Enable Microsoft 365 Modern Authentication

Unify authentication

The outdated basic authentication is being replaced by modern authentication.

Modern authentication is based on OAuth and comes with multifactor authentication.

Modern authentication is also a prerequisite for Conditional Access, which can be used to set the conditions under which a user with a defined client can access the O365 services.

Basic authentication

When using basic authentication, the user name and password are transmitted via HTTP for each request and sent to other services. This method is susceptible to brute force attacks.

Modern authentication

The modern authentication method is based on OAuth 2.0 and is token-based. It relies on the Active Directory Authentication Library (ADAL). OAuth 2.0 is used as the connection protocol and ADAL for authentication.

With token-based authentication, the user no longer has to enter a user name and password constantly. As soon as a user has received the token, they can access a specific resource for a specific time.

In the administration center, modern authentication is activated at this point:

[Screenshot: O365 Modern Authentication Admin Center]

Switch on modern authentication for Exchange Online via PowerShell

# Connect to and disconnect from Exchange Online
Import-Module ExchangeOnlineManagement; Get-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName "ndsedv@joernwalter.onmicrosoft.com"
Disconnect-ExchangeOnline -Confirm:$false

# Check whether modern authentication for Exchange Online is switched on
(Get-OrganizationConfig).OAuth2ClientProfileEnabled
Get-OrganizationConfig | Format-Table Name, OAuth* -AutoSize

# Activate modern authentication for Exchange Online
Set-OrganizationConfig -OAuth2ClientProfileEnabled:$true

# Switch off modern authentication for Exchange Online
Set-OrganizationConfig -OAuth2ClientProfileEnabled:$false

Activate modern authentication for Skype for Business via PowerShell

# Download Skype PowerShell modules
https://download.microsoft.com/download/1/9/F/19F59998-D298-49F1-90FC-D916739A5C1F/SkypeOnlinePowerShell.exe

# Switch on modern authentication for Skype for Business
Import-Module SkypeOnlineConnector
$skypeSession = New-CsOnlineSession
Import-PSSession $skypeSession
Get-CsOAuthConfiguration
Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed
Remove-PSSession $skypeSession

Check modern authentication for SharePoint and disable legacy authentication

# Activate modern authentication for SharePoint
Connect-SPOService -Url https://joernwalter-admin.sharepoint.com -Credential ndsedv@joernwalter.onmicrosoft.com
Get-SPOTenant
Set-SPOTenant -LegacyAuthProtocolsEnabled $false
Set-SPOTenant -OfficeClientADALDisabled $false

Force modern authentication for Outlook 2013/2016/2019/365

# Is active by default for Outlook 2016/2019/365 but you can also force it
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Exchange]
"AlwaysUseMSOAuthForAutoDiscover"=dword:00000001

# For Outlook 2013 the following entry has to be added
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Common\Identity]
"Version"=dword:00000001
"EnableADAL"=dword:00000001
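
To verify that the registry values above are actually in place for a user, a read-only check like the following can be run in that user's context. This is an added example, not part of the original post; the function name Test-OutlookModernAuthRegistry and the state labels are hypothetical.

```powershell
# Added example: read-only audit of the per-user Outlook registry values
# listed on this page. Nothing is written to the registry.

# Baseline taken from the two .reg snippets above
$expected = @(
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Exchange'
       Name = 'AlwaysUseMSOAuthForAutoDiscover'; Value = 1 }
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Office\15.0\Common\Identity'
       Name = 'Version'; Value = 1 }
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Office\15.0\Common\Identity'
       Name = 'EnableADAL'; Value = 1 }
)

function Test-OutlookModernAuthRegistry {   # hypothetical helper name
    param([Parameter(Mandatory)] [hashtable[]] $Baseline)

    foreach ($item in $Baseline) {
        # A missing key and a missing value both yield $null instead of an error
        $prop = Get-ItemProperty -Path $item.Path -Name $item.Name -ErrorAction SilentlyContinue
        $actual = if ($prop) { $prop.($item.Name) } else { $null }

        # NotSet   = value absent (relevant for Outlook 2013, which needs the entries)
        # Mismatch = value present but different from the baseline
        $state = if ($null -eq $actual) { 'NotSet' } elseif ($actual -eq $item.Value) { 'OK' } else { 'Mismatch' }

        [pscustomobject]@{
            Path     = $item.Path
            Name     = $item.Name
            Expected = $item.Value
            Actual   = $actual
            State    = $state
        }
    }
}

Test-OutlookModernAuthRegistry -Baseline $expected | Format-Table -AutoSize
```

The function returns objects, so the result can also be filtered (for example on State) or exported instead of being formatted as a table.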

Optional:

If the following message appears when importing a module, it can be suppressed by calling Import-Module with the -DisableNameChecking parameter.

WARNING: The names of some imported commands from the module 'todo' include unapproved verbs that might make them less discoverable. To find the commands with unapproved verbs, run the Import-Module command again with the Verbose parameter. For a list of approved verbs, type Get-Verb.