Office 2013 and Modern Auth
Office 2013 and modern auth have a bit of a shaky relationship – once you’re working with Office Pro Plus, or even 2016, the experience is a whole lot smoother. Sadly, Office 2013 feels like it’s a bit of a hit and a miss when trying to nail down authentication errors, especially if you can’t seem to reproduce a consistent experience with either Modern or Basic authentication. Here’s a few things I’ve run into that will hopefully put you in a good place with Office 2013 and allow you to consistently see a modern auth prompt:
#1. Registry updates
In order to enable Modern Auth in Office 2013, you need to add or update the following registry keys:
Without these keys added, you’re dead in the water – you’re only ever going to see basic auth. If you’ve already added these registry keys, maybe even pushed them out via GPO, and you’re still seeing basic auth on some computers, it’s time to move on to number two.
#2. Office updates
So here’s the kicker – for modern auth to be supported in Office 2013, you need to be patched up to the March 2015 update release. I know, I know… you’re a WSUS/SCCM/Intune/Patch Manager wiz, and all your Office clients are 100% patched up to the latest version. Well, we both know that’s not quite the case, as you’re still reading ;). The reality is, that even when you do your best to make sure that all your systems are patched, and updates are approved on time, there can still be stragglers out there that haven’t been receiving their updates – and sometimes can be YEARS behind!
Here’s what to look for: Office 2013 SP1 installs at Version 15.0.4569.1506 (SP1). This is what you’d call a vanilla install – no patches applied yet.
From within the Office client itself, you’ll see the versions reported from Help – About.
After first round of updates: not there yet
After second round of updates: modern auth will work now
Final round of updates: why wouldn’t you patch all the way?
To get to the March 2015 version, you need to be at version 15.0.4701.1002 – I keep on going and patch all the way to current patch levels, because that’s just the kinda guy I am. I know there are valid reasons to stop at certain patch levels sometimes, so just make sure you at least get to the version listed here so that your modern auth will work properly.
#3. Know your auth prompts
When you’re testing or troubleshooting, it’s important to understand what kind of authentication prompt you’re actually getting – this is especially critical if you’re enabling MFA on your user accounts. If they’re not getting a modern auth prompt, they won’t get prompted for MFA, their username & password won’t work, and in fact, the only thing that WILL work is an app password… yuck!
Anytime you see this type of authentication window, this means you’re only using basic authentication:
As soon as you see this logon prompt, you can know that MFA will fail, and that app passwords (or disabling MFA on that user account) is the only way to keep on signing in like this. If you’re getting a basic auth prompt, check that your reg keys are applied properly, and Office is fully patched.
This is the authentication window you want to see – notice that it’s a web form, it’ll have your logo if you’ve configured it, and you will know properly see MFA or whatever other conditional access policies you might have put in place:
And now, finally… Outlook will connect and set up your user’s profile and email will begin to flow yet again.
Hope this helps you to nail down your Office 2013 and modern auth experience, and helps you to ensure a consistent response, ever single time!