The Outlook app now uses Active Directory Authentication Library (ADAL)-based authentication for Exchange Online mailboxes in Office 365, replacing the previously used basic authentication method. The ADAL-based authentication stack enables Outlook to engage in browser-based authentication with Office 365.
The update, which will be rolling out over the next few days, adds a new Office 365 sign-in tile to the app, which lets a user access the Exchange Online email associated with their Office 365 account.
Screenshot of the new login experience:
With the ADAL based authentication method used by Office apps on both desktop and mobile, users sign in directly to Office 365’s identity provider (Azure Active Directory) to authenticate, rather than providing credentials to Outlook.
Logging in through the new Office 365 tile will allow users to authenticate through Office 365’s identity provider directly, rather than storing their log-in credentials in the Outlook app. Once someone has logged in using that system, Office 365 will pass the app a token that it can use to access the email account going forward without access to a user’s password.
Using this login system, powered by Microsoft’s Active Directory Authentication Library, provides users and IT administrators with a number of security benefits, including full support for multi-factor authentication when they sign in. The Outlook application will also never save a user’s Office 365 password, because the login process is handled directly by the service’s identity provider. Users and administrators can also revoke the token the app has been given in the event a device is lost or stolen, which will prevent unauthorized access to the data without requiring a password change.
Office 365 users who already use the app through its Exchange sign-in option will be prompted over the coming days to change to the new Office 365 method, so they can reap the added security benefits.
The security upgrade sets the stage for future updates that will provide enterprise IT administrators with greater control over how people can use data from their company email accounts. Later this year, Microsoft will roll out an update providing added security features like the ability to restrict users’ ability to copy and paste text from their email.
Source: Blogpost from Microsoft