Enabling "Modern Auth" for Outlook

Note

This is a new feature available from version 7.2.0 onwards. To use it, it must be configured on the server first.

Server configuration

Most of the Modern Auth configuration is preconfigured; only a few settings need to be adjusted.

  1. First, set the OpenID Connect issuer (oidc.iss) in config.yaml to the server's HTTPS URL. This is the value clients will compare against the issuer of every token, so it must match the address they connect to exactly.
  2. Then switch the authentication mode from basic to modern.

An example of this is shown below:

e4a:
  common:
    oidc:
      iss: "https://exchange4all.local"
    authentication:
      mode: modern

Lastly, the configuration file stored at /storage/lico/identifier-registration.yaml needs to be updated. This file is the identifier registration for LibreGraph Lico, the OpenID Connect provider. The client id and redirect URI below are the values Outlook itself presents and must be entered exactly as shown. Update the file as follows:

# OpenID Connect client registry.
clients:
  - id: d3590ed6-52b3-4102-aeff-aad2292ab01c
    name: Outlook
    trusted: true
    application_type: native
    implicit_scopes:
      - openid
      - profile
      - offline_access
      - E4A.Outlook.Default
    redirect_uris:
      - ms-appx-web://Microsoft.AAD.BrokerPlugin/d3590ed6-52b3-4102-aeff-aad2292ab01c

After the configuration file has been updated, the container needs to be restarted.
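Before touching any Outlook clients it is worth confirming, from a Windows machine, that the server really publishes the issuer just configured. The following PowerShell script is an added example and not part of the exchange4all documentation or code. It assumes that Lico serves the standard discovery document at <issuer>/.well-known/openid-configuration; the hostname exchange4all.local is a placeholder for your own server.

```powershell
# Added example, not part of the exchange4all documentation: check from a Windows
# client that the server publishes an OpenID Connect discovery document whose
# issuer matches e4a.common.oidc.iss. Assumes Lico serves the standard endpoint
# at <issuer>/.well-known/openid-configuration; the hostname is a placeholder.
param(
    [string]$Issuer = "https://exchange4all.local"
)

$discoveryUrl = "$Issuer/.well-known/openid-configuration"

try {
    # Deliberately no -SkipCertificateCheck: Outlook's broker will not accept an
    # untrusted chain either, so a TLS error here is a real finding.
    $doc = Invoke-RestMethod -Uri $discoveryUrl -Method Get -ErrorAction Stop
} catch {
    Write-Error "Discovery request to $discoveryUrl failed: $($_.Exception.Message)"
    exit 1
}

$problems = @()

# Clients validate the 'iss' claim against this value byte for byte, so scheme,
# host and the absence of a trailing slash must all agree with config.yaml.
if ($doc.issuer -ne $Issuer) {
    $problems += "issuer is '$($doc.issuer)', expected '$Issuer'"
}

# The native Outlook client needs the authorization code flow plus refresh
# tokens; the registration above grants openid, profile and offline_access.
if ($doc.response_types_supported -notcontains "code") {
    $problems += "'code' missing from response_types_supported"
}
if ($doc.scopes_supported) {
    foreach ($scope in @("openid", "profile", "offline_access")) {
        if ($doc.scopes_supported -notcontains $scope) {
            $problems += "scope '$scope' not advertised in scopes_supported"
        }
    }
}

# Every endpoint the client will be sent to must exist and be HTTPS.
foreach ($name in @("authorization_endpoint", "token_endpoint", "jwks_uri")) {
    $value = $doc.$name
    if (-not $value) {
        $problems += "$name missing from discovery document"
    } elseif ($value -notlike "https://*") {
        $problems += "$name is not HTTPS: $value"
    }
}

if ($problems.Count -eq 0) {
    Write-Host "OK: $Issuer publishes a consistent OIDC discovery document"
    exit 0
}
$problems | ForEach-Object { Write-Warning $_ }
exit 1
```

Run it as `.\Check-OidcDiscovery.ps1 -Issuer https://your.server` after the container has been restarted. A certificate error at this step means the clients will fail in the same way, since the registry changes below only tell Windows which issuer to trust, not which certificates.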

Client configuration

The client can be configured by following the documentation published by Microsoft.

The requirements and registry changes are summarised below.

Requirements

To use Modern Auth, Microsoft requires that Windows 11 OS 22H2 with the March 14, 2023 update or later is installed. Accordingly, the supported Outlook versions are:

Outlook in Microsoft 365 Apps

| Channel | Supported | Version | Build (or later) |
|---|---|---|---|
| Insider Channel | Yes | 2304 | 16327.20200 |
| Current Channel | Yes | 2304 | 16327.20214 |
| Monthly Enterprise Channel | Yes | 2304 | 16327.20324 |
| Semi-Annual Enterprise Channel (Preview) | Yes | 2402 | 17328.20184 |
| Semi-Annual Enterprise Channel | Yes | 2402 | 17328.20452 |

Outlook for Windows (volume license & retail)

| Edition | Supported | Version | Build (or later) |
|---|---|---|---|
| Outlook 2016 (Any version) | No | N/A | N/A |
| Outlook 2019 (Any version) | No | N/A | N/A |
| Outlook 2021 (Retail) | Yes | 2304 | 16327.20214 |
| Outlook 2021 (Volume license) | No | N/A | N/A |
| Outlook 2024 (Retail) | Yes | 2410 | 18129.20158 |
| Outlook 2024 (Volume license) | Yes | 2408 | 17932.20162 |

Please refer to the Microsoft documentation for the most up-to-date information.

Registry changes

Note

For ease of deployment, the registry changes can be rolled out using Group Policy. If your organisation does not use Group Policy, the registry on each client has to be changed manually or via a script.

An example .reg file is provided below. Make sure you replace exchange4all.local with your organisation's domain before importing it.

EnableModernAuth.reg
Windows Registry Editor Version 5.00

; Replace 'exchange4all.local' with the customer's ADFS domain
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AAD\AuthTrustedDomains\https://exchange4all.local/]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AAD\AuthTrustedDomains\https://exchange4all.local]

; Enable Modern Auth via ADFS in Outlook on Windows
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Identity]
"EnableExchangeOnPremModernAuth"=dword:00000001

To apply these registry changes, follow the steps below:

  1. Copy the snippet into a text file and save it with a .reg extension. Alternatively, download the file and edit the domain before saving it.
  2. Run the file to apply the changes to the Windows registry. Merging the HKEY_LOCAL_MACHINE keys requires administrator rights; the HKEY_CURRENT_USER value is written only for the user who runs the file.
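Where the change is scripted rather than imported from a .reg file, the script below does the same work from PowerShell. It is an added example and not part of the exchange4all documentation or code: it takes the server's domain as a parameter, writes the same keys and value as EnableModernAuth.reg, and reads them back so a failed write is visible. The domain exchange4all.local is a placeholder.

```powershell
# Added example, not part of the exchange4all documentation: apply the same
# registry changes as EnableModernAuth.reg from PowerShell, parameterised on the
# server's domain, and read them back afterwards. Run it elevated: the
# AuthTrustedDomains keys live under HKLM. The HKCU value only affects the user
# running the script, so on a shared machine run it in each user's session or
# deploy that part via Group Policy.
param(
    [Parameter(Mandatory = $true)]
    [string]$Domain   # bare host name, e.g. exchange4all.local (placeholder)
)

# Reject anything that is not a bare DNS name: pasting "https://host" or a path
# here would silently create a key that Windows never matches.
if ($Domain -notmatch '^[A-Za-z0-9.-]+$') {
    throw "Domain must be a bare host name such as exchange4all.local, got '$Domain'"
}

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Writing HKLM\SOFTWARE\Policies requires an elevated session."
}

$trustedBase  = "SOFTWARE\Policies\Microsoft\AAD\AuthTrustedDomains"
$identityPath = "SOFTWARE\Microsoft\Office\16.0\Common\Identity"
$valueName    = "EnableExchangeOnPremModernAuth"
# The .reg file creates the URL both with and without a trailing slash; mirror it.
$trustedKeys  = @("https://$Domain/", "https://$Domain")

$hklm = [Microsoft.Win32.Registry]::LocalMachine
$hkcu = [Microsoft.Win32.Registry]::CurrentUser

# The .NET API is used instead of the HKLM: drive because '/' is an ordinary
# character in a registry key name (only '\' separates keys), whereas
# PowerShell's provider path syntax treats '/' as a path separator.
foreach ($name in $trustedKeys) {
    $key = $hklm.CreateSubKey("$trustedBase\$name")
    $key.Close()
}

$id = $hkcu.CreateSubKey($identityPath)
$id.SetValue($valueName, 1, [Microsoft.Win32.RegistryValueKind]::DWord)
$id.Close()

# Read everything back so a failed write (policy lock, permissions) is visible.
$ok = $true
foreach ($name in $trustedKeys) {
    $key = $hklm.OpenSubKey("$trustedBase\$name")
    if ($null -eq $key) {
        Write-Warning "trusted domain key missing: $name"
        $ok = $false
    } else {
        $key.Close()
    }
}
$id = $hkcu.OpenSubKey($identityPath)
$current = if ($id) { $id.GetValue($valueName) } else { $null }
if ($id) { $id.Close() }
if ($current -ne 1) {
    Write-Warning "$valueName is '$current', expected 1"
    $ok = $false
}

if ($ok) { Write-Host "Modern Auth registry settings applied for https://$Domain" }
else     { exit 1 }
```

Run it from an elevated PowerShell prompt as `.\Enable-ModernAuth.ps1 -Domain your.server`. Because the trusted-domain keys sit under HKLM\SOFTWARE\Policies, a later Group Policy that manages the same keys takes precedence over what this script writes, which is the desired behaviour once policy-based deployment is in place.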