Modern Authentication Part 2

This part walks through how modern authentication works when a user connects an Outlook client, with modern authentication enabled, to their mailbox in Exchange Online.

  • The Outlook user tries to connect to a service, which is Exchange Online [EXO].
  • EXO answers 401 and tells me to go and get credentials from Azure AD [the 401 carries a WWW-Authenticate: Bearer challenge that names the Azure AD authorization URI].
  • I enter my UPN, and Azure AD says "Hey, you are federated, go to the Aramex STS" [302: go to the on-premises STS].
  • Now I go to my AD FS server, authenticate there, and get a SAML token, which I then send to Azure AD.
  • Azure AD then gives me:
    • a Refresh Token [I cache this token in Windows Credential Manager]
    • an Access Token (Bearer) [I send this access token to Exchange Online with every request]
  • Exchange Online validates my access token and lets me in.


User gets Access Token and Refresh Token from Azure AD

Full connectivity in modern authentication

If we use Fiddler to see what is happening, we can see that the Authorization header is now Bearer, and if you open Outlook Connection Status you will see that the Authn column now shows Bearer* instead of Clear*.

When do I need to re-authenticate?

Since EXO authenticates me using my access token (not the refresh token), and that access token is short-lived (about an hour), I need a new access token as soon as the old one expires.

Instead of repeating the whole workflow above, and because I still hold a valid refresh token that has not expired, Outlook uses that refresh token to authenticate to Azure AD and obtain a new access token, without going back to my AD FS server [STS] and authenticating there again. Only if the refresh token itself is expired or missing does the full flow, including AD FS, run again.

  • Outlook contacts EXO and presents the expired access token.
  • EXO answers 401 (access token invalid) and asks for a new access token.
  • Outlook checks whether the machine has a valid refresh token.
  • If one is found, Outlook sends that refresh token to Azure AD, authenticates with it, and receives a new valid access token that it can send to EXO.
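The two flows above (the first-time sign-in through AD FS, and the later refresh that skips AD FS) as one runnable simulation. This is an added example, not code from the original post or from Microsoft: AD FS, Azure AD and Exchange Online are stand-in classes, the tokens are HMAC-tagged JSON rather than real JWTs, the refresh token lifetime, the credential, the UPN, the issuer name and the client_id in the challenge are constructed placeholders, and nothing on the network is contacted. The one piece modelled on real traffic is the shape of the `WWW-Authenticate: Bearer ...` challenge that EXO returns on the 401, which is what you see in Fiddler.

```python
import base64
import hashlib
import hmac
import json
import re

SECRET = b"constructed-azure-ad-signing-key"  # stand-in for Azure AD's token signing key (assumption)
ACCESS_TTL = 3600           # access token lifetime: one hour, as in the post
REFRESH_TTL = 14 * 86400    # refresh token lifetime used by this simulation (assumption)


def _sign(payload):
    """Mint a token: base64url(JSON payload) + HMAC tag. Not a real JWT, but enough to detect tampering."""
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    tag = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag


def _verify(token, now, kind):
    """Return the payload if the tag, the token type and the expiry all check out, else None."""
    body, _, tag = token.partition(".")
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    payload = json.loads(base64.urlsafe_b64decode(body))
    if payload.get("typ") != kind or payload["exp"] <= now:
        return None
    return payload


class AdfsStub:
    """On-premises STS: trades user credentials for a SAML token (constructed)."""
    def __init__(self):
        self.interactive_logons = 0  # how often the user had to go back to AD FS

    def authenticate(self, upn, password):
        self.interactive_logons += 1
        if password != "correct horse":  # constructed credential
            raise PermissionError("AD FS rejected the credentials")
        return "<saml:Assertion NameID='%s' Issuer='sts.example.test'/>" % upn


class AzureAdStub:
    """Token service: SAML token -> access + refresh token; refresh token -> new access token."""
    AUD = "https://outlook.office365.com"

    def issue_from_saml(self, saml, now):
        upn = re.search(r"NameID='([^']+)'", saml).group(1)
        access = _sign({"typ": "access", "upn": upn, "aud": self.AUD, "exp": now + ACCESS_TTL})
        refresh = _sign({"typ": "refresh", "upn": upn, "exp": now + REFRESH_TTL})
        return access, refresh

    def refresh(self, refresh_token, now):
        payload = _verify(refresh_token, now, "refresh")
        if payload is None:
            return None  # expired or forged refresh token: the client must go back to AD FS
        # Real Azure AD also returns a rotated refresh token here; omitted to keep the flow as described.
        return _sign({"typ": "access", "upn": payload["upn"], "aud": self.AUD, "exp": now + ACCESS_TTL})


class ExoStub:
    """Exchange Online: accepts a valid bearer access token, otherwise answers 401 with a Bearer challenge."""
    # Shape modelled on EXO's real challenge; the client_id value here is a constructed placeholder.
    CHALLENGE = ('Bearer client_id="00000000-0000-0000-0000-000000000000", '
                 'authorization_uri="https://login.windows.net/common/oauth2/authorize"')

    def request(self, headers, now):
        auth = headers.get("Authorization", "")
        if auth.startswith("Bearer ") and _verify(auth[len("Bearer "):], now, "access"):
            return 200, {}
        return 401, {"WWW-Authenticate": self.CHALLENGE}


def parse_bearer_challenge(header):
    """Turn 'Bearer k="v", k2="v2"' (what Fiddler shows on the 401) into a dict."""
    if not header.startswith("Bearer "):
        raise ValueError("not a Bearer challenge: " + header)
    return dict(re.findall(r'(\w+)="([^"]*)"', header))


class OutlookClient:
    """Client side of both flows. connect() returns which path was taken: cached, refresh or full."""
    def __init__(self, adfs, aad, exo, upn, password):
        self.adfs, self.aad, self.exo = adfs, aad, exo
        self.upn, self.password = upn, password
        self.cache = {}  # stands in for Windows Credential Manager

    def _auth_header(self):
        return {"Authorization": "Bearer " + self.cache["access"]} if "access" in self.cache else {}

    def _refresh(self, now):
        refresh_token = self.cache.get("refresh")
        new_access = self.aad.refresh(refresh_token, now) if refresh_token else None
        if new_access is None:
            return None
        self.cache["access"] = new_access
        return "refresh"

    def _full_logon(self, now):
        saml = self.adfs.authenticate(self.upn, self.password)
        self.cache["access"], self.cache["refresh"] = self.aad.issue_from_saml(saml, now)
        return "full"

    def connect(self, now):
        status, hdrs = self.exo.request(self._auth_header(), now)
        if status == 200:
            return "cached"  # access token still valid: no token traffic at all
        challenge = parse_bearer_challenge(hdrs["WWW-Authenticate"])
        if not challenge["authorization_uri"].startswith("https://"):
            raise RuntimeError("refusing to follow a non-HTTPS authorization_uri")
        path = self._refresh(now) or self._full_logon(now)  # refresh token first, AD FS only if needed
        status, _ = self.exo.request(self._auth_header(), now)
        if status != 200:
            raise RuntimeError("EXO still rejects the new access token")
        return path
```

Drive it with a fake clock: the first `connect()` goes through AD FS, a call ten minutes later uses the cached access token, a call after the hour takes the refresh path without touching AD FS, and a call after the refresh token has aged out goes back to AD FS. Two details worth keeping in a real client are visible in the stub: the `typ` check in `_verify` means a cached refresh token presented as a bearer token is rejected by EXO, and the client refuses to follow an `authorization_uri` from the 401 challenge unless it is HTTPS, since that URI is where credentials will be sent.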

Troubleshoot Modern Authentication

  • First of all, make sure you are using Office 2016.
  • Make sure you have the latest patches installed.
  • Use Fiddler to inspect the traffic [advanced troubleshooting]; look for the 401 with a Bearer challenge and the Authorization: Bearer header on the retry.
  • Use the Office Configuration Analyzer Tool: http://aka.ms/offcat.

Bonus Tool:
