Identity, authentication, and authorization in Office 2016
Summary: Describes Office 2016 authentication, sign in types, and how to use registry settings to determine which user identities are offered at user sign in.
Office applications are used for both business and nonbusiness activities. During the day, a person might use Excel to analyze Q2 widget sales numbers, breaking them down by each day. By night, the same individual could switch to crunching World Cup statistics in Excel. Similarly, they might use Word to draft product specifications during work hours and then shift to writing short stories in their leisure time. Office is a versatile tool used by individuals in different roles. To accommodate this, Office 2016 allows users to sign in with two separate identities:
A Microsoft account, which most people use for personal business
An organization ID that is assigned by Microsoft, which most people use when doing work for an organization, such as a business, charity, or school.
The credentials that are used to sign in are recognized as either personal or organizational. That sign-in identity becomes the user's "home realm" and determines which documents the user has access to on SharePoint, OneDrive, or Office 365 Services for a specific session. Each unique sign-in identity is saved in a most-recently used list so that it's easy to switch between identities without leaving the Office experience.
For more convenience, users can choose to mount an online document service to their identities for easy access. For instance, a personal OneDrive can be mounted to an organization identity so that personal documents can be accessed at work or school without ever switching identities. Also, when a user authenticates by using an identity, this authentication is valid for all Office applications, not just the application they signed in to.
The good news is that all of these features just work for users, by default, and out of the box.
Office authentication protocols
In Office, users are authenticated by using Forms-Based Authentication (FBA), Windows Integrated Authentication (WIA), or Passport Server Side Include (SSI) Authentication, also known as "Passport Tweener." In Office 2016, you can still use FBA or WIA, but instead of SSI, we now use the new open standard, token-based Open Authorization 2.0 (OAuth 2.0). See the following table for an overview of the authentication protocols that you can use with Office.
Office authentication protocols
Client Office version | Authentication protocol | Server |
---|---|---|
Office 2010, Office 2013, Office 2016 |
Forms-Based Authentication (FBA). Forms based authentication uses client-side redirection to forward unauthenticated users to an HTML form where they can enter their credentials. After the credentials are validated, users are redirected to the resources that they requested. |
SharePoint Online |
Office 2010, Office 2013, Office 2016 |
Windows Integrated Authentication (WIA). This is negotiated, as with the Kerberos protocol or NTLM. In this scenario, the operating system provides authentication. |
SharePoint 2010, SharePoint 2013, SharePoint 2016 |
Office 2010, Office 2013, Office 2016 |
SSI, or Passport Tweener, Authentication. When a user provides Windows Live ID credentials or a Microsoft account, the Windows Live ID service returns a passport "ticket" that the client uses to access Windows Live services. |
OneDrive |
Office 2013, Office 2016 |
Open Authorization 2.0 (OAuth 2.0). OAuth 2.0 provides temporary, redirection-based authorization. A user or a web application that acts on behalf of a user can request authorization to temporarily access specified network resources from a resource owner. For more information, see OAuth 2.0. |
OneDrive |
Office 2013, Office 2016 |
Microsoft Online Services Sign-in Assistant. The Microsoft Online Services Sign-In Assistant provides end-user sign-in capabilities to Microsoft Online Services, such as Office 365. For more information about Microsoft Online Services Sign-in Assistant and the IT pro, see Microsoft Online Services Sign-In Assistant for IT Professionals RTW. The download is for distribution to managed client systems as part of an Office 365 client deployment, using Microsoft Configuration Manager or similar software distribution systems. |
Office 365 Services |
Sign in types in Office 2016
Office 2016 supports two types of sign-ins for users: a Microsoft account or an organization ID assigned by Microsoft.
Microsoft account (the user's individual account). This account, previously called Microsoft ID, is the credential users need to authenticate with the Microsoft network. It's used for personal or nonbusiness tasks, like volunteer work. To create a Microsoft account, a user provides a user name and password, certain demographic information, and "account proofs," such as an alternative email address or phone number.
An organization ID that is assigned by Microsoft / Office 365 account ID that is assigned by Microsoft. This account is created for business use. An Office 365 account can be one of three types: a pure Office 365 ID, an Active Directory ID, or an Active Directory Federation Services ID.
