Before we look at how Outlook authentication works, we need to understand what Basic Authentication clients and Modern Authentication clients are.
Basic Authentication Clients: Clients or applications that are not browser-based and that access Office 365 services are Basic Authentication clients. Outlook 2013 is a Basic Authentication client by default, and a few other clients, such as EWS clients and EAS (Exchange ActiveSync) clients, are Basic Authentication clients as well.
Modern Authentication Clients (OAuth): Modern Authentication uses Active Directory Authentication Library (ADAL) based sign-in for Office clients. ADAL based sign-in supports features like MFA, certificate based authentication and smart card authentication. Outlook 2016 is a Modern Authentication Office client by default, whereas Outlook 2013 requires an Office update and registry changes to act as a Modern Authentication client.
Unlike other authentication methods, OAuth provides two tokens (an access token and a refresh token) to the client when it successfully authenticates against Azure Active Directory. The access token is a JSON Web Token (JWT) valid for 1 hour; the refresh token is valid for 14 days, and if it is used continuously it remains valid for up to 90 days.
Now we will see how authentication works for both a Basic Authentication client and a Modern Authentication client.
- Basic Authentication
The diagram below explains authentication for a basic authentication client; let us take an Outlook 2013 client or an EWS / Exchange ActiveSync client that tries to access an Office 365 mailbox.
- The Outlook client does an Autodiscover lookup, learns that it has to connect to outlook.office365.com to reach the Office 365 mailbox, and initiates the connection to Exchange Online by sending the basic authentication credentials over SSL.
- Exchange Online sends the credentials to Azure AD using proxy authentication.
- Azure AD returns to Exchange Online the endpoint configured for this type of request, which is sts.superhybridcloud.com.
- Exchange Online goes to sts.superhybridcloud.com, which is the ADFS Proxy or WAP server in the DMZ.
- The ADFS Proxy or WAP server proxies the Exchange Online request to the ADFS servers.
- Active Directory authenticates the request from ADFS.
- Active Directory sends a logon token along with the user's information as claims.
- The ADFS server sends the token with the claim information to Exchange Online.
- Exchange Online sends the details to Azure AD.
- Azure AD returns it to Exchange Online in a state where it can be used to authenticate the client, and the client is connected.
- Modern Authentication
Microsoft is working on updating all clients to work like Modern Authentication clients, which use OAuth. OAuth uses access and refresh tokens to allow access to Office 365 workloads through Azure Active Directory. We will see how it works when Outlook 2016 is used to access an Exchange Online mailbox.
- Outlook does an Autodiscover lookup and finds the Exchange Online URL, outlook.office365.com. Outlook then tries to connect to outlook.office365.com.
- Exchange Online redirects the Outlook client to the authentication endpoint in Azure AD (login.microsoftonline.com). The Outlook client uses the ADAL browser control to reach Azure AD.
- The Azure AD authentication endpoint detects that the UPN domain is federated and redirects to the internal ADFS endpoint.
- ADFS requires the Outlook client to authenticate.
- Once authentication is complete, AD sends the user's claim information to ADFS.
- The ADFS server gets the user-related information as claims and sends a SAML token with claims about the user to the Outlook client.
- The Outlook client presents that token to Azure AD and, after successful authentication, is provided with the access and refresh tokens.
- The Outlook client sends the access token to Exchange Online on behalf of the user, and the user is connected to Exchange Online.
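As an added example (not part of the original post) contrasting the two flows above: what a Basic Authentication client actually hands to Exchange Online in step one, versus what a Modern Authentication client hands it in the last step. The UPN, password, audience and signing key are constructed sample values, and the JWT is HS256-signed with a demo key only so that it is well-formed; real Azure AD access tokens are RS256-signed by Azure AD.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values, not a real account or key.
DEMO_UPN = "user@superhybridcloud.com"
DEMO_PASSWORD = "Pa55w0rd!"
DEMO_SIGNING_KEY = b"demo-only-hmac-key"

def basic_auth_header(upn, password):
    """Header a Basic Authentication client (Outlook 2013, EWS, EAS) sends.
    TLS protects it in transit, but Exchange Online, which terminates TLS
    and proxies the logon onward, receives the password itself."""
    raw = f"{upn}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def credentials_from_basic_header(header):
    """Any hop that can read the header recovers the clear-text password."""
    scheme, _, blob = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(blob).decode("utf-8").partition(":")
    return user, password

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def demo_access_token(upn, issued_at, key=DEMO_SIGNING_KEY):
    """Constructed JWT shaped like an Azure AD access token; the Modern
    Authentication client presents this, not the password, to Exchange Online.
    Real tokens are RS256-signed by Azure AD; HS256 with a demo key just
    makes this sample well-formed."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"aud": "https://outlook.office365.com", "upn": upn,
              "iat": issued_at, "exp": issued_at + 3600}  # valid for 1 hour
    signing_input = (b64url(json.dumps(header).encode()) + "."
                     + b64url(json.dumps(claims).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def decode_claims(token):
    """Decode the claims segment for inspection only; the resource server
    must verify the signature before trusting any claim."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def seconds_until_expiry(token, now):
    return decode_claims(token)["exp"] - now
```

The Basic header round-trips to the original password at every hop, while the token carries only time-bounded claims, which is why the refresh token exists to replace it after the hour is up.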