Enabling "Modern Auth" for Outlook¶
Note
This is a new feature available from version 7.2.0 onwards. To use it, it must configured on the server.
Server configuration¶
Most of the Modern Auth configuration is preconfigured. There are only a few settings, that need to be adjusted.
- First the
config.yamlfile needs to have the OpenID Connect Issuer be set to the domain of the server. - Now the authentication mode needs to be switched from
basictomodern.
An example of this is shown below:
e4a:
common:
oidc:
iss: "https://exchange4all.local"
authentication:
mode: modern
Lastly, the configuration file stored at /storage/lico/identifier-registration.yaml, needs to be updated. This file is the identifier registration for LibreGraph Lico. It should be updated as follows:
# OpenID Connect client registry.
clients:
- id: d3590ed6-52b3-4102-aeff-aad2292ab01c
name: Outlook
trusted: true
application_type: native
implicit_scopes:
- openid
- profile
- offline_access
- E4A.Outlook.Default
redirect_uris:
- ms-appx-web://Microsoft.AAD.BrokerPlugin/d3590ed6-52b3-4102-aeff-aad2292ab01c
After the configuration file has been updated, the container needs to be restarted.
Client configuration¶
The client can be configured, following the documentation created by Microsoft.
We have provided quick summaries, summarizing the requirements and registry changes.
Requirements¶
To use Modern Auth, Microsoft requires that Windows 11 OS 22H2 with the March 14, 2023 update or later is installed. Accordingly, the supported Outlook versions are:
Outlook in Microsoft 365 Apps¶
| Channel | Supported | Version | Build (or later) |
|---|---|---|---|
| Insider Channel | Yes | 2304 | 16327.20200 |
| Current Channel | Yes | 2304 | 16327.20214 |
| Monthly Enterprise Channel | Yes | 2304 | 16327.20324 |
| Semi-Annual Enterprise Channel (Preview) | Yes | 2402 | 17328.20184 |
| Semi-Annual Enterprise Channel | Yes | 2402 | 17328.20452 |
Outlook for Windows (volume license & retail)¶
| Version | Supported | Version | Build (or later) |
|---|---|---|---|
| Outlook 2016 (Any version) | No | N/A | N/A |
| Outlook 2019 (Any version) | No | N/A | N/A |
| Outlook 2021 (Retail) | Yes | 2304 | 16327.20214 |
| Outlook 2021 (Volume license) | No | N/A | N/A |
| Outlook 2024 (Retail) | Yes | 2410 | 18129.20158 |
| Outlook 2024 (Volume) | Yes | 2408 | 17932.20162 |
Please refer to the Microsoft documentation for the most up-to-date information.
Registry changes¶
Note
For ease of deployment, registry changes can be configured using Group Policies. If Group Policies aren't used by your organization, users are required to configure their registries manually or via a script.
An example .reg script has been provided below. Please ensure that you have replaced exchange4all.local with the domain of the organisations before importing the file.
Windows Registry Editor Version 5.00
; Replace 'exchange4all.local' with the customer's ADFS domain
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AAD\AuthTrustedDomains\https://exchange4all.local/]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AAD\AuthTrustedDomains\https://exchange4all.local]
; Enable Modern Auth via ADFS in Outlook on Windows
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Identity]
"EnableExchangeOnPremModernAuth"=dword:00000001
To apply these registry changes, please follow the steps below:
- Copy the snippet into a text file, and save it as a
.reg. Alternatively you can download and update the script before saving it. - Run the file, to apply the changes to the Windows registry.