The conditional access flow of the other Office apps

Microsoft_WordThis week something similar to last week, this week I’ll be looking at the conditional access flow of the other Office apps. By that I basically mean every Microsoft app, connecting to Office 365, using modern authentication, except for the Outlook app for iOS and Android. Like last week I’ll be looking at a high-level from a component perspective. It will be like a what-happens-when-and-where flow. The biggest difference with the Outlook app for iOS and Android is that the other Office apps don’t use the Outlook Cloud Service and instead go directly, with their access token, to Office 365.

Before I’ll start with the what-happens-when-and-where flow, I think it’s important to again first provide a bit of information about Active Directory Authentication Library (ADAL)-based authentication and the Open Authentication (OAuth) protocol in combination with Office 365. These components make the what-happens-when-and-where flow. During this post I’ll use the Word app as an example for the other Office apps.

ADAL-based authentication

The Word app uses ADAL-based authentication to access Office 365. ADAL-based authentication enables the Word app to use browser-based authentication with Office 365 and facilitates a sign-in with Azure AD. This allows the end-user to sign in directly to the Office 365 identity provider, which can be Azure AD, or a federated identity provider like AD FS, instead of providing credentials directly to the Word app.

OAuth for Office 365

The ADAL-based sign-in enables OAuth for Office 365 accounts. By enabling OAuth it provides the Word app with a secure mechanism to access email without requiring access to end-user credentials. At sign-in, the end-user authenticates directly with the Office 365 identity provider, which can be Azure AD, or a federated identity provider like AD FS, and receives an access token in return. That token grants the Word app access to the appropriate content in Office 365.

Conditional access flow

Now let’s have a look at how everything fits together in the what-happens-when-and-where flow for conditional access of the Word app.


1. Authenticate user and device – The Word app uses ADAL-based authentication to authenticate the end-user with Azure AD.
A. Not compliant/ registered – When the device of the end-user is not compliant, or not registered, the end-user will receive a message to enroll the device including a link to the Company Portal app.
B. Register device | Enroll device – When the end-user performs the required activities, the device will be registered in Azure AD and the device will be enrolled in Microsoft Intune.
C. Set device management/ compliance status – After the device is enrolled it has to be evaluated by Microsoft Intune to see if it’s compliant with the company policies. When the device is considered compliant, the required properties in Azure AD will be set (DeviceId, isManaged and MDMStatus).
2. Issue access token – When the device is registered and compliant, the Word app gets the access token and the refresh token that are required for accessing the Office 365.
3. Access with AAD token – The Word app provides the access token to Office 365.
4. Access to content provided – Based on the access token Office 365 will provide the end-user with access to the company content in the Word app.

More information

For more information about the Office apps, conditional access and SharePoint Online, please refer to the following links:

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.