Enabling "Modern Auth" for Outlook¶
Note
This is a new (and for the moment optional) feature available from version 7.2.0 onwards. Before users can make use of it, it needs to be configured on the server.
Server configuration¶
Most of the configuration for Modern Auth is already in place in the container and only a few settings need to be adjusted.
Inside of config.yaml it needs to be ensured that the OpenID Connect Issuer is set to the domain of the container. With the issuer set the authentication mode needs to be switched from basic to modern:
e4a:
common:
oidc:
iss: "https://exchange4all.local"
authentication:
mode: modern
The last configuration file that needs updating is the identifier registration of LibreGraph Lico (stored in /storage/lico/identifier-registration.yaml):
# OpenID Connect client registry.
clients:
- id: d3590ed6-52b3-4102-aeff-aad2292ab01c
name: Outlook
trusted: true
application_type: native
implicit_scopes:
- openid
- profile
- offline_access
- E4A.Outlook.Default
redirect_uris:
- ms-appx-web://Microsoft.AAD.BrokerPlugin/d3590ed6-52b3-4102-aeff-aad2292ab01c
After the configuration has been adjusted the container needs to be restarted.
Client configuration¶
The client side configuration is the exact same as documented by Microsoft. Below is a quick summary.
Requirements¶
To use Modern Auth Windows 11 OS 22H2 with the March 14, 2023 update or later must be used in combination with the following versions of Outlook:
Outlook in Microsoft 365 Apps¶
| Channel | Supported | Version | Build (or later) |
|---|---|---|---|
| Insider Channel | Yes | 2304 | 16327.20200 |
| Current Channel | Yes | 2304 | 16327.20214 |
| Monthly Enterprise Channel | Yes | 2304 | 16327.20324 |
| Semi-Annual Enterprise Channel (Preview) | Yes | 2402 | 17328.20184 |
| Semi-Annual Enterprise Channel | Yes | 2402 | 17328.20452 |
Outlook for Windows (volume license & retail)¶
| Version | Supported | Version | Build (or later) |
|---|---|---|---|
| Outlook 2016 (Any version) | No | N/A | N/A |
| Outlook 2019 (Any version) | No | N/A | N/A |
| Outlook 2021 (Retail) | Yes | 2304 | 16327.20214 |
| Outlook 2021 (Volume license) | No | N/A | N/A |
| Outlook 2024 (Retail) | Yes | 2410 | 18129.20158 |
| Outlook 2024 (Volume) | Yes | 2408 | 17932.20162 |
You can check the Microsoft documentation for up to date client information.
Registry changes¶
Note
For ease of deployment, these registry changes can be configured using Group Policy. If Group Policy isn't used by your organization, users have to configure their registry manually (or with a script you provide).
Here is a .reg file script that you can use to import the needed registry keys. Make sure to replace exchange4all.local with the domain of the customer before importing the file.
Windows Registry Editor Version 5.00
; Replace 'exchange4all.local' with the customer's ADFS domain
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AAD\AuthTrustedDomains\https://exchange4all.local/]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AAD\AuthTrustedDomains\https://exchange4all.local]
; Enable Modern Auth via ADFS in Outlook on Windows
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Identity]
"EnableExchangeOnPremModernAuth"=dword:00000001
Save this content into a text file with the .reg extension (e.g., EnableModernAuth.reg) and run it to apply these changes to the Windows registry.