Saturday, November 15, 2014

Office 365 ProPlus Adding Passive Authentication

There has been a change I have been waiting on. On the Office 365 Public roadmap it is called “Office 2013 client update to support passive authentication using SAML” - http://office.microsoft.com/en-us/products/office-365-roadmap-FX104343353.aspx.

What is this announcement?

Office 365 ProPlus / Office 2013 will be getting a modification to support 2FA authentication scenarios. This is enabled through the Active Directory Authentication Library (ADAL).

Why is it so important?

There are many customers who require 2FA to authenticate to the Office 365 service. For Office, the Outlook rich client typically comes up a lot because customers want to ensure that users using Outlook use 2FA to receive email. With Outlook today there are scenarios that organizations can implement to ensure there is 2FA with Outlook; however, the better long-term solution is to have Office modified to support 2FA directly.

Specifically, Office 2013 is changing so that it can support “passive authentication” scenarios in the same way a browser does.

This will enable a cleaner solution with Office 365 MFA. More importantly, it allows for additional support scenarios for organizations who use smart cards (PIV, CAC, etc.) to authenticate to the Office 365 service using the Office 2013 rich client.

What are some facts you should know?

Private Preview Release – Office 365 customers who are in the private preview program can have access to this.

ADAL Authentication – As I mentioned earlier, Office 2013 will be adopting passive authentication in the same way a browser authenticates. If you have AD FS implemented with Office 365, the user will authenticate through that federated trust relationship with Office 365. If your organization requires a second form factor (2FA) for authentication, the user will be required to provide it. A nice side effect of this is Outlook no longer needs to have direct access to the user’s password. Please read this blog for more details on the authentication process - http://office.microsoft.com/en-us/products/office-365-roadmap-FX104343353.aspx.

What Clients are impacted? - Word 2013, Excel 2013, PowerPoint 2013, Lync 2013, Outlook 2013, Publisher 2013, Visio 2013, Access 2013, Project 2013 and OneDrive for Business Sync Client.

Will this work with AD FS Only? – Please review information about other STS providers: http://blogs.office.com/2014/01/30/the-works-with-office-365-identity-program-now-streamlined/ and http://technet.microsoft.com/en-us/library/jj679342.aspx

Office 2010 Support? – No. This solution is for Office 2013 and Office 365 ProPlus.

References

New Announcement – Office 2013 update for SAML and 2FA Auth - http://blogs.office.com/2014/11/12/office-2013-updated-authentication-enabling-multi-factor-authentication-saml-identity-providers/

Original Announcement - http://blogs.office.com/2014/02/10/multi-factor-authentication-for-office-365/

SAML 2.0 Announcement - http://blogs.office.com/2014/03/06/announcing-support-for-saml-2-0-federation-with-office-365/

Outlook Connectivity with MAPI over HTTP Announcement - http://blogs.technet.com/b/exchange/archive/2014/05/09/outlook-connectivity-with-mapi-over-http.aspx
