Microsoft Outlook uses authentication libraries to connect to Microsoft 365 services. The older Azure Active Directory Authentication Library, called ADAL, is being replaced by the Microsoft Authentication Library, called MSAL. ADAL will stop working with Exchange Online in 2025. This article explains the difference between ADAL and MSAL, why MSAL is the required authentication path, and how to force Outlook to use MSAL instead of ADAL on Windows 10 and Windows 11.
Key Takeaways: Forcing MSAL in Outlook
- Registry key HKEY_CURRENT_USER\Software\Microsoft\Exchange\AlwaysUseMSOAuthForAutoDiscover: Set this DWORD value to 1 to force Outlook to use MSAL-based Modern Authentication instead of ADAL.
- Registry value ADALDisable under HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity: Set this DWORD to 0 to ensure ADAL is enabled before the MSAL switch takes effect.
- Outlook version 2304 or newer: Only these builds support the MSAL path. Older Outlook versions ignore the registry override and fall back to ADAL.
Why Microsoft Replaced ADAL with MSAL
ADAL was the first authentication library for Azure Active Directory, introduced with Office 2013. It handled token requests for Exchange Online, SharePoint Online, and Skype for Business. ADAL works only with Azure Active Directory v1.0 endpoints, which do not support modern security features like conditional access, continuous access evaluation, and passwordless authentication.
MSAL uses the Microsoft identity platform v2.0 endpoint. This endpoint supports personal Microsoft accounts, work and school accounts, and Azure AD B2C. MSAL also supports device code flow, broker authentication on mobile, and token cache improvements that reduce repeated login prompts. Microsoft announced in 2022 that Exchange Online will block ADAL-based requests starting in 2025. Outlook must use MSAL to authenticate after that date.
ADAL vs MSAL: Key Technical Differences
ADAL uses the Azure AD v1.0 endpoint. This endpoint only accepts work and school accounts. It does not support the Microsoft Graph API directly. MSAL uses the v2.0 endpoint, which accepts both work and personal accounts and supports the Microsoft Graph API. MSAL also handles token refresh more efficiently by using a distributed token cache that works across Outlook, Teams, and other Office apps.
ADAL sends the username as a hint during login. MSAL sends the username as a login hint and supports the login_hint parameter for silent authentication. MSAL also supports the claims parameter, which allows conditional access policies to request specific claims from the user, such as multi-factor authentication or device compliance.
Steps to Force Outlook to Use MSAL Instead of ADAL
Before forcing MSAL, confirm that your Outlook version is 2304 or newer. Open Outlook, go to File > Office Account > About Outlook. The build number appears in the dialog. If the build is below 2304, update Outlook through File > Office Account > Update Options > Update Now.
The following steps modify the Windows Registry to force Outlook to use MSAL authentication. Back up the registry before making changes.
- Open Registry Editor as Administrator
Press Windows key + R, typeregedit, and press Enter. Click Yes in the User Account Control prompt. - Navigate to the Identity Key
Go toHKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity. If the Identity key does not exist, right-click the Common key, select New > Key, and name it Identity. - Enable ADAL First (Required for MSAL Fallback)
Right-click the Identity key, select New > DWORD (32-bit) Value, and name itADALDisable. Set the value to0. This ensures ADAL is enabled as a fallback if MSAL fails. - Navigate to the Exchange Key
Go toHKEY_CURRENT_USER\Software\Microsoft\Exchange. If the Exchange key does not exist, right-click the Microsoft key, select New > Key, and name it Exchange. - Create the MSAL Force Registry Value
Right-click the Exchange key, select New > DWORD (32-bit) Value, and name itAlwaysUseMSOAuthForAutoDiscover. Set the value to1. - Close Registry Editor and Restart Outlook
Exit Registry Editor. Close Outlook completely. Wait 30 seconds, then restart Outlook. The next authentication attempt will use MSAL.
Verify MSAL Is Being Used
Open Outlook while holding the Ctrl key. In the Outlook startup dialog, select the profile you use for Exchange Online. When the login prompt appears, check the browser address bar. If the URL contains login.microsoftonline.com and includes microsoft_auth or msal in the query string, MSAL is active. If the URL contains login.windows.net or login.live.com, ADAL is still being used.
If Outlook Still Uses ADAL After the Registry Change
Some configurations override the registry setting. The following issues explain why Outlook may still use ADAL and how to fix each one.
Outlook Version Is Older Than 2304
Outlook builds before 2304 ignore the AlwaysUseMSOAuthForAutoDiscover registry value. Update Outlook to version 2304 or newer. Open File > Office Account > Update Options > Update Now. After the update, restart Outlook and test authentication again.
Exchange Online Tenant Has ADAL Disabled at the Tenant Level
Some tenants disable Modern Authentication for Exchange Online. Run the following command in Exchange Online PowerShell: Get-OrganizationConfig | fl Name, OAuth. If OAuth2ClientProfileEnabled is set to False, run Set-OrganizationConfig -OAuth2ClientProfileEnabled $true. This enables OAuth 2.0 for the entire tenant.
Outlook Profile Is Using Basic Authentication with POP3 or IMAP
The MSAL path only works with Exchange Online accounts configured as Exchange ActiveSync or MAPI over HTTP. If the profile uses POP3 or IMAP, Outlook cannot use MSAL. Remove the POP3 or IMAP account and add it as an Exchange account. Go to File > Account Settings > Account Settings, select the account, and click Change. Ensure the server type is Microsoft Exchange.
ADAL vs MSAL: Feature Comparison Table
| Item | ADAL | MSAL |
|---|---|---|
| Azure AD endpoint | v1.0 (login.windows.net) | v2.0 (login.microsoftonline.com) |
| Account types supported | Work and school only | Work, school, and personal Microsoft accounts |
| Conditional access support | Limited | Full (claims-based, CAE, passwordless) |
| Token cache | Per-application cache | Distributed cache across Office apps |
| Microsoft Graph support | No | Yes |
| Device code flow | No | Yes |
| End-of-life date | 2025 (Exchange Online blocks ADAL) | Active development |
Conclusion
You can force Outlook to use MSAL authentication by setting the AlwaysUseMSOAuthForAutoDiscover registry value to 1 under the Exchange key. This change requires Outlook version 2304 or newer and that Modern Authentication is enabled in your tenant. After the registry change, Outlook uses the v2.0 endpoint, which supports conditional access, continuous access evaluation, and passwordless logins. If Outlook still uses ADAL, check the Outlook version, tenant OAuth settings, and account protocol type. Test the MSAL path by holding Ctrl while starting Outlook and inspecting the login URL.