Misha Hanin  

Office 365, Okta, Office 2013/2016 and Modern Authentication

Note: This blog post outlines guidance on how to allow SSO on End-Users devices operated by Microsoft Windows OS and running Microsoft Office products.

Solution Objectives

As many of you know, Modern Authentication is one of the most important components of SSO to Office 365 services when a user works in Office applications. Modern Authentication is enabled by default in Office 2016; however, making Office 2013 fully compatible with Modern Authentication requires some additional steps (we still see A LOT of companies using Office 2010 and Office 2013).

Of course, cloud identity is a very big and important topic. We see a lot of different vendors, such as Azure AD, Okta and OneLogin, providing cloud identity solutions.

Recently we were asked to help one VERY big enterprise (more than 80000 users!) with their cloud identity and SSO challenges. This organisation decided to use Okta.

So, the information included in this section summarises the recommended settings inside the Okta Admin panel and all required changes on the client side.

Business Objectives

For SSO these are the business requirements:

  • Standardise on a single supported enterprise collaboration solution
  • Easy access to information (e.g. documents) stored in Office 365 without constantly providing user credentials such as username and password

Technology Objectives

SSO includes the following technical requirements:

  1. Modern Authentication in Office 365 must be enabled for all required services.
  2. End-user devices should run Microsoft Windows (Windows 7, 8, 8.1 or 10).
  3. All users should use Office 2013 or Office 2016 desktop clients.
    Note: Microsoft does NOT support Modern Authentication for Office 2010.
  4. Windows and Office 2013/2016 should be up-to-date!
  5. The user’s UPN has to match the user’s primary email address.

Now that we are clear on the Business and Technology Objectives, let’s see what should be configured and how 🙂

Office 365 Settings

Modern authentication in Office 365 enables authentication features like multi-factor authentication (MFA) using smart cards, certificate-based authentication (CBA), and third-party SAML identity providers. Modern authentication is based on the Active Directory Authentication Library (ADAL) and OAuth 2.0.

By default, modern authentication isn’t enabled for all Office 365 products, but it’s possible to enable it.

Enable Modern Authentication in Office 365

  1. Connect to Office 365 PowerShell.
  2. Run the following command in Office 365 PowerShell:
    Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
  3. To verify that the change was successful, run the following command in Office 365 PowerShell:
    Get-OrganizationConfig | Format-Table -Auto Name,OAuth*

Okta settings and Office 365 Application Configuration

The following screenshots demonstrate the recommended settings in Okta Admin. The Office 365 Application settings are also provided:

Note: For demo purposes, the demo-highclouder.com domain was used as the primary address. All users have an email address in the following format: “user”@demo-highclouder.com. Each user’s UPN matches the primary email address.

Integration with Microsoft Active Directory

The Okta Active Directory Agent should be installed on a Windows server that is joined to the Active Directory domain. It’s recommended to install it on at least two servers.

Note: It’s strongly recommended to set Okta username format as: User Principal Name (UPN)

Authenticated Settings

Note: The FQDN of OKTAIWAWEBAPP server must be defined in Private DNS. In this example, it’s OktaIWAWebApp.demo-highclouder.com.

Note: It’s important to define the IPs for which SSO should be applied.

Office 365 Application Settings

Note: The user that is defined as the Admin Username/Password should have appropriate permissions in the Microsoft Office 365 environment! In this example, the admin username is: [email protected]

And now we are coming to one VERY important setting!

End-Users Settings (OS, IE and Office 2013)

Office 2013 Modern Authentication uses the Active Directory Authentication Library (ADAL). For Modern Authentication to function, the versions of the following components should be greater than 15.0.4625.1000:

  • C:\Program Files\Common Files\Microsoft Shared\OFFICE15\MSO.DLL
  • C:\Program Files\Common Files\Microsoft Shared\OFFICE15\Csi.dll
  • C:\Program Files\Microsoft Office\Office15\GROOVE.EXE
  • C:\Program Files\Microsoft Office\Office15\OUTLOOK.EXE

And the version of this DLL should be greater than 1.0.1933.710:

  • C:\Program Files\Common Files\Microsoft Shared\OFFICE15\ADAL.DLL

To achieve the necessary version levels, the following updates should be installed:

  • https://support.microsoft.com/en-us/kb/3085480 which takes MSO.DLL to 15.0.4753.1001
  • https://support.microsoft.com/en-us/kb/3085504 which takes CSI.DLL to 15.0.4753.1000
  • https://support.microsoft.com/en-us/kb/3085509 which takes GROOVE.EXE to 15.0.4763.1000
  • https://support.microsoft.com/en-us/kb/3085495 which takes OUTLOOK.EXE to 15.0.4753.1002
  • https://support.microsoft.com/en-us/kb/3055000 which takes ADAL.DLL to 1.0.2016.624

Enable Modern Authentication for Office 2013

To enable modern authentication on any Windows device that has Office 2013 installed, specific registry keys need to be set.

IMPORTANT: Modern authentication is already enabled for Office 2016 clients; you do not need to set registry keys for Office 2016.

On any device running Windows (for example laptops and tablets) that has Microsoft Office 2013 installed, set the following registry keys:

HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity\EnableADAL REG_DWORD 1
HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity\Version REG_DWORD 1
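
The two steps above (checking the component versions, then setting the registry values) can be combined so that ADAL is only switched on where the Office 2013 binaries are new enough. The following PowerShell is an added example, not part of the original post; it uses the paths, thresholds and registry values listed above and assumes that 32-bit Office on 64-bit Windows is installed under "Program Files (x86)" and that the script runs in the end user's session.

```powershell
# Added example (not from the original post). Thresholds, relative paths and
# registry values are the ones listed above; run as the end user (HKCU).
$officeMin = [version]'15.0.4625.1000'
$adalMin   = [version]'1.0.1933.710'
$shared    = 'Common Files\Microsoft Shared\OFFICE15'
$checks = @(
    @{ Rel = "$shared\MSO.DLL";                       Min = $officeMin },
    @{ Rel = "$shared\Csi.dll";                       Min = $officeMin },
    @{ Rel = 'Microsoft Office\Office15\GROOVE.EXE';  Min = $officeMin },
    @{ Rel = 'Microsoft Office\Office15\OUTLOOK.EXE'; Min = $officeMin },
    @{ Rel = "$shared\ADAL.DLL";                      Min = $adalMin }
)
# Assumption: 32-bit Office on 64-bit Windows sits under "Program Files (x86)".
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
         Where-Object { $_ } | Select-Object -Unique

$report = foreach ($c in $checks) {
    $path = $roots | ForEach-Object { Join-Path $_ $c.Rel } |
            Where-Object { Test-Path $_ } | Select-Object -First 1
    $ver = $null
    if ($path) {
        # Build the version from numeric parts; the FileVersion string can carry extra text.
        $vi  = (Get-Item $path).VersionInfo
        $ver = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart,
                                              $vi.FileBuildPart, $vi.FilePrivatePart)
    }
    New-Object PSObject -Property @{
        File = $c.Rel; Found = $ver; Minimum = $c.Min
        OK   = ($null -ne $ver -and $ver -gt $c.Min)   # the post says "greater than"
    }
}
$report | Select-Object File, Found, Minimum, OK | Format-Table -AutoSize

if (@($report | Where-Object { -not $_.OK }).Count -gt 0) {
    Write-Warning 'Office 2013 binaries missing or too old; install the listed updates first.'
} else {
    # All binaries are new enough: set both DWORD values for the current user.
    $key = 'HKCU:\SOFTWARE\Microsoft\Office\15.0\Common\Identity'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    foreach ($name in 'EnableADAL', 'Version') {
        New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
    }
    Get-ItemProperty -Path $key | Select-Object EnableADAL, Version
}
```

Because the values live under HKCU, deploy the script per user (for example as a logon script) rather than once per machine.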

Add URLs to Local Intranet Zone

Internet Explorer Internet Options should be configured as follows (if IE is not the default system browser, different settings must be set):

Note: Instead of http://oktaiwawebapp.demo-highclouder.com and https://highclouder.okta.com, use the URLs that are right for your organisation.

Enable Integrated Windows Authentication

Note: Please be sure that “Enable Integrated Windows Authentication” is selected!

Let’s check what we’ve configured so far :). Let’s see how it works!

If everything was configured right, when a user tries to use resources stored in Office 365 (e.g. a Word document stored in OneDrive for Business), the following pop-up window should appear:

The user will be required to provide their email address (be sure that the user’s UPN matches the primary email address) and hit the Next button.

Credentials Manager Verification

To validate that all required authentication tokens are stored in the OS, navigate to “Credential Manager” and check the entries under “Generic Credentials”. The system should show something similar to the following picture:

Enjoy! I hope you will find this information helpful :). Feel free to contact me if you need any help with this or similar topic!