Enable modern authentication in Exchange Online

Modern authentication in Exchange Online enables authentication features like multi-factor authentication (MFA) using smart cards, certificate-based authentication (CBA), and third-party SAML identity providers. Modern authentication is based on the Active Directory Authentication Library (ADAL) and OAuth 2.0.

When you enable modern authentication in Exchange Online, Outlook 2013 or later clients use modern authentication to log in to Exchange Online mailboxes. For more information, see How modern authentication works for Office client apps.

When you disable modern authentication in Exchange Online, Outlook 2013 or later clients use basic authentication to log in to Exchange Online mailboxes. They don't use modern authentication.

Notes:

  • Modern authentication is enabled by default in Exchange Online, Skype for Business Online and SharePoint Online.

  • Enabling or disabling modern authentication in Exchange Online as described in this topic only affects modern authentication connections by Outlook 2013 or later clients.

  • Other email clients that support modern authentication (for example, Outlook Mobile, Outlook for Mac 2016, and Exchange ActiveSync in iOS 11 or later) always use modern authentication to log in to Exchange Online mailboxes, regardless of whether you enable or disable modern authentication for Outlook 2013 or later clients as described in this topic.

  • You should synchronize the state of modern authentication in Exchange Online with Skype for Business Online to prevent multiple login prompts in Skype for Business clients. For instructions, see Skype for Business Online: Enable your tenant for modern authentication.

Enable or disable modern authentication in Exchange Online for client connections in Outlook 2013 or later

  1. Connect to Exchange Online PowerShell.

  2. Do one of these steps:

    • Run this command to enable modern authentication connections (disable basic authentication connections) to Exchange Online by Outlook 2013 or later clients:

      Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
      
    • Run this command to prevent modern authentication connections (use basic authentication connections) to Exchange Online by Outlook 2013 or later clients:

      Set-OrganizationConfig -OAuth2ClientProfileEnabled $false
      
  3. To verify that the change was successful, run this command:

    Get-OrganizationConfig | Format-Table -Auto Name,OAuth*
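
The three steps above can be combined into one script that reads the current value, changes it only when it differs from the desired state, and re-reads it to confirm. This is an added example, not part of the original topic. It assumes step 1 is already done (an Exchange Online PowerShell session is connected), and the parameter name DesiredState is hypothetical.

```powershell
# Added example: idempotent set-and-verify for OAuth2ClientProfileEnabled.
# Assumption: an Exchange Online PowerShell session is already connected (step 1).
[CmdletBinding(SupportsShouldProcess)]
param(
    # Hypothetical parameter: $true enables modern authentication for
    # Outlook 2013 or later clients, $false disables it.
    [bool]$DesiredState = $true
)

$ErrorActionPreference = 'Stop'

# Fail early if the Exchange Online cmdlets are not available in this session.
foreach ($name in 'Get-OrganizationConfig', 'Set-OrganizationConfig') {
    if (-not (Get-Command -Name $name -ErrorAction SilentlyContinue)) {
        throw "$name not found. Connect to Exchange Online PowerShell first."
    }
}

# Record the current state so the change (or lack of one) is visible in the output.
$before = (Get-OrganizationConfig).OAuth2ClientProfileEnabled
Write-Verbose "Current OAuth2ClientProfileEnabled: $before"

if ($before -eq $DesiredState) {
    Write-Output "No change needed: OAuth2ClientProfileEnabled is already $before."
}
elseif ($PSCmdlet.ShouldProcess('Exchange Online organization',
        "Set OAuth2ClientProfileEnabled to $DesiredState")) {
    # Step 2: apply the setting.
    Set-OrganizationConfig -OAuth2ClientProfileEnabled $DesiredState

    # Step 3: re-read the value instead of trusting the absence of an error.
    $after = (Get-OrganizationConfig).OAuth2ClientProfileEnabled
    if ($after -ne $DesiredState) {
        throw "Verification failed: expected $DesiredState, found $after."
    }
    Write-Output "OAuth2ClientProfileEnabled changed from $before to $after."
}

# Same view as the verification command in step 3.
Get-OrganizationConfig | Format-Table -AutoSize Name, OAuth*
```

Running the script with -WhatIf reports the pending change without applying it, and -Verbose prints the value found before any change.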
    

See also

Using Office 365 modern authentication with Office clients