaving the applications installed and the plugin enabled, you can avoid the extended download process if you need to install ShareConnect once more on your Mac. ShareConnect brings your desktop to your fingertips; your files and apps are optimized for your iOS mobile device, so you can remotely access your work in a whole new way. You get instant file access, and your desktop applications feel like they were made for your iPad. After you’ve downloaded ShareConnect on your iOS mobile device, you also must install ShareConnect on your PC (Windows 7 or Windows 8) to use the service. Once you complete the registration on your iOS mobile device, you’ll receive an email verification and instructions on how to download and install ShareConnect on your computer. After you’ve downloaded ShareConnect on your device, you must also install ShareConnect on your PC (Windows 7 or later) or Mac (OS 10.8 or later) to use the service. Once you complete the registration on your device, you’ll receive an email verification and instructions on how to download and install ShareConnect on your computer. ShareConnect Connector - For accounts that have ShareFile connectors enabled, use ShareConnect to access the local files of your computer directly via the ShareFile web app or mobile app. Host Computer Types There are multiple types of host computers that can be set up for remote access.

Session lifetimes with modern authentication are dependent on the validity of access tokens and refresh tokens, and the caches on the Exchange Online side do not affect the duration.

Here's a diagram of modern authentication. This is simplified and the prior authentication process is left out for a comparison purpose. It focuses on the process of the client requesting and receiving the token.

Editor’s note 08/01/2017:
This post was updated to reflect that modern authentication is now on by default for Exchange Online and Skype for Business Online.

Editor’s note 05/18/2016:
This post was updated to reflect that modern authentication has moved from public preview to general availability.

Editor’s note 04/18/2016:
The chart was updated to show the availability of modern authentication for Outlook on Mac OS X.

Editor’s note 12/17/2015:
The chart was updated to show the availability of modern authentication for iOS and Android.

Original post:
Today’s post was written by Paul Andrew, technical product manager for Identity Management on the Office 365 team.

We’re constantly expanding the range of Office 365 products and services that support Modern Authentication. As we continue to enable enhanced identity scenarios, you can keep track of our progress below. Here’s a summary of the updates:

• Modern authentication in the Office 2013 Windows client and in the Office 2016 Windows client are complete and at GA.
• All users of Office 365 modern authentication can now get production support through regular Microsoft support channels.
• Use of Office 365 modern authentication is now on by default for Office 2016.
• As of August 1, 2017, for all newly created Office 365 tenants, use of modern authentication is now on by default for Exchange Online and Skype for Business Online.
• An updated table of client software compatibility is now available.

What is modern authentication?

Modern authentication brings Active Directory Authentication Library (ADAL)-based sign-in to Office client apps across platforms. This enables sign-in features such as Multi-Factor Authentication (MFA), SAML-based third-party Identity Providers with Office client applications, smart card and certificate-based authentication, and it removes the need for Outlook to use the basic authentication protocol. The chart below shows the availability of modern authentication across Office applications.

*Not recommended for split domain configuration that includes both Skype for Business Online and Skype for Business Server.

Getting started with modern authentication

To use Office 365 modern authentication follow these steps:

1. If you are using Active Directory Federation Services (ADFS), then first review the caveats with modern authentication published here.
2. Use PowerShell to enable your Exchange Online service for modern authentication as described here and Skype for Business Online as described here. SharePoint Online is already enabled.
3. Enable any Office 2013 users to use modern authentication as described here. Office 2016 and most other Office client software is already enabled as shown in the table below. Details about setting up Office clients is described here.

Also note that to use modern authentication with Office 2013 you will need the March 2015 update patch described here.

For Office 365 administrators, we have documentation on enabling MFA here.

For Office 365 users, we have documentation on using MFA here.

Frequently asked questions

Q. Is modern authentication enabled by default?

A. In order to support the various methods of authentication chosen by organizations around the world, we have production support for these features but only enable by default in certain circumstances. Modern authentication is enabled by default on Office 2016 clients and other clients as described in the article. It is also enabled by default for Exchange Online and Skype for Business Online, for all newly created Office 365 tenants.

Q. I applied to the preview program; do I need to do anything else to use Office 365 modern authentication?

A. If you applied before November 17, 2015, refer to this article to verify that your tenant was enabled. On or after November 17, 2015, use instructions from the article to enable your tenant.

Q. What if I was previously accepted into the TAP, private preview or public preview for modern authentication?

A. No action is needed from you. You can verify your tenant state for Exchange Online by using the instructions here and Skype for Business Online as described here.

Q. How do Office 2013 and Office 2016 use modern authentication?

A. Read aka.ms/ModernAuthClients for more details.

Q. Does Office 365 modern authentication require any specific Office 365 SKUs?

A. No. Any Office 365 SKU can use modern authentication.

Q. What is required for to use a third-party identity provider with ADAL-based authentication?

A. The third-party identity provider should be tested and qualified for use with ADAL with the Azure Active Directory federation compatibility list. There is an updated test tool for testing ADAL with identity providers available at testconnectivity.microsoft.com. Select Install Now towards the bottom of the page. Once the Microsoft Connectivity Analyzer Tool is downloaded and running, select the test called: I can’t set up federation with Office 365, Azure or other services that use Azure Active Directory.

Q. What Office 2013 Windows clients are included in the update?

A. Word 2013, Excel 2013, PowerPoint 2013, Lync 2013, Outlook 2013, Publisher 2013, Visio 2013, Access 2013, Project 2013 and OneDrive for Business Sync Client.

Q. What is ADAL?

A. ADAL is the Active Directory Authentication Library that is used in Office 365 modern authentication. Details about ADAL are available here.

Q. Can I use modern authentication with PowerShell?

A. Azure AD PowerShell has support for modern authentication in public preview as described on the Active Directory Team Blog. SharePoint Online Management Shell has support for modern authentication available from here.