5 Tips for Skype for Business Modern Authentication Scenarios

The world is adopting multi-factor authentication (MFA), and Microsoft has been rapidly adding support for it across its servers, services, and clients. Microsoft’s name for the OAuth 2.0 / ADAL-based client sign-in that makes MFA possible is Modern Authentication (MA), and support has been added to Skype for Business Server (SfB) and Exchange Server as well as to the equivalent cloud services (Exchange Online and Skype for Business Online, or SFBO).

In practice, with potentially a decade of legacy client versions in use and a now sizable matrix of possible SfB and Exchange hybrid topologies, supporting MA for all the users in an enterprise requires some planning.

There is plenty of good documentation about how to enable MA both on-premises and online. This article highlights 5 specific things you’ll want to have answers to before enabling MA in an enterprise.

1. Pay Attention to Supported Topologies for Hybrid – Especially the Supported Exchange Topologies

As we all know, Skype for Business (SfB) is highly integrated with (and therefore dependent on) Exchange, which multiplies the topology scenarios to consider. MA is not supported in every combination of Exchange and SfB, and some supported combinations require special configuration. There is a very good TechNet article which clearly describes which mix of Exchange on-premises, SfB on-premises, Exchange Online, and SFBO supports MA:

> Skype for Business topologies supported with Modern Authentication (https://technet.microsoft.com/en-us/library/mt803262.aspx#Modern Authentication in Skype for Business)

I want to highlight a couple key points:

  • Exchange integration and mobile clients will not work for SfB on-premises with MA when Exchange on-premises does not have MA.
  • Exchange on-premises and SFBO with MA is supported (a common scenario). Azure AD needs to be the identity provider for SFBO, and on-premises AD needs to be the identity provider for Exchange on-premises.
  • Multiple prompts for users: the TechNet article referenced above calls out an important point about what happens if MA is not enabled equally across all the server resources the SfB clients use (e.g. the related Exchange resources):

    “It’s very important to note that users may see multiple prompts in some cases, notably where the MA state is not the same across all the server resources that clients may need and request, as is the case with all versions of the Mixed topologies. Also note that in some cases (Mixed 1, 3, and 5 specifically) an AllowADALForNonLyncIndependentOfLync registry key must be set for proper configuration for Windows Desktop Clients.”

2. Plan for Client Support

If SfB has been used in an organization for several years, there are likely a wide variety of clients out in the wild, such as older Lync clients on unmanaged devices, Office 2013 and Office 2016 clients, and a mix of mobile Android, iOS, and Windows Phone versions.

A summary of the various client applications and their modern authentication support for Office 365 is available here: Updated Office 365 modern authentication. In a nutshell, any Skype for Business client version that is not part of Office 2016 (or later) does not have built-in support for Modern Authentication.

For the Skype for Business client specifically, here is a summary of that support:

  • Office 2016 – built-in support
  • Office 2013 – an updated client and two registry keys are required (see Enable Modern Authentication for Office 2013 on Windows devices)
  • iOS – yes, but watch the caveat if you are in a SfB hybrid shared namespace scenario (see below)
  • Android – yes, but watch the caveat if you are in a SfB hybrid shared namespace scenario (see below)
  • Windows Phone – not supported yet

The supported client list is similar for Skype for Business Server on-premises.
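Both the Office 2013 registry keys in the list above and the AllowADALForNonLyncIndependentOfLync key from the Mixed-topology note in tip 1 are per-user (HKCU) settings, which means they have to be deployed to every user who keeps a pre-2016 client. The following PowerShell is an added example, not part of the original post or of any Microsoft article: it sets the keys and then reads them back so the state can be verified on a workstation. The key paths are the ones I understand the referenced Microsoft articles to document (HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity for Office 2013, HKCU\SOFTWARE\Microsoft\Office\Lync for the Lync/SfB client); verify them against those articles for your Office build before rolling this out.

```powershell
# Added example (not from the original post): configure the client-side
# registry keys a pre-Office 2016 Skype for Business client needs for
# Modern Authentication, then report the effective state.
# Key paths are assumptions based on the Microsoft articles the post links to;
# confirm them for your Office build before deploying.

$office2013Identity = 'HKCU:\SOFTWARE\Microsoft\Office\15.0\Common\Identity'
$lyncClientKey      = 'HKCU:\SOFTWARE\Microsoft\Office\Lync'

function Set-DwordValue {
    param([string]$Path, [string]$Name, [int]$Value)
    # Create the key if it does not exist yet, then (over)write the DWORD.
    if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# Office 2013: EnableADAL=1 switches the client to ADAL (modern) sign-in and
# Version=1 is the companion value required alongside it.
Set-DwordValue -Path $office2013Identity -Name 'EnableADAL' -Value 1
Set-DwordValue -Path $office2013Identity -Name 'Version'    -Value 1

# Mixed topologies 1, 3 and 5 (tip 1): let the SfB client use ADAL for
# non-Lync resources (Exchange, etc.) independently of the Lync/SfB server's MA state.
Set-DwordValue -Path $lyncClientKey -Name 'AllowADALForNonLyncIndependentOfLync' -Value 1

function Get-SfBModernAuthClientState {
    # A client with any of these missing or 0 silently falls back to legacy
    # auth and then fails against an MFA-enforced account, so show all three.
    $identity = Get-ItemProperty -Path $office2013Identity -ErrorAction SilentlyContinue
    $lync     = Get-ItemProperty -Path $lyncClientKey      -ErrorAction SilentlyContinue
    [pscustomobject]@{
        EnableADAL                           = $identity.EnableADAL
        Version                              = $identity.Version
        AllowADALForNonLyncIndependentOfLync = $lync.AllowADALForNonLyncIndependentOfLync
    }
}

Get-SfBModernAuthClientState
```

Because the keys live under HKCU, run this in the user's context (a logon script or Group Policy Preferences registry item targeted at users still on Office 2013), not as a one-off from an admin session. Note that the keys are only half of the requirement: the Office 2013 client itself must be at a build that includes ADAL support, which the script does not check.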

3. App Passwords can be used for Legacy Skype for Business and Lync Clients using Office 365

There is another option for legacy non-MA clients (e.g. Office 2013): app passwords. This is a somewhat cumbersome option for end users, but a viable one for those users that require legacy clients (client versions that do not natively support MA, such as the Microsoft Lync client and the Skype for Business client in Office 2013).

The App Password option involves the end user signing into the Office 365 portal and creating a special app password that is used in legacy clients and bypasses MA. The big drawbacks are that the app password is yet another password the user needs to have available and ready to use, and that it is auto-generated and difficult to enter on a mobile device. Because it bypasses MFA, an app password is effectively a long-lived single-factor credential for that account, so it should be deleted from the portal as soon as the legacy client is retired.

The process for an end user configuring an app password is described here: Set up multi-factor authentication for Office 365 users.

One major limitation to be aware of is that this option is not available in hybrid, as described here:

App passwords don’t work in hybrid environments where clients communicate with both on-premises and cloud autodiscover endpoints. Domain passwords are required to authenticate on-premises. App passwords are required to authenticate with the cloud.

4. Mobile Clients will not Work if MA is Enabled for both SfB Server On-Premises and SfB Online in a Shared SIP Address Space Hybrid

This one scenario is easy to overlook, so I wanted to highlight it.

From: https://support.microsoft.com/en-us/help/3126604/skype-for-business-mobile-users-can-t-sign-in-when-modern-authenticati

Modern Authentication for mobile clients is not yet supported in the following deployment topologies:

  • Exchange Online with Modern Authentication turned on and Skype for Business on-premises without Modern Authentication turned on.
  • Skype for Business Server 2015 and Skype for Business Online in a split domain hybrid configuration (for example, SharedSIPAddressSpace = true) with Modern Authentication turned on for both Skype for Business Server and Skype for Business Online
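The second bullet is the one that bites during a staged rollout: each side gets MA enabled by a different team, and nobody checks the combination. The following PowerShell is an added example, not from the original post or the KB article, that reads the three settings involved and flags the unsupported combination. It assumes you run it from the on-premises Skype for Business Management Shell with a Skype for Business Online remote session imported under the prefix "Online" (so the online cmdlets do not clobber the on-premises ones), and that MA state on both sides is exposed by the ClientAdalAuthOverride property of Get-CsOAuthConfiguration and the split-domain flag by SharedSipAddressSpace on Get-CsTenantFederationConfiguration; those property names are my understanding of the cmdlets, so verify them in your environment.

```powershell
# Added example (not from the original post): detect the hybrid combination
# KB3126604 says mobile clients cannot sign in with. Assumes an on-premises
# Skype for Business Management Shell and the Skype for Business Online
# Connector module; cmdlet/property names are assumptions to verify.

# Assumption: $cred holds a tenant admin credential.
$sfboSession = New-CsOnlineSession -Credential $cred
Import-PSSession -Session $sfboSession -Prefix Online -AllowClobber | Out-Null

function Test-UnsupportedMobileMaTopology {
    # On-premises Skype for Business Server: MA is on when the client override is Allowed.
    $onPremMa = (Get-CsOAuthConfiguration).ClientAdalAuthOverride -eq 'Allowed'

    # Skype for Business Online tenant: same setting, read through the prefixed session.
    $onlineMa = (Get-OnlineCsOAuthConfiguration).ClientAdalAuthOverride -eq 'Allowed'

    # Split-domain hybrid, i.e. the SharedSIPAddressSpace = true case in the KB.
    $sharedSip = [bool](Get-OnlineCsTenantFederationConfiguration).SharedSipAddressSpace

    [pscustomobject]@{
        OnPremModernAuth      = $onPremMa
        OnlineModernAuth      = $onlineMa
        SharedSipAddressSpace = $sharedSip
        # All three true is exactly the unsupported topology for mobile clients.
        MobileSignInBlocked   = ($onPremMa -and $onlineMa -and $sharedSip)
    }
}

$state = Test-UnsupportedMobileMaTopology
$state
if ($state.MobileSignInBlocked) {
    Write-Warning 'Shared SIP address space hybrid with MA enabled on both SfB Server and SfB Online: mobile clients will not sign in (KB3126604).'
}

Remove-PSSession -Session $sfboSession
```

The first bullet (Exchange Online with MA on, SfB on-premises without MA) needs the Exchange Online side as well; the corresponding tenant setting is OAuth2ClientProfileEnabled on Get-OrganizationConfig in an Exchange Online session, which could be added to the same object alongside a check that $onPremMa is false.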

5. Update those Mobile Clients

Even with supported MA topologies, I’ve seen mobile clients have sign-in problems after MA has been enabled. Several times, updating the mobile client (especially iOS) to the latest version has solved the issue. There are also mobile client-side logs which can be useful in tracking down MA sign-in problems.

For example, one user could not sign in with MFA for the iOS Skype for Business client version 6.10.1.0.  Upgrading to 6.17.3 (released Nov 15, 2017) worked.
