Modern Authentication using Azure MFA across Exchange and Lync/SfB Hybrid Options

Updated – 25/01/2017 – This article still generates a lot of questions so I thought best to update and clarify some of the comments.

As part of the work I have been doing on Modern Authentication, I thought I would share a table that is useful for understanding how the Office clients authenticate in a mixed hybrid environment. Note: currently SfB Online is NOT supported by ADAL (modern authentication), but once it is, this will be the model. Modern authentication is now supported with SfB On-Premises, but ONLY with SfB 2015 running at least the March 2016 updates, and the environment needs to be pure on-premises and NOT hybrid, as hybrid is still not supported. It should also be noted that if Exchange is wholly in O365 then you must also reference the following article to allow the fat clients to work.

I would also like to point out this article by Trevor Miller for further reference – https://ucvnext.org/2016/02/office365-modern-authentication-skype4b-hybrid-exchange-hybrid/

As well as this one – https://technet.microsoft.com/en-gb/library/mt710548.aspx

Modern Authentication using MFA

Clients and Office 365 tenants enabled for OAuth. The original table has two columns (Skype for Business on-premises; Skype for Business Online (Office 365)) and two rows (Exchange On-premises; Exchange Online (Office 365)); each row/column combination is set out below.

Exchange On-premises / Skype for Business on-premises

OAuth flows are supported against on-premises SfB 2015 only, running the March 2016 CU.

Which authentication method will Skype for Business use?
The client will use NTLM/Kerb/Nego to connect to both Exchange and Skype for Business servers.

What happens if MFA is enabled?
MFA challenges should be respected in this topology.

What does this mean for the end user?
The MS statement is that this currently still isn't supported – https://www.youtube.com/watch?v=O9JChbPhFZc&feature=youtu.be&t=47m37s

Exchange On-premises / Skype for Business Online (Office 365)

Which authentication method will Skype for Business use?
The client will use OAuth against the Skype for Business Online tenant, and NTLM/Kerb/Nego against Exchange on premises.

What happens if MFA is enabled?
True MFA in Skype for Business (Azure MFA or Azure AD MFA).

What does this mean for the end user?
Currently I have no direction on what will happen with on-premises Exchange, but you would need to be running at least 2013.

Exchange Online (Office 365) / Skype for Business on-premises

Which authentication method will Skype for Business use?
The client will use NTLM/Kerb/Nego to connect to Skype for Business on-premises, and IDCRL to connect to Exchange Online.

What happens if MFA is enabled?
MFA challenges will not be respected in this topology.

What does this mean for the end user?
Modern Authentication will not work unless you run the regfix.

Exchange Online (Office 365) / Skype for Business Online (Office 365) – RECOMMENDED

Which authentication method will Skype for Business use?
The client will use OAuth against both the Exchange Online and Skype for Business Online tenants.

What happens if MFA is enabled?
True MFA in Skype for Business (Azure MFA or Azure AD MFA).

What does this mean for the end user?
Modern Authentication will work if you are running pure SfB Online with no hybrid or split domain.

The main item to bear in mind here is that when Lync/SfB is kept on premises (generally because of Enterprise Voice), MFA will currently NOT be respected by the client.
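Whether the client is offered OAuth at all is decided server-side, so the first thing to verify against the table above is that switch on each side of the hybrid. The script below is an added example, not code from the original post, and it assumes: that Skype for Business Server 2015 (March 2016 CU or later) and Skype for Business Online both expose Get-CsOAuthConfiguration with a ClientAdalAuthOverride property (NoOverride / Allowed / Disallowed); that Exchange Online exposes Get-OrganizationConfig with a boolean OAuth2ClientProfileEnabled property; and that each call is made in the matching shell or remote session (SfB Server Management Shell, SfB Online session, Exchange Online session), which the script does not open for you.

```powershell
# Added example, not code from the original post: report whether each side of an
# Exchange / Skype for Business topology is configured to offer the Office client
# OAuth (modern authentication). That server-side switch decides which cell of
# the table a deployment lands in, and therefore whether MFA is respected.
#
# Assumptions not stated on the page:
#  - Skype for Business Server 2015 (March 2016 CU or later) and Skype for
#    Business Online both expose Get-CsOAuthConfiguration with a
#    ClientAdalAuthOverride property (NoOverride / Allowed / Disallowed).
#  - Exchange Online exposes Get-OrganizationConfig with a boolean
#    OAuth2ClientProfileEnabled property.
#  - Each call is made in the matching shell or remote session; this script
#    does not establish those sessions.

function Resolve-AdalOverride {
    # Translate the SfB ClientAdalAuthOverride value into the client behaviour
    # described in the table (OAuth offered, or fallback to legacy auth).
    param([string]$Override)
    switch ($Override) {
        'Allowed'    { 'OAuth offered to clients: MFA challenges can be respected' }
        'Disallowed' { 'OAuth withheld: client falls back to NTLM/Kerb/Nego or IDCRL, MFA not respected' }
        default      { "NoOverride or unknown ('$Override'): server default, treat as modern auth off" }
    }
}

function Get-ModernAuthReport {
    # Returns one object describing the modern-auth switch for the chosen
    # component. Run it once per shell and merge the objects to see the whole
    # hybrid at a glance.
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('SfBOnPrem', 'SfBOnline', 'ExchangeOnline')]
        [string]$Component
    )

    if ($Component -eq 'ExchangeOnline') {
        $org     = Get-OrganizationConfig
        $enabled = [bool]$org.OAuth2ClientProfileEnabled
        if ($enabled) {
            $meaning = 'OAuth offered to clients: MFA challenges can be respected'
        } else {
            $meaning = 'OAuth withheld: client uses IDCRL against Exchange Online, MFA not respected'
        }
        return [pscustomobject]@{
            Component = 'Exchange Online tenant'
            Setting   = 'OAuth2ClientProfileEnabled'
            Value     = $enabled
            Meaning   = $meaning
        }
    }

    # Both SfB flavours use the same cmdlet and property; only the label differs.
    $label = if ($Component -eq 'SfBOnPrem') {
        'Skype for Business Server 2015 (on-premises)'
    } else {
        'Skype for Business Online tenant'
    }
    $cfg      = Get-CsOAuthConfiguration
    $override = [string]$cfg.ClientAdalAuthOverride
    return [pscustomobject]@{
        Component = $label
        Setting   = 'ClientAdalAuthOverride'
        Value     = $override
        Meaning   = Resolve-AdalOverride -Override $override
    }
}

# Usage (run the matching line in each shell, then compare with the table):
#   Get-ModernAuthReport -Component SfBOnPrem      | Format-List
#   Get-ModernAuthReport -Component SfBOnline      | Format-List
#   Get-ModernAuthReport -Component ExchangeOnline | Format-List
```

The report only covers the server side. The client-side prerequisite the table calls "the regfix" (needed for the fat clients when Exchange is wholly in O365) is not checked here, so a deployment can show OAuth offered on every component and still have clients falling back to NTLM/Kerb/Nego or IDCRL until that is applied.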

Legacy Authentication using App Passwords with Azure MFA

Legacy Auth (IDCRL, using App Passwords). Same layout as above: columns Skype for Business on-premises and Skype for Business Online (Office 365); rows Exchange On-premises and Exchange Online (Office 365).

Exchange On-premises / Skype for Business on-premises

N/A – on-premises server products do not support app passwords.

Exchange On-premises / Skype for Business Online (Office 365)

Which authentication method will Skype for Business use?
The client will use IDCRL against the Skype for Business Online tenant, and NTLM/Kerb/Nego against Exchange on premises.

What happens if App Passwords are enabled?
App Password prompts will show up in Skype for Business.

Prompting behavior
Users may see multiple prompts (for two different passwords) from the Skype for Business client attempting to connect to the Skype for Business server and Exchange.

Exchange Online (Office 365) / Skype for Business on-premises

Which authentication method will Skype for Business use?
The client will use NTLM/Kerb/Nego against Skype for Business on premises, and IDCRL against Exchange Online.

What happens if App Passwords are enabled?
App Passwords are used in Skype for Business for connectivity to Exchange. We recommend users log in with app passwords first and then use their domain credentials if needed.

Prompting behavior
Users may see multiple prompts (for two different passwords) from the Skype for Business client attempting to connect to Skype for Business and Exchange.

Exchange Online (Office 365) / Skype for Business Online (Office 365) – RECOMMENDED

Which authentication method will Skype for Business use?
The client will use IDCRL against both the Exchange Online and Skype for Business Online tenants.

What happens if App Passwords are enabled?
Users will have to use App Passwords instead of their domain passwords in Skype for Business.