Office 365 ID. The Office 365 ID is created when an admin sets up an Office 365 domain and takes the form <user>@<org>.onmicrosoft.com, for example:
An Organization ID assigned by Microsoft that is validated against a user's Active Directory ID.
First, a person who has an [on-premises domain]\<user> account attempts to access organization resources.
Next, the resource requests authentication from the user.
Then, the user types in their organization user name and password.
Finally, that user name and password are validated against the organization AD database, the user is authenticated, and is given access to the requested resource.
- An organization ID assigned by Microsoft and validated against a user's Active Directory Federation Services (AD FS) ID.
First, one person who has an org.onmicrosoft.com attempts to access partner organization resources.
Then, the resource requests authentication from the user.
Next, the user types in their organization user name and password.
Then, that user name and password are validated against the organization AD DS database.
Finally, that same user name and password are passed to the partner's federated AD DS database, the user is authenticated, and is given access to the requested resource.
For on-premises resources, Office 2016 uses the domain\alias user name for authentication. For federated resources, Office 2016 uses the [email protected] user name for authentication.
Use registry settings to determine which ID types to offer a user at sign in
By default, Office 2016 is configured with registry keys. These keys display the user's Microsoft account ID and the organization ID assigned by Microsoft when a user tries to access an Office 2016 resource. But, you can change this setting so that only the Microsoft account is displayed, or their organization ID, or neither. This setting is changed in the computer registry.
To change the Office 2016 logon types offered to the user
From Registry Editor, browse to:
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\SignIn\SignInOptions
Set the value of SignInOptions to one of the values in the following table. The type for the SignInOptions setting is DWORD.
SignInOptions settings
If you set SignInOptions to this… | This is what it means | This is the effect on users |
---|---|---|
0 |
Microsoft account or organization ID |
Users can sign in to access Office content with their Microsoft account or an account assigned by their organization. |
1 |
Microsoft account only |
Users can sign in only by using their Microsoft account. |
2 |
Organization only |
Users must sign in with the user ID assigned by their organization. They can use either a user ID in Microsoft Entra ID or a user ID in Active Directory Domain Services (AD DS) on Windows Server. |
3 |
AD DS only |
Users can sign in only by using a user ID in Active Directory Domain Services (AD DS) on Windows Server. |
4 |
None allowed |
Users can't sign in with any ID. |
If you disable, or don't configure, the Block sign-in to Office setting, the default setting is 0, which means that users can sign in by using their Microsoft account or one that is assigned by your organization.
Use a registry setting to prevent a user from connecting to Office 2016 resources on the Internet
By default, Office 2016 gives users access to Office 2016 files that reside on the Internet. You can change this setting so that a user can't see those resources.
To allow or prevent a user from connecting to Office 2016 Internet resources
From Registry Editor, browse to:
Computer\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Internet\UseOnlineContent
Set UseOnlineContent to one of the following values:
Office 2016 UseOnlineContent values
UseOnlineContent value | Value type | Description |
---|---|---|
0 |
DWORD |
Do not allow user to access Office 2016 resources on the Internet. |
1 |
DWORD |
Allow user to opt in to access of Office 2016 resources on the Internet. |
2 |
DWORD |
(Default) Allows the user to access Office 2016 resources on the Internet. |
Delete the Office Profile, and credentials, associated with a removed sign in identity
When a user logs into an Office app using either their Microsoft account ID or their organization ID, the system creates a matching Office profile and credentials for that identity in the registry. The sign-in page provides the user with the option to remove that identity. This option is located just under the 'Not your name?' question, near the user's avatar or photo and name. If users decide to remove one of their identity options, it's removed from the sign-in page. However, the corresponding Office profile and credentials remain in the cache for a short time. If keeping information in the cache creates a security risk, for example, when a user leaves your organization, immediately delete that Office profile setting from the registry.
To delete an Office profile that may still be cached
From Registry Editor, browse to:
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity\Identities
Choose the Office profile that you want to delete, and then choose Delete.
From the Identity hive, navigate to the Profiles node, choose that same identity, open the shortcut menu (right-click), and then choose Delete.