How modern authentication works for Office 2013, Office 2016, and Office 2019 client apps

This article applies to both Microsoft 365 Enterprise and Office 365 Enterprise.

Read this article to learn how Office 2013, Office 2016, and Office 2019 client apps use modern authentication features based on the authentication configuration on the Microsoft 365 tenant for Exchange Online, SharePoint Online, and Skype for Business Online.

Note

Legacy client apps, such as Office 2010 and Office for Mac 2011, do not support modern authentication and can only be used with basic authentication.

Availability of modern authentication for Microsoft 365 services

For the Microsoft 365 services, the default state of modern authentication is:

Note

For tenants created before August 1, 2017, modern authentication is turned off by default for Exchange Online and Skype for Business Online.

Sign-in behavior of Office client apps

Office 2013 client apps support legacy authentication by default. Legacy means that they support either Microsoft Online Sign-in Assistant or basic authentication. In order for these clients to use modern authentication features, the Windows client must have registry keys set. For instructions, see Enable Modern Authentication for Office 2013 on Windows devices.

Important

The use of basic authentication is being deprecated for Exchange Online mailboxes on Microsoft 365. This means that if Outlook 2013 is not configured to use modern authentication, it loses the ability to connect. Read this article for more information about basic auth deprecation.

To enable modern authentication for any devices running Windows (for example, laptops and tablets), that have Microsoft Office 2013 installed, you need to set the following registry keys. The keys have to be set on each device that you want to enable for modern authentication:

Registry key Type Value
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Common\Identity\EnableADAL REG_DWORD 1
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Common\Identity\Version REG_DWORD 1
HKEY_CURRENT_USER\Software\Microsoft\Exchange\AlwaysUseMSOAuthForAutoDiscover REG_DWORD 1

Read How to use Modern Authentication (ADAL) with Skype for Business to learn about how it works with Skype for Business.

Software requirements

To enable multifactor authentication (MFA) for Office 2013 client apps, you must have the software listed below installed (at the version listed below, or a later version). The process is different depending on your installation type (either MSI-based, or via Click-to-run.)

First, find out if your Office installation is MSI-based or Click-to-run with the steps below.

  1. Start Outlook 2013.
  2. On the File menu, select Office Account.
  3. For Outlook 2013 Click-to-Run installations an Update Options item is displayed. For MSI-based installations, the Update Options item isn't displayed.
    1. The Click-to-run Update Options button tells you 'Updates are automatically downloaded and installed', and your current version.

Click-to-run based installations

For Click-to-run based installations you must have the following software installed at a file version listed below, or a later file version. If your file version isn't equal to, or greater than, the file version listed, update it using the steps below.

File name Install path on your computer File version
MSO.DLL C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesCommonx86\Microsoft Shared\OFFICE15\MSO.DLL 15.0.4753.1001
CSI.DLL CSI.DLL C:\Program Files\Microsoft Office 15\root\office15\csi.dll 15.0.4753.1000
Groove.EXE* C:\Program Files\Microsoft Office 15\root\office15\GROOVE.exe 15.0.4763.1000
Outlook.exe C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.exe 15.0.4753.1002
ADAL.DLL C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesCommonx86\Microsoft Shared\OFFICE15\ADAL.DLL 1.0.2016.624
Iexplore.exe C:\Program Files\Internet Explorer varies

* If the Groove.EXE component isn't present in your Office installation, it doesn't need to be installed for ADAL to work. However, if it's present, then the build for Groove.EXE listed here is required.

MSI-based installations

For MSI-based installations the following software must be installed at the file version listed below, or a later file version. If your file version isn't equal to, or greater than, the file version listed below, update using the link in the Update KB Article column.

