# Enabling "modern auth" for Outlook

> **Note**
> This is a new (and for the moment optional) feature, available from version 7.2.0 onwards. Before users can make use of it, it needs to be configured on the server.

## Server configuration
Most of the configuration for modern auth is already in place in the container and only a few settings need to be changed.
Make changes to the e4a config:

```shell
yq eval -i '.e4a.common.authentication.mode = "modern"' /storage/config.yaml
yq eval -i '.e4a.common.oidc.iss = "https://exchange4all.local"' /storage/config.yaml
/opt/exchange4all/config/bin/e4a-config apply
chown -R e4a:e4a /opt/exchange4all/system/config/
sv restart e4a-http
```
Add an entry for Microsoft Outlook to the identifier registration inside the container:

```shell
yq eval -i \
'.clients += [{"id": "d3590ed6-52b3-4102-aeff-aad2292ab01c", "name": "Outlook", "trusted": true, "application_type": "native", "implicit_scopes": ["openid", "profile", "offline_access", "E4A.Outlook.Default"], "redirect_uris": ["ms-appx-web://Microsoft.AAD.BrokerPlugin/d3590ed6-52b3-4102-aeff-aad2292ab01c"]}]' \
/storage/lico/identifier-registration.yaml
sv restart libregraph-lico
```
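As an added sanity check (example code, not part of exchange4all or its tooling), the following Python validates an identifier-registration client entry against the values used above and checks that the configured issuer is one of the domains the Windows broker trusts (the `AuthTrustedDomains` key in the Registry changes section). The `check_*` function names, the bad entry with an extra loopback redirect URI and the trusted-domain list are constructed for illustration.

```python
import json
from urllib.parse import urlparse

# Values taken from the registration command on this page.
OUTLOOK_CLIENT_ID = "d3590ed6-52b3-4102-aeff-aad2292ab01c"
BROKER_REDIRECT = f"ms-appx-web://Microsoft.AAD.BrokerPlugin/{OUTLOOK_CLIENT_ID}"
REQUIRED_SCOPES = {"openid", "profile", "offline_access", "E4A.Outlook.Default"}

def check_outlook_client(client: dict) -> list[str]:
    """Return findings for one identifier-registration client entry (empty = OK)."""
    findings = []
    if client.get("id") != OUTLOOK_CLIENT_ID:
        findings.append(f"unexpected client id {client.get('id')!r}")
    if client.get("application_type") != "native":
        findings.append("application_type should be 'native' for the desktop client")
    uris = client.get("redirect_uris") or []
    if not uris:
        findings.append("no redirect_uris: authorization codes could be sent anywhere")
    for uri in uris:
        # Only the Windows AAD broker URI for this app id may receive codes.
        if uri != BROKER_REDIRECT:
            findings.append(f"redirect_uri {uri!r} is not the broker URI")
    missing = REQUIRED_SCOPES - set(client.get("implicit_scopes") or [])
    if missing:
        findings.append(f"missing implicit scopes: {sorted(missing)}")
    return findings

def check_issuer(iss: str, trusted_domains: list[str]) -> list[str]:
    """The OIDC issuer must be https and match a domain the Outlook broker trusts."""
    findings = []
    if urlparse(iss).scheme != "https":
        findings.append("oidc.iss must be an https URL")
    # The .reg file lists the domain with and without a trailing slash; normalise both sides.
    if iss.rstrip("/") not in {d.rstrip("/") for d in trusted_domains}:
        findings.append(f"{iss!r} is not listed under AuthTrustedDomains on the clients")
    return findings

# The exact JSON literal passed to yq on this page (the yq argument is valid JSON).
PAGE_CLIENT = json.loads('{"id": "d3590ed6-52b3-4102-aeff-aad2292ab01c", "name": "Outlook", '
    '"trusted": true, "application_type": "native", "implicit_scopes": ["openid", "profile", '
    '"offline_access", "E4A.Outlook.Default"], "redirect_uris": '
    '["ms-appx-web://Microsoft.AAD.BrokerPlugin/d3590ed6-52b3-4102-aeff-aad2292ab01c"]}')
# Constructed bad entry: a loopback redirect was added, which any local process could bind.
BAD_CLIENT = {**PAGE_CLIENT, "redirect_uris": PAGE_CLIENT["redirect_uris"] + ["http://localhost/cb"]}
TRUSTED = ["https://exchange4all.local/"]  # constructed from the AuthTrustedDomains key below

if __name__ == "__main__":
    for entry in (PAGE_CLIENT, BAD_CLIENT):
        print(check_outlook_client(entry))
    print(check_issuer("https://exchange4all.local", TRUSTED))
```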
## Client configuration

The client-side configuration is exactly the same as documented by Microsoft. Below is a quick summary.

### Requirements

To use modern auth, Windows 11 22H2 with the March 14, 2023 update or later must be used in combination with one of the following versions of Outlook:
#### Outlook in Microsoft 365 Apps

| Channel | Supported | Version | Build (or later) |
|---|---|---|---|
| Insider Channel | Yes | 2304 | 16327.20200 |
| Current Channel | Yes | 2304 | 16327.20214 |
| Monthly Enterprise Channel | Yes | 2304 | 16327.20324 |
| Semi-Annual Enterprise Channel (Preview) | Yes | 2402 | 17328.20184 |
| Semi-Annual Enterprise Channel | Yes | 2402 | 17328.20452 |
#### Outlook for Windows (volume license & retail)

| Product | Supported | Version | Build (or later) |
|---|---|---|---|
| Outlook 2016 (Any version) | No | N/A | N/A |
| Outlook 2019 (Any version) | No | N/A | N/A |
| Outlook 2021 (Retail) | Yes | 2304 | 16327.20214 |
| Outlook 2021 (Volume license) | No | N/A | N/A |
### Registry changes

> **Note**
> For ease of deployment, these registry changes can be configured using Group Policy. If Group Policy isn't used by your organization, users have to configure their registry manually (or with a script you provide).

Here is a `.reg` file script that you can use to import the needed registry keys. Make sure to replace `exchange4all.local` with the domain of the customer before importing the file.
```
Windows Registry Editor Version 5.00

; Replace 'exchange4all.local' with the customer's ADFS domain
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AAD\AuthTrustedDomains\https://exchange4all.local/]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AAD\AuthTrustedDomains\https://exchange4all.local]

; Enable Modern Auth via ADFS in Outlook on Windows
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Identity]
"EnableExchangeOnPremModernAuth"=dword:00000001
```

Save this content into a text file with the `.reg` extension (e.g., `EnableModernAuth.reg`) and run it to apply these changes to the Windows registry.