Enabling "Modern Auth" for Outlook

Note

This is a new (and for the moment optional) feature available from version 7.2.0 onwards. Before users can make use of it, it needs to be configured on the server.

Server configuration

Most of the configuration for Modern Auth is already in place in the container and only a few settings need to be adjusted.

In config.yaml, make sure that the OpenID Connect issuer is set to the domain of the container. With the issuer set, switch the authentication mode from basic to modern:

e4a:
  common:
    oidc:
      iss: "https://exchange4all.local"
    authentication:
      mode: modern

The last configuration file that needs updating is the identifier registration of LibreGraph Lico (stored in /storage/lico/identifier-registration.yaml):

# OpenID Connect client registry.
clients:
  - id: d3590ed6-52b3-4102-aeff-aad2292ab01c
    name: Outlook
    trusted: true
    application_type: native
    implicit_scopes:
      - openid
      - profile
      - offline_access
      - E4A.Outlook.Default
    redirect_uris:
      - ms-appx-web://Microsoft.AAD.BrokerPlugin/d3590ed6-52b3-4102-aeff-aad2292ab01c

After the configuration has been adjusted the container needs to be restarted.

Client configuration

The client-side configuration is exactly the same as documented by Microsoft. Below is a quick summary.

Requirements

To use Modern Auth, Windows 11 OS 22H2 with the March 14, 2023 update or later must be used in combination with the following versions of Outlook:

Outlook in Microsoft 365 Apps

| Channel | Supported | Version | Build (or later) |
|---|---|---|---|
| Insider Channel | Yes | 2304 | 16327.20200 |
| Current Channel | Yes | 2304 | 16327.20214 |
| Monthly Enterprise Channel | Yes | 2304 | 16327.20324 |
| Semi-Annual Enterprise Channel (Preview) | Yes | 2402 | 17328.20184 |
| Semi-Annual Enterprise Channel | Yes | 2402 | 17328.20452 |

Outlook for Windows (volume license & retail)

| Version | Supported | Version | Build (or later) |
|---|---|---|---|
| Outlook 2016 (Any version) | No | N/A | N/A |
| Outlook 2019 (Any version) | No | N/A | N/A |
| Outlook 2021 (Retail) | Yes | 2304 | 16327.20214 |
| Outlook 2021 (Volume license) | No | N/A | N/A |
| Outlook 2024 (Retail) | Yes | 2410 | 18129.20158 |
| Outlook 2024 (Volume) | Yes | 2408 | 17932.20162 |

You can check the Microsoft documentation for up-to-date client information.

Registry changes

Note

For ease of deployment, these registry changes can be configured using Group Policy. If Group Policy isn't used by your organization, users have to configure their registry manually (or with a script you provide).

Here is a .reg file that you can use to import the needed registry keys. Make sure to replace exchange4all.local with the domain of the customer before importing the file.

EnableModernAuth.reg
Windows Registry Editor Version 5.00

; Replace 'exchange4all.local' with the customer's ADFS domain
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AAD\AuthTrustedDomains\https://exchange4all.local/]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AAD\AuthTrustedDomains\https://exchange4all.local]

; Enable Modern Auth via ADFS in Outlook on Windows
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Identity]
"EnableExchangeOnPremModernAuth"=dword:00000001

Save this content into a text file with the .reg extension (e.g., EnableModernAuth.reg) and run it to apply these changes to the Windows registry.
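
Where Group Policy is not used, the same changes can be applied with a script. The PowerShell script below is an added example and not part of the original documentation; the -Domain parameter and the variable names are assumptions. It validates the domain before building the key names and reports which items are present afterwards.

```powershell
# Added example (not from the product documentation): applies the same
# registry changes as EnableModernAuth.reg for a given domain.
param(
    [Parameter(Mandatory)]
    [string]$Domain   # hostname only, e.g. exchange4all.local
)

# Accept only a plain DNS hostname so that no scheme, path or backslash
# can end up inside the registry key name.
if ($Domain -notmatch '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$') {
    throw "Not a valid hostname: $Domain"
}

$issuer       = "https://$Domain"
$trustedBase  = 'SOFTWARE\Policies\Microsoft\AAD\AuthTrustedDomains'
$identityPath = 'SOFTWARE\Microsoft\Office\16.0\Common\Identity'
$valueName    = 'EnableExchangeOnPremModernAuth'

# Writing below HKLM\SOFTWARE\Policies requires an elevated session.
$me = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
$elevated = $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# The key names contain '/', which the PowerShell registry provider treats
# as a path separator, so the keys are created through the .NET API.
$hklm = [Microsoft.Win32.Registry]::LocalMachine
foreach ($name in "$issuer/", $issuer) {
    if ($elevated) { $hklm.CreateSubKey("$trustedBase\$name").Close() }
    $key = $hklm.OpenSubKey("$trustedBase\$name")
    [pscustomobject]@{ Hive = 'HKLM'; Item = $name; Present = [bool]$key }
    if ($key) { $key.Close() }
}

# Per-user switch: written to the hive of the account running the script.
$hkcu = [Microsoft.Win32.Registry]::CurrentUser
$id = $hkcu.CreateSubKey($identityPath)
$id.SetValue($valueName, 1, [Microsoft.Win32.RegistryValueKind]::DWord)
[pscustomobject]@{ Hive = 'HKCU'; Item = $valueName; Present = ($id.GetValue($valueName) -eq 1) }
$id.Close()

if (-not $elevated) {
    Write-Warning 'Not elevated: the AuthTrustedDomains keys were only checked, not created.'
}
```

If the script is run elevated under a different administrator account, the HKEY_CURRENT_USER value lands in that administrator's profile rather than the Outlook user's, so run it once elevated for the machine keys and once in the user's own session.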