I have spent the last few weeks testing and trying the various setups with Azure MFA when using modern authentication using Office 2016 ProPlus and thought I would share my experiences.
In general the process is pretty slick and seamless to the end user the main areas of concern is the lack of public information on the matter. There are various discussion articles which are all linked below. However it should be made clear that although Office 2013 and 2016 can support modern authentication Office 365 is NOT fully supported and is still currently in a public preview.
The workloads supported are SharePoint Online, the Office 365 tenant, Intune, Azure AD, Exchange Online (limited support – Also note ActiveSync will still require App Passwords if Azure MFA is enforced). Most mobile applications Outlook/OneDrive/Outlook Groups/RMS Sharing/Intune Company Portal do support MFA however I have found the Delve application currently doesn’t
Unsupported Workloads – Skype for Business Online – However the Skype for Business client does support Modern Authentication, however when using Lync/SfB On premise the client struggles to establish connection as authentication fails to Exchange Online to pull information. However if you want to use SfB Online then you can continue with App Passwords if this is a required workload.
Although you can request via this page to turn on your tenant for Modern Authentication the PowerShell command is actually enabled for admins already which is:
set-organizationconfig -oauth2clientprofileEnabled $true to turn this off run the command again with $false
Now leaving this on does not affect client authentication if you are NOT enforcing Azure MFA this will only come into play when Azure MFA is turned on!
Now to the client Office 2013/16 supports modern authentication, however when using 2013 you need to add the registry key that is detailed here – https://support.office.com/en-gb/article/Enable-Modern-Authentication-for-Office-2013-on-Windows-devices-7dc1c01a-090f-4971-9677-f1b192d6c910?ui=en-US&rs=en-GB&ad=GB for Office 2016 you do not need the registry key although if you do put it on the machine it won’t harm the client
To setup Azure MFA the following article discusses how to do this for the users – https://support.office.com/en-US/article/Set-up-multi-factor-authentication-for-Office-365-8f0454b2-f51a-4d9c-bcde-2c48e41621c6
The last item to bear in mind is ADFS Client Access policies you must be running at least ADFS 3.0 however not all policies are supported as discussed here – http://social.technet.microsoft.com/wiki/contents/articles/30253.office-2013-and-office-365-proplus-modern-authentication-and-client-access-filtering-policies-things-to-know-before-onboarding.aspx and you should also ensure you have configured ADFS with the additional rule as discussed here – https://azure.microsoft.com/en-gb/documentation/articles/multi-factor-authentication-get-started-adfs-cloud/
Now the main rule that doesn’t work is “Block all External Access to O365 expect Browser Based apps”, currently this also doesn’t work and if you want to block client access you will need to do this via conditional access policies in Intune or Azure AD – https://azure.microsoft.com/en-us/documentation/articles/active-directory-conditional-access-on-premises-setup/?rnd=1 However it should be noted you need to be running your schema level to at least 2012 R2 within your forest and their are a multitude of gotchas described in the article.
So overall this should hopefully give you some further food for thought and clarity on Modern Authentication using Azure MFA!