How modern authentication works for Office 2013 and Office 2016 client apps
Read this article to learn how Office 2013 and Office 2016 client apps use modern authentication features based on the authentication configuration on the Office 365 tenant for Exchange Online, SharePoint Online, and Skype for Business Online.
Availability of modern authentication for Office 365 services
For the Office 365 services, the default state of modern authentication is:
Turned on for Exchange Online by default. See Enable or disable modern authentication in Exchange Online to turn it off or on.
Turned on for SharePoint Online by default.
Turned on for Skype for Business Online by default. See Enable Skype for Business Online for modern authentication to turn it off or on.
Sign-in behavior of Office client apps
Office 2013 client apps support legacy authentication by default. Legacy means that they support either Microsoft Online Sign-in Assistant or basic authentication. In order for these clients to use modern authentication features, the Windows client has have registry keys set. For instructions, see Enable Modern Authentication for Office 2013 on Windows devices.
Read How to use Modern Authentication (ADAL) with Skype for Business to learn about how it works with Skype for Business.
Office 2016 clients support modern authentication by default, and no action is needed for the client to use these new flows. However, explicit action is needed to use legacy authentication.
Click the links below to see how Office 2013 and Office 2016 client authentication works with the Office 365 services depending on whether or not modern authentication is turned on.
Exchange Online
The following table describes the authentication behavior for Office 2013 or Office 2016 client apps when they connect to Exchange Online with or without modern authentication.
Office client app version | Registry key present? | Modern authentication on? | Authentication behavior with modern authentication turned on for the tenant (default) | Authentication behavior with modern authentication turned off for the tenant |
---|---|---|---|---|
Office 2016 |
No, or EnableADAL = 1 |
Yes |
Modern authentication is attempted first. If the server refuses a modern authentication connection, then basic authentication is used. Server refuses modern authentication when the tenant is not enabled. |
Modern authentication is attempted first. If the server refuses a modern authentication connection, then basic authentication is used. Server refuses modern authentication when the tenant is not enabled. |
Office 2016 |
Yes, EnableADAL = 1 |
Yes |
Modern authentication is attempted first. If the server refuses a modern authentication connection, then basic authentication is used. Server refuses modern authentication when the tenant is not enabled. |
Modern authentication is attempted first. If the server refuses a modern authentication connection, then basic authentication is used. Server refuses modern authentication when the tenant is not enabled. |
Office 2016 |
Yes, EnableADAL=0 |
No |
Basic authentication |
Basic authentication |
Office 2013 |
No |
No |
Basic authentication |
Basic authentication |
Office 2013 |
Yes, EnableADAL = 1 |
Yes |
Modern authentication is attempted first. If the server refuses a modern authentication connection, then basic authentication is used. Server refuses modern authentication when the tenant is not enabled. |
Modern authentication is attempted first. If the server refuses a modern authentication connection, then basic authentication is used. Server refuses modern authentication when the tenant is not enabled. |
SharePoint Online
The following table describes the authentication behavior for Office 2013 or Office 2016 client apps when they connect to SharePoint Online with or without modern authentication.
Office client app version | Registry key present? | Modern authentication on? | Authentication behavior with modern authentication turned on for the tenant (default) | Authentication behavior with modern authentication turned off for the tenant |
---|---|---|---|---|
Office 2016 |
No, or EnableADAL = 1 |
Yes |
Modern authentication only. |
Failure to connect. |
Office 2016 |
Yes, EnableADAL = 1 |
Yes |
Modern authentication only. |
Failure to connect. |
Office 2016 |
Yes, EnableADAL = 0 |
No |
Microsoft Online Sign-in Assistant only. |
Microsoft Online Sign-in Assistant only. |
Office 2013 |
No |
No |
Microsoft Online Sign-in Assistant only. |
Microsoft Online Sign-in Assistant only. |
Office 2013 |
Yes, EnableADAL = 1 |
Yes |
Modern authentication only. |
Failure to connect. |
Skype for Business Online
The following table describes the authentication behavior for Office 2013 or Office 2016 client apps when they connect to Skype for Business Online with or without modern authentication.
Office client app version | Registry key present? | Modern authentication on? | Authentication behavior with modern authentication turned on for the tenant | Authentication behavior with modern authentication turned off for the tenant (default) |
---|---|---|---|---|
Office 2016 |
No, or EnableADAL = 1 |
Yes |
Modern authentication is attempted first. If the server refuses a modern authentication connection, then Microsoft Online Sign-in Assistant is used. Server refuses modern authentication when Skype for Business Online tenants are not enabled. |
Modern authentication is attempted first. If the server refuses a modern authentication connection, then Microsoft Online Sign-in Assistant is used. Server refuses modern authentication when Skype for Business Online tenants are not enabled. |
Office 2016 |
Yes, EnableADAL = 1 |
Yes |
Modern authentication is attempted first. If the server refuses a modern authentication connection, then Microsoft Online Sign-in Assistant is used. Server refuses modern authentication when Skype for Business Online tenants are not enabled. |
Modern authentication is attempted first. If the server refuses a modern authentication connection, then Microsoft Online Sign-in Assistant is used. Server refuses modern authentication when Skype for Business Online tenants are not enabled. |
Office 2016 |
Yes, EnableADAL = 0 |
No |
Microsoft Online Sign-in Assistant only. |
Microsoft Online Sign-in Assistant only. |
Office 2013 |
No |
No |
Microsoft Online Sign-in Assistant only. |
Microsoft Online Sign-in Assistant only. |
Office 2013 |
Yes, EnableADAL = 1 |
Yes |
Modern authentication is attempted first. If the server refuses a modern authentication connection, then Microsoft Online Sign-in Assistant is used. Server refuses modern authentication when Skype for Business Online tenants are not enabled. |
Microsoft Online Sign-in Assistant only. |
See also
Enable Modern Authentication for Office 2013 on Windows devices
Plan for multi-factor authentication for Office 365 Deployments (for Office 365 administrators)
Sign in to Office 365 with 2-step verification (for end users)
Feedback
We'd love to hear your thoughts. Choose the type you'd like to provide:
Our feedback system is built on GitHub Issues. Read more on our blog.
Loading feedback...