Phase out Legacy Authentication - Enable Modern Authentication

Blog series

This is part two of the six-part series on “Phase out Legacy Authentication”.

  1. Preface
  2. Enable Modern Authentication
  3. Create prerequisites
  4. Gain insights
  5. The first 90%
  6. The next 9%
  7. Endgame

Enable Modern Authentication

This step may seem strange, but in old tenants (created before 01.08.2017) Modern Authentication for Exchange Online and Skype for Business Online is not necessarily enabled.

Exchange Online

For Exchange Online, the Exchange Online PowerShell V2 module must be installed to enable Modern Authentication.

Install-Module -Name ExchangeOnlineManagement -Scope CurrentUser

Check current configuration

Get-OrganizationConfig | Select OAuth2ClientProfileEnabled

If the value for OAuth2ClientProfileEnabled is not True, Modern Auth still needs to be enabled.

Enable modern auth

Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
# Check if change was made
Get-OrganizationConfig | Select OAuth2ClientProfileEnabled


Skype for Business Online


Microsoft has removed the Get-CsOAuthConfiguration cmdlet from the Microsoft Teams module. The latest version containing the cmdlet is 4.5.0.

Sadly it is not enough to just use the old version of the module. It will result in the following error message:

Get-CsOAuthConfiguration: This cmdlet is no longer supported, please consult public documentation

Since Skype for Business Online was retired on 31 July 2021 this should not be a problem.

Thanks to @renedelamotte for bringing this to my attention.

Even if Skype is not used in the environment and only Teams is used, Modern Authentication should also be enabled. Teams Room systems otherwise use legacy authentication by default, which makes subsequent analysis more difficult.

In the latest version of the Microsoft Teams PowerShell module, the configuration of Skype for Business Online is also possible. The separate installation of the Skype for Business Online Connector is therefore no longer necessary.

Install-Module -Name MicrosoftTeams -Scope CurrentUser -RequiredVersion 4.5.0

Check current configuration

Import-Module -Name MicrosoftTeams -RequiredVersion 4.5.0
Get-CsOAuthConfiguration | Select-Object ClientAdalAuthOverride

If the value for ClientAdalAuthOverride is not Allowed, Modern Auth must be enabled.

Enable modern auth

Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed
# Check if change was made
Get-CsOAuthConfiguration | Select-Object ClientAdalAuthOverride


Next step

Now that clients can actually use Modern Authentication, it is important to set the stage to disable Legacy Authentication.