I’ve been working on a project recently where we’ve been running into some weird issues with Modern Authentication in general, and MFA specifically. It basically boils down to needing to understand two things:
- Office 2010 does not like Modern Auth at all; and,
- Office 2013 only really likes Modern Auth conditionally.
Now, I know what you’re thinking… duh! We already knew that Office 2010 doesn’t support modern auth, and so if you have MFA enabled on your account, you won’t be able to use Outlook 2010. Well, here’s where things get a bit trippy…
This environment had ADFS configured for Single Sign On, and so MFA is configured to skip multi-factor authentication for requests from federated users on my intranet, like so:
However, we were finding that users with MFA enabled were still unable to configure their Outlook profiles, and instead would just get constantly prompted for username and password, and the profile would never fully configure.
It turns out that even if you have MFA excluded for your internal networks, as long as MFA is enabled on a user account, Office 365 will require a modern auth request before it even evaluates whether or not MFA is required. If you’re using Outlook 2010, the only way to get past this is to use an app password. Now, app passwords are not the end of the world, however, when you’re looking at using Outlook and Skype together, your users will need to log in to Skype using their AD credentials, but whenever Skype pops up asking for Outlook integration, this needs to be your app password.
So what does this mean for Office 2013? We know that it’s supposed to support modern auth, as long as you have the proper registry keys set up on the workstation. These two keys are required:
Along with this one to make sure that Outlook is using OAuth (Modern Auth) for Autodiscover:
More info on these reg keys here:
However, even with those reg keys applied, we were still having an inconsistent experience in Outlook 2013 for accounts with MFA enabled. Sometimes everything would configure and work properly, and sometimes it’d just prompt for username and password constantly until the account locked out – this would invariably happen because Lync or Skype would be prompting for Outlook credentials, and wouldn’t accept username and password.
It wasn’t until I started looking at the Office 2013 version that I began to see the problem – the Office 2013 clients that were having issues with modern auth were not fully patched up to the required levels. The functionality to enable modern auth in Office 2013 didn’t come out until the March 2015 Update Release: https://blogs.technet.microsoft.com/office_sustained_engineering/2015/03/10/march-2015-office-update-release/
So I did some testing, and here’s what I found…
A fresh install of Office 2013 SP1 gives you version 15.0.4569.1506 in Add/Remove Programs. However, the installed version listed in the Control Panel only gives you the base version, and it doesn’t show you what your update level is at.
The only way to find this info is to go into an Office program, click File, then Account, then About Word/Outlook etc. You can see here that the base install of Office 2013 SP1 gives you .1504 with an MSO of 1506. The MSO number is the one you want to watch out for, as that’ll tell you the latest patch number installed.
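Because Add/Remove Programs only shows the base version, checking a fleet by hand through File > Account > About doesn’t scale. Here is an added read-only readiness check (my own script, not from the original post) that reads the same two signals the post describes: the real patch level of OUTLOOK.EXE and MSO.DLL, and the HKCU registry values that turn modern auth on. It assumes standard MSI install paths for 32-bit and 64-bit Office 2013, the Microsoft-documented value names EnableADAL and Version under Office\15.0\Common\Identity and AlwaysUseMSOAuthForAutoDiscover under HKCU\Software\Microsoft\Exchange (the keys themselves are not reproduced on this page), and it treats the March 2015 build named later in the post (15.0.4701.1002) as the minimum for both binaries, which is my reading of the advice to watch the MSO number.

```powershell
# Added example, not the post's own script: read-only Modern Auth readiness check
# for Outlook 2013, run in the context of the affected user (values live in HKCU).
# Assumptions (not on the page): MSI install paths for 32-/64-bit Office 2013,
# the Microsoft-documented HKCU values EnableADAL and Version under
# ...\Office\15.0\Common\Identity and AlwaysUseMSOAuthForAutoDiscover under
# HKCU\Software\Microsoft\Exchange, and the March 2015 build (15.0.4701.1002)
# as the minimum patch level for both OUTLOOK.EXE and MSO.DLL.

$MinimumBuild = New-Object System.Version -ArgumentList '15.0.4701.1002'

# File-version probe that mirrors what File > Account > About displays:
# OUTLOOK.EXE gives the Outlook build, MSO.DLL gives the "MSO" build.
function Get-OfficeBinaryVersion {
    param([string]$RelativePath)
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    foreach ($root in $roots) {
        $full = Join-Path $root $RelativePath
        if (Test-Path -LiteralPath $full) {
            $vi = (Get-Item -LiteralPath $full).VersionInfo
            # Compose the version from the numeric parts; FileVersion strings can
            # carry trailing text that makes a direct [version] cast fail.
            $ver = New-Object System.Version -ArgumentList $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
            return New-Object PSObject -Property @{ Path = $full; Version = $ver }
        }
    }
    return $null
}

# Read a REG_DWORD from HKCU, returning $null when the key or value is absent.
function Get-HkcuDword {
    param([string]$Key, [string]$Name)
    $props = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    return [int]$props.$Name
}

function Test-Outlook2013ModernAuthReadiness {
    $findings = @()
    $ready = $true

    # 1. Patch level: the base SP1 install is below the required build even
    #    though Add/Remove Programs looks current.
    foreach ($probe in @(
        @{ Label = 'Outlook build'; Rel = 'Microsoft Office\Office15\OUTLOOK.EXE' },
        @{ Label = 'MSO build';     Rel = 'Common Files\Microsoft Shared\OFFICE15\MSO.DLL' })) {
        $bin = Get-OfficeBinaryVersion -RelativePath $probe.Rel
        if ($null -eq $bin) {
            $findings += "$($probe.Label): file not found (non-MSI install or not Office 2013)"
            $ready = $false
        } elseif ($bin.Version -lt $MinimumBuild) {
            $findings += "$($probe.Label): $($bin.Version) is below $MinimumBuild; expect a basic auth prompt"
            $ready = $false
        } else {
            $findings += "$($probe.Label): $($bin.Version) OK"
        }
    }

    # 2. Registry switches: all three must be DWORD 1 for this user.
    foreach ($reg in @(
        @{ Key = 'HKCU:\Software\Microsoft\Office\15.0\Common\Identity'; Name = 'EnableADAL' },
        @{ Key = 'HKCU:\Software\Microsoft\Office\15.0\Common\Identity'; Name = 'Version' },
        @{ Key = 'HKCU:\Software\Microsoft\Exchange'; Name = 'AlwaysUseMSOAuthForAutoDiscover' })) {
        $value = Get-HkcuDword -Key $reg.Key -Name $reg.Name
        if ($value -eq 1) {
            $findings += "$($reg.Name): set to 1 OK"
        } else {
            $shown = if ($null -eq $value) { 'missing' } else { $value }
            $findings += "$($reg.Name): $shown (expected DWORD 1 under $($reg.Key))"
            $ready = $false
        }
    }

    New-Object PSObject -Property @{ Ready = $ready; Findings = $findings }
}

$result = Test-Outlook2013ModernAuthReadiness
$result.Findings | ForEach-Object { Write-Output $_ }
Write-Output ("Modern Auth ready: {0}" -f $result.Ready)
```

Run it as the user whose profile is failing, not from an elevated admin session under a different account, since the switches live under HKCU. It changes nothing; a “file not found” line usually means a Click-to-Run install, whose binaries sit under a different root than the MSI paths assumed here.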
Testing the base install of Office 2013, all you get is a basic auth prompt – even though the reg keys have been applied. In essence, Outlook 2013 is acting the same as 2010 in this regard – basic auth only.
Fully Patched (as of October 2017):
You can see the difference immediately when you try to configure an Outlook profile – prior to being patched, Outlook would send a basic auth request which wouldn’t work. Once you have your patches and reg keys in place, Outlook pops up a modern auth prompt:
And then MFA works as expected (or doesn’t show up at all if you have internal networks excluded).
I found it took several rounds of updates before Office 2013 was fully patched – the first round of updates took me to just before the March 2015 update that I needed (15.0.4701.1002):
After second round of updates:
This is close enough if you just want to get Modern Auth working properly – I always like to see Office and Windows fully patched… who knows what else has gotten fixed along the way that might come around and bite you next? Patch!
After the final round of updates:
And finally… good to go!
So the moral of the story is this – when in doubt, make sure that you’re up to date! Don’t just assume that WSUS has been doing its job, or that users haven’t been ignoring their updates for years – more often than not, there are gaps that can cause weird issues like this to crop up.
Hope this helps!