How modern authentication works for Office 2013 and Office 2016 client apps

Read this article to learn how Office 2013 and Office 2016 client apps use modern authentication features based on the authentication configuration on the Office 365 tenant for Exchange Online, SharePoint Online, and Skype for Business Online.

Availability of modern authentication for Office 365 services

For the Office 365 services, the default state of modern authentication is:

Sign-in behavior of Office client apps

Office 2013 client apps support legacy authentication by default. Legacy means that they support either Microsoft Online Sign-in Assistant or basic authentication. For these clients to use modern authentication features, the Windows client has to have registry keys set. For instructions, see Enable Modern Authentication for Office 2013 on Windows devices.

Read How to use Modern Authentication (ADAL) with Skype for Business to learn about how it works with Skype for Business.

Office 2016 clients support modern authentication by default, and no action is needed for the client to use these new flows. However, explicit action is needed to use legacy authentication.

The following sections show how Office 2013 and Office 2016 client authentication works with the Office 365 services, depending on whether modern authentication is turned on.

Exchange Online

The following table describes the authentication behavior for Office 2013 or Office 2016 client apps when they connect to Exchange Online with or without modern authentication.

| Office client app version | Registry key present? | Modern authentication on? | Authentication behavior with modern authentication turned on for the tenant | Authentication behavior with modern authentication turned off for the tenant (default) |
| --- | --- | --- | --- | --- |
| Office 2016 | No, or EnableADAL = 1 | Yes | Modern authentication is attempted first. If the server refuses a modern authentication connection, then basic authentication is used. Server refuses modern authentication when the tenant is not enabled. | Modern authentication is attempted first. If the server refuses a modern authentication connection, then basic authentication is used. Server refuses modern authentication when the tenant is not enabled. |
| Office 2016 | Yes, EnableADAL = 1 | Yes | Modern authentication is attempted first. If the server refuses a modern authentication connection, then basic authentication is used. Server refuses modern authentication when the tenant is not enabled. | Modern authentication is attempted first. If the server refuses a modern authentication connection, then basic authentication is used. Server refuses modern authentication when the tenant is not enabled. |
| Office 2016 | Yes, EnableADAL = 0 | No | Basic authentication | Basic authentication |
| Office 2013 | No | No | Basic authentication | Basic authentication |
| Office 2013 | Yes, EnableADAL = 1 | Yes | Modern authentication is attempted first. If the server refuses a modern authentication connection, then basic authentication is used. Server refuses modern authentication when the tenant is not enabled. | Modern authentication is attempted first. If the server refuses a modern authentication connection, then basic authentication is used. Server refuses modern authentication when the tenant is not enabled. |

SharePoint Online

The following table describes the authentication behavior for Office 2013 or Office 2016 client apps when they connect to SharePoint Online with or without modern authentication.

| Office client app version | Registry key present? | Modern authentication on? | Authentication behavior with modern authentication turned on for the tenant (default) | Authentication behavior with modern authentication turned off for the tenant |
| --- | --- | --- | --- | --- |
| Office 2016 | No, or EnableADAL = 1 | Yes | Modern authentication only. | Failure to connect. |
| Office 2016 | Yes, EnableADAL = 1 | Yes | Modern authentication only. | Failure to connect. |
| Office 2016 | Yes, EnableADAL = 0 | No | Microsoft Online Sign-in Assistant only. | Microsoft Online Sign-in Assistant only. |
| Office 2013 | No | No | Microsoft Online Sign-in Assistant only. | Microsoft Online Sign-in Assistant only. |
| Office 2013 | Yes, EnableADAL = 1 | Yes | Modern authentication only. | Failure to connect. |

Skype for Business Online

The following table describes the authentication behavior for Office 2013 or Office 2016 client apps when they connect to Skype for Business Online with or without modern authentication.

| Office client app version | Registry key present? | Modern authentication on? | Authentication behavior with modern authentication turned on for the tenant | Authentication behavior with modern authentication turned off for the tenant (default) |
| --- | --- | --- | --- | --- |
| Office 2016 | No, or EnableADAL = 1 | Yes | Modern authentication is attempted first. If the server refuses a modern authentication connection, then Microsoft Online Sign-in Assistant is used. Server refuses modern authentication when Skype for Business Online tenants are not enabled. | Modern authentication is attempted first. If the server refuses a modern authentication connection, then Microsoft Online Sign-in Assistant is used. Server refuses modern authentication when Skype for Business Online tenants are not enabled. |
| Office 2016 | Yes, EnableADAL = 1 | Yes | Modern authentication is attempted first. If the server refuses a modern authentication connection, then Microsoft Online Sign-in Assistant is used. Server refuses modern authentication when Skype for Business Online tenants are not enabled. | Modern authentication is attempted first. If the server refuses a modern authentication connection, then Microsoft Online Sign-in Assistant is used. Server refuses modern authentication when Skype for Business Online tenants are not enabled. |
| Office 2016 | Yes, EnableADAL = 0 | No | Microsoft Online Sign-in Assistant only. | Microsoft Online Sign-in Assistant only. |
| Office 2013 | No | No | Microsoft Online Sign-in Assistant only. | Microsoft Online Sign-in Assistant only. |
| Office 2013 | Yes, EnableADAL = 1 | Yes | Modern authentication is attempted first. If the server refuses a modern authentication connection, then Microsoft Online Sign-in Assistant is used. Server refuses modern authentication when Skype for Business Online tenants are not enabled. | Microsoft Online Sign-in Assistant only. |
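The three tables reduce to one decision rule, which is useful when auditing which clients will still end up on basic authentication or Microsoft Online Sign-in Assistant. The following is an added example, not part of the original article or Microsoft's code: the function names, the host names and the inventory are constructed, and the tenant state uses the defaults given in the table headers.

```python
# Legacy sign-in method each service falls back to, per the tables above.
LEGACY = {"exchange": "basic", "sharepoint": "msosa", "skype": "msosa"}

def client_modern_auth_on(office_version, enable_adal):
    """enable_adal is None when the registry value is absent, else 0 or 1."""
    if office_version == 2016:
        return enable_adal != 0   # on by default; EnableADAL = 0 opts out
    if office_version == 2013:
        return enable_adal == 1   # off by default; EnableADAL = 1 opts in
    raise ValueError("tables only cover Office 2013 and Office 2016")

def effective_auth(service, office_version, enable_adal, tenant_modern_on):
    """Return the method that ends up being used: modern, basic, msosa or fail."""
    legacy = LEGACY[service]
    if not client_modern_auth_on(office_version, enable_adal):
        return legacy             # client never attempts modern authentication
    if tenant_modern_on:
        return "modern"
    # Client attempts modern authentication and the tenant refuses it.
    # SharePoint Online has no fallback for such a client; the others do.
    return "fail" if service == "sharepoint" else legacy

def audit(inventory, tenant):
    """List (host, service, result) for every pairing that is not modern auth."""
    findings = []
    for host, version, adal in inventory:
        for service, tenant_on in tenant.items():
            result = effective_auth(service, version, adal, tenant_on)
            if result != "modern":
                findings.append((host, service, result))
    return findings

# Tenant defaults as stated in the table headers.
TENANT_DEFAULTS = {"exchange": False, "sharepoint": True, "skype": False}

# Constructed inventory: (host, Office version, EnableADAL value or None).
SAMPLE_INVENTORY = [
    ("ws-01", 2016, None),
    ("ws-02", 2016, 0),
    ("ws-03", 2013, None),
    ("ws-04", 2013, 1),
]

if __name__ == "__main__":
    for host, service, result in audit(SAMPLE_INVENTORY, TENANT_DEFAULTS):
        print(f"{host}: {service} -> {result}")
```

With the default tenant state every sample host still reaches Exchange Online with basic authentication, which is the case an audit like this is meant to surface before legacy authentication is blocked.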

See Also

Using Office 365 modern authentication with Office clients
