For Office desktop clients such as Outlook and Skype for Business to support MFA via federated authentication, your Office 365 tenant must be configured to support modern authentication.

However, not all Office desktop clients support modern authentication. Generally speaking, Office 2013 and later desktop clients (including Outlook and Skype for Business) support modern authentication. Check the link below for the list of Office clients that support modern authentication:

https://social.technet.microsoft.com/wiki/contents/articles/32211.modern-authentication-behavior-across-office-2013-and-office-2016.aspx

Enable Exchange Online for modern authentication

  1. Connect to Exchange Online PowerShell as shown below

    1. On your local computer, open Windows PowerShell and run the following command.

      $UserCredential = Get-Credential
      

      In the Windows PowerShell Credential Request dialog box, type your work or school account and password, and then click OK.


    2. Run the following command.

      $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection


    3. Run the following command.

      Import-PSSession $Session

  2. Run the following command in Exchange Online PowerShell:

    Set-OrganizationConfig -OAuth2ClientProfileEnabled $true


  3. To verify that the change was successful, run the following command in Exchange Online PowerShell:

    Get-OrganizationConfig | Format-Table -Auto Name,OAuth*

Enable Skype for Business Online for modern authentication

  1. Connect to Skype for Business Online using remote PowerShell as shown below

    1. If you have not installed the Skype for Business PowerShell Module, click the link to install it on your PC.
    2. Open Windows PowerShell as an administrator (use Run as administrator) on any machine that has an Internet connection.

    3. Run the command below, and enter your Office 365 admin account credentials.

      $credential = Get-Credential

    4. Run the script below to import the Skype for Business PowerShell Module:

      Import-Module SkypeOnlineConnector


    5. Run the command below to create a new session

      $session = New-CsOnlineSession -Credential $credential -Verbose


    6. Finally, import the new session into the Windows PowerShell console. 

      Import-PSSession $session

  2. Run the following command to enable modern authentication:

    Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed

  3. Verify that the change was successful by running the following:

    Get-CsOAuthConfiguration


    Note: To disable modern authentication, run the following command: Set-CsOAuthConfiguration -ClientAdalAuthOverride NoOverride
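
The two verification steps above (for Exchange Online and for Skype for Business Online) can be combined into a single check. The script below is an added example, not part of the original page or of Microsoft's tooling. It assumes both remote sessions from the procedures above are already imported into the same console, and Test-ModernAuthState is a hypothetical helper name.

```powershell
# Added example: report the modern-authentication state of both services.
# Assumption: the Exchange Online and Skype for Business Online sessions
# have been imported with Import-PSSession as described above.
# Test-ModernAuthState is a hypothetical helper, not a Microsoft cmdlet.
function Test-ModernAuthState {
    $checks = @(
        @{ Service  = 'Exchange Online'
           Cmdlet   = 'Get-OrganizationConfig'
           Property = 'OAuth2ClientProfileEnabled'
           Expected = 'True' },
        @{ Service  = 'Skype for Business Online'
           Cmdlet   = 'Get-CsOAuthConfiguration'
           Property = 'ClientAdalAuthOverride'
           Expected = 'Allowed' }
    )

    foreach ($check in $checks) {
        $actual = $null
        # The cmdlet only exists once that service's session is imported.
        if (-not (Get-Command $check.Cmdlet -ErrorAction SilentlyContinue)) {
            $status = 'SessionNotImported'
        }
        else {
            try {
                $config = & $check.Cmdlet -ErrorAction Stop
                $actual = [string]$config.($check.Property)
                $status = if ($actual -eq $check.Expected) { 'Enabled' } else { 'NotEnabled' }
            }
            catch {
                $status = "QueryFailed: $($_.Exception.Message)"
            }
        }

        [pscustomobject]@{
            Service  = $check.Service
            Setting  = $check.Property
            Expected = $check.Expected
            Actual   = $actual
            Status   = $status
        }
    }
}

$results = Test-ModernAuthState
$results | Format-Table -AutoSize

# Warn on any service that is not confirmed as enabled.
$results | Where-Object { $_.Status -ne 'Enabled' } |
    ForEach-Object { Write-Warning "$($_.Service): $($_.Setting) is $($_.Status)" }
```

A status of NotEnabled for Skype for Business Online corresponds to the NoOverride value mentioned in the note above.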

Enhanced Clients

Client applications that do not support modern authentication are called Enhanced Clients. Unfortunately, you cannot protect Enhanced Clients with MFA.

To allow users to continue using Enhanced Client applications, you need to bind an Enhanced Client logon procedure to the Office 365 application in your DualShield server. Thereafter, users of Enhanced Client applications will continue to be authenticated by their username and password only. Check the details in Logon Procedures for Office 365 MFA.
