Differences between basic and modern authentication with SSO on Outlook and O365


On the project where I'm working (staged migration to O365), the customer asked me about secure authentication for ActiveSync devices (iPhone/iPad) and computers (Outlook 2010 SP2). I have implemented ADFS 3.0.

If you use Office 2010, the first time you configure Outlook it prompts for credentials and saves them in the Windows Credential Manager. Afterwards, Outlook authenticates to Office 365 using Basic Authentication, and it is Office 365 that then goes to ADFS.


With Outlook 2013/2016, Outlook uses Windows Authentication. It's a real SSO because it doesn't save your user credentials anywhere, and it is Outlook that goes to ADFS, not O365. It is using Modern Authentication.


Summarizing: use Outlook 2013 or 2016 to have a real Single Sign-On.

Note 1: Outlook 2013 uses Basic Auth by default; you need to activate Modern Auth.

Note 2: The iOS built-in email client uses Basic Auth. Install and use the Outlook 2016 App.


Configure Outlook Anywhere with GPO for Outlook 2003


Unfortunately, the Outlook 2003 ADM does not let you configure Outlook Anywhere settings, so I did it with the old-school procedure:

Open GPMC and create a new GPO, go to GPP and run the wizard, find a desktop computer with Outlook correctly configured, and import the following entries from HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a:

"00036623" = Enable Exchange Proxy settings and control various check boxes.
"001f6622" = For specifying Exchange proxy server name
"001f6625" = For specifying Exchange proxy server name according to principal cert name.
"00036627" = For Authentication: Basic or NTLM

Keep in mind that users may have several Outlook profiles. In that case you need to add the same entries again, changing the registry path HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a by replacing the subfolder Outlook with the name of the other profile.

Also, you can configure targeting on every configuration path so that it only applies to users who have an existing profile.

Ah, this GPO is only for users!

Regards and best practices!
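
To check on a workstation what the GPO actually delivered, this added example (not part of the original post) lists the four values named above for every Outlook profile of the logged-on user, so profiles still set to Basic stand out. It assumes the 0003... values are little-endian 32-bit numbers, that 1 means Basic and 2 means NTLM in 00036627, and that the 001f... values are UTF-16 strings; the function names are hypothetical.

```powershell
# Added example: read-only audit of the Outlook Anywhere values, one row per profile.
# Run as the user, because the profiles live under HKEY_CURRENT_USER.
$profilesRoot = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles'
$section      = '13dbb0c8aa05101a9bb000aa002fc45a'

# Assumption: 00036627 = 1 for Basic, 2 for NTLM.
$authNames = @{ 1 = 'Basic'; 2 = 'NTLM' }

function ConvertTo-UInt32 ($value) {
    # Values are usually REG_BINARY; accept REG_DWORD as well.
    if ($null -eq $value) { return $null }
    if ($value -is [byte[]]) {
        if ($value.Length -lt 4) { return $null }
        return [BitConverter]::ToUInt32($value, 0)
    }
    return [uint32]$value
}

function ConvertTo-Text ($value) {
    # Assumption: string values are stored as UTF-16LE bytes with a trailing NUL.
    if ($null -eq $value) { return $null }
    if ($value -is [byte[]]) {
        return [Text.Encoding]::Unicode.GetString($value).TrimEnd([char]0)
    }
    return [string]$value
}

Get-ChildItem -Path $profilesRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $key = Join-Path $_.PSPath $section
    if (-not (Test-Path $key)) { return }          # profile without this section
    $p    = Get-ItemProperty -Path $key
    $auth = ConvertTo-UInt32 ($p.'00036627')
    if ($null -eq $auth)                        { $authText = 'not set' }
    elseif ($authNames.ContainsKey([int]$auth)) { $authText = $authNames[[int]$auth] }
    else                                        { $authText = "unknown ($auth)" }
    [pscustomobject]@{
        Profile       = $_.PSChildName
        ProxyFlags    = ConvertTo-UInt32 ($p.'00036623')
        ProxyServer   = ConvertTo-Text   ($p.'001f6622')
        CertPrincipal = ConvertTo-Text   ($p.'001f6625')
        Auth          = $authText
    }
} | Format-Table -AutoSize
```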