Link to home
Start Free TrialLog in
Avatar of K B
K BFlag for United States of America

asked on

Modern Authentication: Are users prompted for a password when their mailbox is migrated from On-Premises to Office 365?

I know that users are spared from entering a password when they are on-site and on a domain-joined computer when...

1. Their password changes
2. A new Outlook profile has been created for them (unless password has been changed and the user has not logged out and back in)

...but what about when a user is migrated to Exchange Online from On-Premises Exchange.  

I know they will be prompted with, "Microsoft Exchange administrator has made a change that requires you quit and restart Outlook" but will they have to enter a password as they did prior to Modern Authentication?

Thank you
Avatar of Cliff Galiher
Cliff Galiher
Flag of United States of America image

If you use ADFS or windows 10 and have configured device registration then no. SSO kicks in and handles this. But if you only have password sync and and on older OS then a password will be required.
Avatar of K B

ASKER

- We do use AD FS
- Primarily Windows 7, Outlook 2013/2016
- We have not implemented Conditional Access (i think this is what you mean by device registration, right?)
Avatar of K B

ASKER

sorry I am re-reading your statement.. so if we just use AD FS and not Windows 10 and not Device Registration, users should not be prompted for a password when their mailbox has just been migrated to 365?
If ADFS is configured properly, correct.
Avatar of K B

ASKER

I am simulating in my lab, my clients setup and I can only guess that the reason that is not the case for me is:

They have Exchange 2010 without OutlookAnywhere disabled (RPC/TCP connections).

Would it seem reasonable that that would be why my test migrations are being prompted for a password?

Have you seen a user with a migrated mailbox not be prompted for a password?
Avatar of K B

ASKER

EDIT:  They have Exchange 2010 with OutlookAnywhere disabled (RPC/TCP connections).

Edit: sorry really long day.. they do NOT have OutlookAnywhere.
ASKER CERTIFIED SOLUTION
Avatar of Cliff Galiher
Cliff Galiher
Flag of United States of America image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of K B

ASKER

Cliff,

That is great to hear.. Thank you for that..

I believe I followed all steps to the letter as I have implemented AD FS many times.  I have enabled Modern Auth at EXO and at the client level (Outlook 2013 registry keys). AD FS worked flawlessly prior to modern authentication...

Do you know if there is a client requirement for a minimum RPC/HTTP on the on-premises side?

Thanks again.
Not to my knowledge. The auth calls are, as I recall, the  same regardless of MAPI, RCP, RCP over HTTPS, or MAPI over HTTPS.
Avatar of K B

ASKER

It is not a scenario I've explored. As I said, it is a lot of moving parts. Almost impossible for an independent expert to test exchange 2007, 2010, 2013, 2016, with outlook 2013, 2016, with ADFS 2.0, 3.0, on windows 7, 8.0, 8.1, 10-1506, 10-1511, 10-1607...using all forms of authentication, and know how it'll all interact. Based on that article, it seems you had an answer already. So there is that.
Avatar of K B

ASKER

Actually I wrote this question after staying up 18 hours testing but had in the back in my mind that I had read that somewhere... but you know how a mind can get "muddy" with no sleep.  So, no I really didn't have my answer yet but I googled a bunch and found it as we were talking and posted it.. Hoping you saw the same thing I did in the article.. I don't actually trust the article and will test with OA turned on too.  So, I didn't mean for it to seem like I was challenging you.  Just looking for some validation.

Honestly, it was invaluable that you told me you have seen a transparent experience.  I look forward to testing in my lab. I thank you very much Cliff!
Avatar of K B

ASKER

Thank you Cliff!