Editor’s note 5/20/2016:
Office 365 modern authentication has now moved from public preview to general availability. Learn more about application and service support here.
Editor’s note 6/12/2015:
We’ve removed the previous issue with modern authentication and Azure Rights Management Service, and we’ve updated the chart to show the recent availability of Outlook on iOS and Android as available now. Also, as of 6/18, the list of limitations now shows how they are resolved.
Today’s post was written by Paul Andrew, technical product manager for Identity Management on the Office 365 team.
Today we are pleased to announce that Office 2013 client modern authentication features have moved from private preview to public preview. This means the program is easier to join and production support is included for participants. Modern authentication brings Active Directory Authentication Library (ADAL)-based sign in to Office 2013 Windows clients. Previously, this was only available as a private preview for testing. Now modern authentication is available to any customer running the March 2015 or later update for Office 2013. It will continue to be off by default in the client, but can be enabled on Windows machines by participants in the public preview.
Modern authentication for Office 2013 Windows client.
Office 2013 client applications sign in to the Office 365 service to gain access to Exchange Online email, to access files on SharePoint Online, to connect to Skype for Business Online (formerly Lync Online), and to activate the Office client license. This update enables IT administrators to configure new security scenarios for sign in with Office 365.
Here are some scenarios that are enabled, which are described in more detail in the previous post about ADAL-based authentication:
- Multi-factor authentication (MFA) for Office 2013 client applications.
- SAML-based third-party identity provider sign in.
- Smart card and certificate-based authentication.
- Outlook no longer requiring the basic authentication protocol.
There are still some limitations where the public preview does not yet contain all the functionality that we plan to include. For each of these limitations, we have details of what doesn’t work as expected and how to work around it in the TechNet Article, Office 2013 and Office 365 ProPlus modern authentication: Things to know before onboarding. Please review these details before joining the preview.
- AD-FS Client Access Filtering Policies—We’re still working on this.
- Skype for Business (formerly Lync) client is not MFA enabled—We’re still working on this.
- External Sharing in SharePoint Online—Fixed in the service, so you just need the March 2015 product update for Office 365 ProPlus.
- Multiple mismatched tenants connected from Outlook—Fixed in the April 2015 product update for Office 365 ProPlus.
- Smart card as primary sign in needs additional configuration—Fixed in the April 2015 product update for Office 365 ProPlus.
- Use of Azure Rights Management Service—Fixed in the June 2015 product update for Office 365 ProPlus.
The public preview works with all Microsoft identity integration models including the cloud-based identity model, the synchronized identity model, and the federated identity model with AD FS. You can read about these identity models on a previous post here.
Join the program now
The preview involves a change to your Office 365 tenant and a change to each Windows machine that Office 2013 runs on.
To join the public preview program, follow these steps:
- Sign up for the public preview on Microsoft Connect here.
- Wait to hear back while your tenant is enabled.
- Apply the registry setting to enable modern authentication on your Windows client machines. Details about these updates are published here.
To exit the public preview program, follow these steps:
- Remove the registry setting to disable modern authentication on your Windows client machines. Details about these updates are published here.
- Users can sign in as before with the Microsoft Online Sign-In Assistant.
- You do not need to have modern authentication disabled in your tenant.
The public preview update for Office 2013 clients includes Office 2013 and Office 365 ProPlus. Office 2013 requires the March 2015 update patch that is described here.
For Office 365 administrators, we have documentation on enabling MFA here.
For Office 365 users, we have documentation on using MFA here.
Modern authentication on other platforms
Modern authentication on an iPad.
The following chart shows the availability of other Office client applications with modern authentication (ADAL):
| Office client app | Windows | Mac OS X | Windows Phone | iOS | Android |
|---|---|---|---|---|---|
| Office clients | Office 2013 public preview is available now. ADAL will also be included in Office 2016. | Office 2016 Mac Preview supports ADAL including Word, Excel, PowerPoint, and OneNote. OneNote was released with ADAL in 2014. | Coming soon | Word, Excel, and PowerPoint are available now. | For Android Phone: Word, Excel, and PowerPoint are available now. For Android Tablet: Word, Excel, and PowerPoint are coming soon. |
| Skype for Business (formerly Lync) | Included in Office client. | TBD | Coming soon | Coming soon | Coming soon |
| Outlook | Included in Office client. | Outlook uses ADAL for licensing but not yet for mailbox access. | Coming soon | Available now | Available now |
| OneDrive for Business | Included in Office client. | OneDrive for Business sync is TBD. | Available now for Windows Phone 8.1. | OneDrive for Business is available now. | OneDrive for Business is available now. |
| Legacy clients | There are no plans for Office 2010 or Office 2007 to support ADAL-based authentication. | There are no plans for Office for Mac 2011 to support ADAL-based authentication. | There are no plans for Office on Windows Phone 7 to support ADAL-based authentication. | There are no plans to enable Outlook Web App (OWA) for iOS with ADAL. | There are no plans to enable OWA for Android with ADAL. |
—Paul Andrew, @pndrw
Frequently asked questions
Q. I applied to have my tenant enabled on the public preview. How will I know when my tenant will be enabled, and how long will this take?
A. We expect to turn around requests in two weeks. We are not able to respond to requests that contain invalid data. If you have not heard back after three or more weeks, contact your Microsoft account manager or contact the public preview program owners here.
Q. When will ADAL-based authentication be enabled by default and when will the limitations described above be completed?
A. These updates are planned to be released when testing has determined that they are at the quality and usability level that we require. As such we are not able to provide a specific release date.
Q. I am already in the private preview or the TAP program for this. Do I need to reapply?
A. If your tenant has ADAL enabled then you do not need to reapply. The private preview and TAP did not include support for production use and so many participants used test tenants. We do expect that most of our private preview and TAP participants will want to reapply with additional production tenants. You need to apply for each tenant that you want to get enabled and because of this we expect existing participants will need to complete the survey again.
Q. What is required to use a third-party identity provider with ADAL-based authentication?
A. The third-party identity provider should be tested and qualified for use with ADAL with the Works with Office 365–Identity program. Please look for ADAL testing in the list of tested identity providers at http://aka.ms/ssoproviders. There is an updated test tool available at testconnectivity.microsoft.com. Click the Client tab and select Install Now. Once the Microsoft Connectivity Analyzer Tool is downloaded and running, choose the test called “I can’t set up federation with Office 365, Azure, or other services that use Azure Active Directory.”
Q. What Office 2013 Windows clients are included in the update?
A. Word 2013, Excel 2013, PowerPoint 2013, Lync 2013, Outlook 2013, Publisher 2013, Visio 2013, Access 2013, Project 2013 and OneDrive for Business Sync Client.
Q. What is ADAL?
A. ADAL is the Active Directory Authentication Library. Details about ADAL are available here.