File name Install path on your computer Where to get the update Version
MSO.DLL C:\Program Files\Common Files\Microsoft Shared\OFFICE15\MSO.DLL KB3085480 15.0.4753.1001
CSI.DLL C:\Program Files\Common Files\Microsoft Shared\OFFICE15\Csi.dll KB3172545 15.0.4753.1000
Groove.exe* C:\Program Files\Microsoft Office\Office15\GROOVE.EXE KB4022226 15.0.4763.1000
Outlook.exe C:\Program Files\Microsoft Office\Office15\OUTLOOK.EXE KB4484096 15.0.4753.1002
ADAL.DLL C:\Program Files\Common Files\Microsoft Shared\OFFICE15\ADAL.DLL KB3085565 1.0.2016.624
Iexplore.exe C:\Program Files\Internet Explorer MS14-052 Not applicable

* If the Groove.EXE component isn't present in your Office installation, it doesn't need to be installed for ADAL to work. However, if it's present, then the build for Groove.EXE listed here is required.

Office 2016 and Office 2019 clients support modern authentication by default, and no action is needed for the client to use these new flows. However, explicit action is needed to use legacy authentication.

Select the links below to see how Office 2013, Office 2016, and Office 2019 client authentication works with the Microsoft 365 services depending on whether or not modern authentication is turned on.

Exchange Online

The following table describes the authentication behavior for Office 2013, Office 2016, and Office 2019 client apps when they connect to Exchange Online with or without modern authentication.

Office client app version Registry key present? Modern authentication on? Authentication behavior with modern authentication turned on for the tenant (default) Authentication behavior with modern authentication turned off for the tenant
Office 2019 No,
AlwaysUseMSOAuthForAutoDiscover = 1
Yes Forces modern authentication on Outlook 2013, 2016, or 2019.
More info
Forces modern authentication within the Outlook client.
Office 2019 No, or EnableADAL = 1 Yes Modern authentication is attempted first. If the server refuses a modern authentication connection, then basic authentication is used. Server refuses modern authentication when the tenant isn't enabled. Modern authentication is attempted first. If the server refuses a modern authentication connection, then basic authentication is used. Server refuses modern authentication when the tenant isn't enabled.
Office 2019 Yes, EnableADAL = 1 Yes Modern authentication is attempted first. If the server refuses a modern authentication connection, then basic authentication is used. Server refuses modern authentication when the tenant isn't enabled. Modern authentication is attempted first. If the server refuses a modern authentication connection, then basic authentication is used. Server refuses modern authentication when the tenant isn't enabled.
Office 2019 Yes, EnableADAL=0 No Basic authentication Basic authentication
Office 2016 No,
AlwaysUseMSOAuthForAutoDiscover = 1
Yes Forces modern authentication on 2013, 2016, or 2019.
More info
Forces modern authentication within the Outlook client.
Office 2016 No, or EnableADAL = 1 Yes Modern authentication is attempted first. If the server refuses a modern authentication connection, then basic authentication is used. Server refuses modern authentication when the tenant isn't enabled. Modern authentication is attempted first. If the server refuses a modern authentication connection, then basic authentication is used. Server refuses modern authentication when the tenant isn't enabled.
Office 2016 Yes, EnableADAL = 1 Yes Modern authentication is attempted first. If the server refuses a modern authentication connection, then basic authentication is used. Server refuses modern authentication when the tenant isn't enabled. Modern authentication is attempted first. If the server refuses a modern authentication connection, then basic authentication is used. Server refuses modern authentication when the tenant isn't enabled.
Office 2016 Yes, EnableADAL=0 No Basic authentication Basic authentication
Office 2013 No No Basic authentication Basic authentication
Office 2013 Yes, EnableADAL = 1 Yes Modern authentication is attempted first. If the server refuses a modern authentication connection, then basic authentication is used. Server refuses modern authentication when the tenant isn't enabled. Modern authentication is attempted first. If the server refuses a modern authentication connection, then basic authentication is used. Server refuses modern authentication when the tenant isn't enabled.

SharePoint Online

The following table describes the authentication behavior for Office 2013, Office 2016, and Office 2019 client apps when they connect to SharePoint Online with or without modern authentication.

