In this Ask the Admin, I’ll show you how to enable Modern Authentication in Exchange Online so that two-factor authentication (2FA) enabled users in Office 365 can access Exchange Online using Outlook 2013 or later.
If you’ve been following my article series on multi-factor authentication, you’ll know that Microsoft has been working hard to make deploying 2FA easier. The Microsoft Authenticator app allows mobile devices to be used like smartcards, acting as a second factor in the authentication process, and uses push notifications so that users don’t have to type codes to confirm that they’re in possession of the device.
Office 2013 and later desktop apps and Office mobile apps all support 2FA out-of-the-box, and this support is known as Modern Authentication (MA). SharePoint Online has support for MA enabled by default, but if you want to allow 2FA-enabled Office 365 users to connect to Exchange Online using Outlook 2013 or later, you’ll need to enable MA in Exchange Online first.
For more information on 2FA in Office 365, see "Enable Multifactor Authentication for Office 365 Users" and "What is Multifactor Authentication and How Does It Work?" on the Petri IT Knowledgebase.
Modern Authentication must be enabled in Exchange Online using PowerShell, and you’ll need to log in to Exchange Online using an account that isn’t 2FA-enabled. To make a connection to Exchange Online, open a PowerShell prompt or the Integrated Scripting Environment (ISE), and run the following two lines of code:
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
The Get-Credential cmdlet will prompt you to enter a username and password. Use an account that has administrative access to Exchange Online. The New-PSSession cmdlet is then used to define a session with Exchange Online.
Next, use Import-PSSession to set up the session with Exchange Online.
Now that we’ve successfully connected to Exchange Online, use the Set-OrganizationConfig cmdlet to enable MA:
Now, check that MA has been enabled using the Get-OrganizationConfig cmdlet:
Get-OrganizationConfig | ft name, *OAuth*
You should see that OAuth2ClientProfileEnabled is set to True. Finally, tear down the session by running the Remove-PSSession cmdlet:
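The whole procedure described above as a single script, added here as an example and not taken from the original article. It assumes the connection settings shown earlier; the Import-PSSession, Set-OrganizationConfig and Remove-PSSession invocations are filled in from the cmdlet names and the OAuth2ClientProfileEnabled property the text mentions, and the pre-check and try/finally wrapper are additions.

```powershell
# Added example: connect, enable Modern Authentication, verify, and always clean up.
# Assumes an Exchange Online admin account that is not 2FA-enabled, as the article requires.
$ErrorActionPreference = 'Stop'

$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri https://outlook.office365.com/powershell-liveid/ `
    -Credential $UserCredential -Authentication Basic -AllowRedirection

try {
    # Import only the two cmdlets this script needs from the remote session.
    Import-PSSession $Session `
        -CommandName Get-OrganizationConfig, Set-OrganizationConfig `
        -DisableNameChecking | Out-Null

    # Record the current state so the change is visible in the console history.
    $before = (Get-OrganizationConfig).OAuth2ClientProfileEnabled
    Write-Host "OAuth2ClientProfileEnabled before change: $before"

    if (-not $before) {
        Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
    }

    # Re-read the setting rather than assuming the change succeeded.
    $after = (Get-OrganizationConfig).OAuth2ClientProfileEnabled
    if (-not $after) {
        throw "Modern Authentication is still disabled (OAuth2ClientProfileEnabled = $after)."
    }
    Get-OrganizationConfig | Format-Table Name, *OAuth* -AutoSize
}
finally {
    # Tear down the session even if a step above failed, so no authenticated
    # remote session is left open on the admin workstation.
    Remove-PSSession $Session
}
```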
In this article, I showed you how to enable Modern Authentication in Exchange Online so that 2FA-enabled Office 365 users can use Outlook 2013 or later.