Later this month we will release an update to the Office 2013 Windows client applications that enables new authentication flows, including support for Multi-Factor Authentication (MFA). These new authentication flows are enabled by the Active Directory Authentication Library (ADAL). The update for ADAL based authentication will be disabled by default for all users of Office 2013 Windows clients, and the previous sign in authentication stack based on the Microsoft Online Sign-In Assistant will continue to be used by default. The updated authentication features will be available in private preview starting with the November 2014 update. This blog post talks about the new features that are enabled by the ADAL sign-in authentication stack and when you should consider enabling that stack.
Introduction to ADAL based authentication
The ADAL based authentication stack enables the Office 2013 clients to engage in browser-based authentication (also known as passive authentication) where the user is directed to a web page from the identity provider to authenticate. The above screenshot shows the default web page from Azure Active Directory (Azure AD), which is used by Office 365.
This diagram shows how the updated Office 2013 Windows client applications enable user sign in. The Office 2013 client application uses the ADAL component to facilitate sign in with Azure AD. Azure AD hosts a web page where the user can sign in. The identity provider could be Azure AD or a federated identity provider like Active Directory Federation Services (AD FS). If the user is a federated user, Azure AD redirects the user to the sign in web page hosted by the identity provider of record for the tenant. This identity provider is determined from the domain in the user’s sign in name. The sign in web page is shown to the user on their device and the user signs in. When the user has signed in successfully, the identity provider returns a token to Azure AD. Azure AD then returns a JWT token to the Office client application, and the client application can use this JWT token with Office 365 services on behalf of the user. This approach has several benefits: the Office client applications never handle the user’s password, the identity provider can show multiple pages and a custom user interface to the user, and customized sign in can be enabled through integration with the identity provider.
Scenarios for ADAL based authentication
This new sign in method enables many new sign in scenarios such as the following:
1. MFA for Office 2013 client applications
MFA is where a user is required to provide a second factor of authentication in addition to their password. Examples of the second factor of authentication include answering a phone call on their mobile device, using a smart card, or providing a verification code from a mobile app. Prior to ADAL based authentication support in the Office 2013 clients, the applications could only prompt for a username and password, which were then sent to the appropriate identity provider for validation. In these cases, users with MFA enabled would need to use an App Password instead of their normal user password. App Passwords are special strings generated when the user configures their MFA options.
With the new ADAL-based authentication enabled Office 2013 client applications, users no longer need to sign in with an App Password. Instead, they can sign in using true multi-factor authentication. The second factor of authentication the user must provide is dependent on the configuration done by their administrator.
2. SAML based identity provider sign in
Prior to ADAL based authentication, the Office 2013 client sign in flow (using the Microsoft Online Sign-In Assistant) required the WS-Trust protocol for users to sign in. Identity providers that use the SAML-P 2.0 protocol often do not also support WS-Trust and this prevented federated users from signing in to their Office 2013 client applications. With the ADAL based authentication flows, users can sign in to Office client applications even when using an identity provider that uses SAML-P 2.0. This enables the following scenarios which were previously not possible with SAML-P 2.0 providers:
- Office 365 ProPlus license activation
- Connecting from Lync and other client applications to Office 365
- Saving files from Word, Excel, PowerPoint, etc. to SharePoint Online
3. Smart card and certificate-based authentication
Customers that have deployed AD FS may elect to configure their users to sign in with smart card/certificate-based authentication. In this configuration, users are not required to enter their user name and password. Instead, they use smart cards (physical or virtual) as the second factor of authentication when signing in.
4. Outlook no longer requires basic authentication
This update to the Office 2013 clients also includes a change in the Outlook client. Prior to ADAL based authentication, Outlook would connect to Exchange Online using Basic auth over HTTPS. This required the username and password to be provided any time a connection to Exchange Online was made. ADAL based authentication flows remove the need for this type of basic authentication. Instead, the Outlook client now communicates directly with the customer’s identity provider and no longer needs to share the user’s password with Exchange Online for user authentication.
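The token model from the diagram section above and the Basic-auth change for Outlook, as an added example that is not Microsoft's or Office's code: it classifies the Authorization header a client sends and, for the bearer case, validates the JWT's signature and claims the way a resource service would. Azure AD signs its tokens with RS256 using published keys; here HS256 with a constructed shared secret is substituted so the example runs offline, and the issuer and audience URLs are constructed as well.

```python
# Added example (not Microsoft's code). Azure AD signs real tokens with RS256
# and publishes its keys; HS256 with a constructed secret is used here so the
# example runs offline, and the issuer/audience URLs are constructed too.
import base64, hashlib, hmac, json
SECRET = b"constructed-demo-secret"           # stands in for the IdP signing key
EXPECTED_ISS = "https://sts.example.test/"    # constructed issuer
EXPECTED_AUD = "https://outlook.example.test" # constructed resource audience

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_jwt(claims: dict, secret: bytes = SECRET) -> str:
    """Mint a constructed HS256 token standing in for what Azure AD returns."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def validate_jwt(token: str, now: int, secret: bytes = SECRET) -> dict:
    """Check the signature first, then the claims; raise ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, body, sig = parts
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")   # never let the token choose the algorithm
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != EXPECTED_ISS:
        raise ValueError("wrong issuer")
    if claims.get("aud") != EXPECTED_AUD:
        raise ValueError("token issued for a different service")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims

def classify_authorization(header_value: str, now: int) -> str:
    """Basic carries the reusable password; Bearer carries a scoped, expiring token."""
    scheme, _, value = header_value.partition(" ")
    if scheme.lower() == "basic":
        return "basic: the user's password itself is sent to the service"
    if scheme.lower() == "bearer":
        return f"bearer: valid token for {validate_jwt(value, now).get('upn', '?')}"
    return "unknown scheme"
```

A real service would fetch the issuer's signing keys and verify RS256 instead of the shared-secret check shown here; the claim checks (issuer, audience, expiry) are the same.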
Getting the update
The Office 2013 client update that includes the new ADAL based authentication features will be available in the November 2014 update for the Office 365 ProPlus and Office 2013 Windows client software. Updates are automatically available for Office 365 ProPlus clients: users will see a pop-up screen in the product prompting them to apply the new updates. Office 2013 Windows clients are updated using Windows Update.
There is no change to the way sign in works in the Office clients after you have the update. By default the new ADAL based authentication stack is disabled. The new authentication features must be enabled on each client machine and also for the Office 365 tenant that you are connecting to. We have details about how to enable these in a preview program, which is being used to ensure that the updated ADAL based authentication model gets out first to early adopters.
About the preview program
ADAL based authentication will be available to customers who are accepted into a private preview program. There are a number of specific scenarios which are not available in the private preview and we will be initially limiting the numbers of new customers who can be accepted into the private preview. Customers engaged with the preview program should not deploy the new flows in their production environment. Customers who are accepted will have to switch back to the older sign in assistant before calling for support. Over the coming months we will be expanding the preview as updates are released.
Before applying to join the private preview, please review the following scenarios that are not included:
- Information Rights Management (IRM). IRM secured emails cannot be displayed in Outlook when the user is signed in using ADAL. Also, IRM secured documents cannot be opened in Word and other Office client applications.
- External Sharing in SharePoint Online. Users enabled for ADAL based authentication will not be able to access secured content hosted in another tenant’s SharePoint Online sites using the “External Sharing” feature.
- Multiple mismatched tenants in Outlook. Users signed in with ADAL based authentication cannot access email in a second tenant from Outlook where the second tenant is not also enabled for ADAL based authentication.
- Authenticated Internet proxies. Outlook may raise a Basic auth prompt when connecting to Exchange Online when enabled for ADAL if there is an authenticated Internet proxy server in the customer environment that is used for accessing the Internet.
- AD FS Client Access Policies. When the Office clients use ADAL based authentication, they will not be filtered correctly by AD FS Client Access Policies.
- Credentials not persisted during enablement. Clients that are enabled for ADAL based authentication may not retain the credentials that were saved before ADAL based authentication was enabled. In these cases, users will need to add these accounts to their Office 2013 client again, one time, after ADAL based authentication is enabled. No user created data would be lost during that process.
To apply to join the private preview program, please complete the survey here.
Frequently asked questions
Q. I applied to join the private preview program but have not been accepted. How long will it take?
A. We are limiting the private preview program, but will be expanding the number of customers who are accepted each month. Please be patient and if you have a specific business need, please talk with your Microsoft account manager.
Q. I am in the private preview program but now need one of the excluded scenarios. How do I switch back to the sign in assistant?
A. Please call Microsoft support who can disable the ADAL sign-in for your tenant.
Q. What Office 2013 Windows clients are included in the update?
A. Word 2013, Excel 2013, PowerPoint 2013, Lync 2013, Outlook 2013, Publisher 2013, Visio 2013, Access 2013, Project 2013 and OneDrive for Business Sync Client.
Q. What identity providers can be used for federated identity with the new ADAL clients?
A. AD FS and other identity providers that are qualified in the Works with Office 365—Identity program. Details about the Works with Office 365—Identity program are here.
Q. How do other applications that are not part of Office 2013 connect to Office 365?
A. Other applications can also use ADAL to authenticate to Office 365. Details about ADAL on various platforms are available here.
Q. Will Microsoft be updating Office 2010 Windows clients and older clients to use ADAL?
A. No. You would need to upgrade to the Office 2013 Windows client software.
Q. When will Office 365 apps for iOS and Office for Mac 2011 be updated to use ADAL?
A. In October we updated OneNote for Mac and iOS, and Word, Excel, and PowerPoint for iOS, to use ADAL; Outlook for Mac was updated to use ADAL for activations.