Office client app version Registry key present? Modern authentication on? Authentication behavior with modern authentication turned on for the tenant (default) Authentication behavior with modern authentication turned off for the tenant
Office 2019 No, or EnableADAL = 1 Yes Modern authentication only. Failure to connect.
Office 2019 Yes, EnableADAL = 1 Yes Modern authentication only. Failure to connect.
Office 2019 Yes, EnableADAL = 0 No Microsoft Online Sign-in Assistant only. Microsoft Online Sign-in Assistant only.
Office 2016 No, or EnableADAL = 1 Yes Modern authentication only. Failure to connect.
Office 2016 Yes, EnableADAL = 1 Yes Modern authentication only. Failure to connect.
Office 2016 Yes, EnableADAL = 0 No Microsoft Online Sign-in Assistant only. Microsoft Online Sign-in Assistant only.
Office 2013 No No Microsoft Online Sign-in Assistant only. Microsoft Online Sign-in Assistant only.
Office 2013 Yes, EnableADAL = 1 Yes Modern authentication only. Failure to connect.

Skype for Business Online

The following table describes the authentication behavior for Office 2013, Office 2016, and Office 2019 client apps when they connect to Skype for Business Online with or without modern authentication.

Office client app version Registry key present? Modern authentication on? Authentication behavior with modern authentication turned on for the tenant Authentication behavior with modern authentication turned off for the tenant (default)
Office 2019 No, or EnableADAL = 1 Yes Modern authentication is attempted first. If the server refuses a modern authentication connection, then Microsoft Online Sign-in Assistant is used. Server refuses modern authentication when Skype for Business Online tenants aren't enabled. Modern authentication is attempted first. If the server refuses a modern authentication connection, then Microsoft Online Sign-in Assistant is used. Server refuses modern authentication when Skype for Business Online tenants aren't enabled.
Office 2019 Yes, EnableADAL = 1 Yes Modern authentication is attempted first. If the server refuses a modern authentication connection, then Microsoft Online Sign-in Assistant is used. Server refuses modern authentication when Skype for Business Online tenants aren't enabled. Modern authentication is attempted first. If the server refuses a modern authentication connection, then Microsoft Online Sign-in Assistant is used. Server refuses modern authentication when Skype for Business Online tenants aren't enabled.
Office 2019 Yes, EnableADAL = 0 No Microsoft Online Sign-in Assistant only. Microsoft Online Sign-in Assistant only.
Office 2016 No, or EnableADAL = 1 Yes Modern authentication is attempted first. If the server refuses a modern authentication connection, then Microsoft Online Sign-in Assistant is used. Server refuses modern authentication when Skype for Business Online tenants aren't enabled. Modern authentication is attempted first. If the server refuses a modern authentication connection, then Microsoft Online Sign-in Assistant is used. Server refuses modern authentication when Skype for Business Online tenants aren't enabled.
Office 2016 Yes, EnableADAL = 1 Yes Modern authentication is attempted first. If the server refuses a modern authentication connection, then Microsoft Online Sign-in Assistant is used. Server refuses modern authentication when Skype for Business Online tenants aren't enabled. Modern authentication is attempted first. If the server refuses a modern authentication connection, then Microsoft Online Sign-in Assistant is used. Server refuses modern authentication when Skype for Business Online tenants aren't enabled.
Office 2016 Yes, EnableADAL = 0 No Microsoft Online Sign-in Assistant only. Microsoft Online Sign-in Assistant only.
Office 2013 No No Microsoft Online Sign-in Assistant only. Microsoft Online Sign-in Assistant only.
Office 2013 Yes, EnableADAL = 1 Yes Modern authentication is attempted first. If the server refuses a modern authentication connection, then Microsoft Online Sign-in Assistant is used. Server refuses modern authentication when Skype for Business Online tenants aren't enabled. Microsoft Online Sign-in Assistant only.

See also

Multifactor authentication for Microsoft 365

Sign in to Microsoft 365 with multifactor authentication

Microsoft 365 Enterprise overview