Modern Authentication using Azure MFA across Exchange and Lync/SfB Hybrid Options

Updated – 25/01/2017 – This article still generates a lot of questions so I thought best to update and clarify some of the comments.

As part of the work I have been doing on Modern Authentication, I thought I would share a table that is useful for understanding how the Office clients authenticate in a mixed hybrid environment. Note: currently SfB Online is NOT supported by ADAL (modern authentication), but once it is, this will be the model. It is also now supported with SfB On-Premises, but ONLY with SfB 2015 running at least the March 2016 updates, and the environment needs to be pure on-premises and NOT hybrid, as hybrid is still not supported. It should also be noted that if Exchange is wholly in O365 then you must also reference the following article to allow the fat clients to work.

I would also like to point out this article for further reference by Trevor Miller – https://ucvnext.org/2016/02/office365-modern-authentication-skype4b-hybrid-exchange-hybrid/

As well as this one – https://technet.microsoft.com/en-gb/library/mt710548.aspx

Modern Authentication using MFA

Clients and Office 365 tenants enabled for OAuth

Read the matrix by row (where Exchange is hosted: on-premises or Online) and column (where Skype for Business is hosted: on-premises or Online). The four combinations follow.

Exchange On-premises and Skype for Business on-premises

OAuth flows are supported against on-premises SfB 2015 only, running the March 2016 CU.

Which authentication method will Skype for Business use?

The client will use NTLM/Kerb/Nego to connect to both Exchange and Skype for Business servers.

What happens if MFA is enabled?

MFA challenges should be respected in this topology.

What does this mean for the end user?

The MS statement is that this currently still isn't supported – https://www.youtube.com/watch?v=O9JChbPhFZc&feature=youtu.be&t=47m37s

Exchange On-premises and Skype for Business Online (Office 365)

Which authentication method will Skype for Business use?

The client will use OAuth against the Skype for Business Online tenant, and NTLM/Kerb/Nego against Exchange on-premises.

What happens if MFA is enabled?

True MFA in Skype for Business (Azure MFA or Azure AD MFA).

What does this mean for the end user?

Currently I have no direction on what will happen with on-premises Exchange, but you would need to be running at least 2013.

Exchange Online (Office 365) and Skype for Business on-premises

Which authentication method will Skype for Business use?

The client will use NTLM/Kerb/Nego to connect to Skype for Business on-premises, and IDCRL to connect to Exchange Online.

What happens if MFA is enabled?

MFA challenges will not be respected in this topology.

What does this mean for the end user?

Modern Authentication will not work unless you run the regfix.

Exchange Online (Office 365) and Skype for Business Online (Office 365) – RECOMMENDED

Which authentication method will Skype for Business use?

The client will use OAuth against both the Exchange and Skype for Business Online tenants.

What happens if MFA is enabled?

True MFA in Skype for Business (Azure MFA or Azure AD MFA).

What does this mean for the end user?

Modern Authentication will work if you are running pure SfB Online with no hybrid or split domain.

The main item to bear in mind here is that when using Lync/SfB on-premises (generally kept on-premises because of Enterprise Voice), MFA will currently NOT be respected by the client.

Legacy Authentication using App Passwords with Azure MFA

Legacy Auth (IDCRL, using App Passwords)

As above, rows are where Exchange is hosted and columns are where Skype for Business is hosted.

Exchange On-premises and Skype for Business on-premises

N/A – on-premises server products do not support app passwords.

Exchange On-premises and Skype for Business Online (Office 365)

Which authentication method will Skype for Business use?

The client will use IDCRL against the Skype for Business Online tenant, and NTLM/Kerb/Nego against Exchange on-premises.

What happens if App Passwords are enabled?

App Password prompts will show up in Skype for Business.

Prompting behaviour

Users may see multiple prompts (for two different passwords) from the Skype for Business client as it attempts to connect to the Skype for Business server and Exchange.

Exchange Online (Office 365) and Skype for Business on-premises

Which authentication method will Skype for Business use?

The client will use NTLM/Kerb/Nego against Skype for Business on-premises, and IDCRL against Exchange on-premises.

What happens if App Passwords are enabled?

App Passwords are used in Skype for Business for connectivity to Exchange. We recommend users log in with app passwords first and then use their domain credentials if needed.

Prompting behaviour

Users may see multiple prompts (for two different passwords) from the Skype for Business client as it attempts to connect to Skype for Business and Exchange.

Exchange Online (Office 365) and Skype for Business Online (Office 365) – RECOMMENDED

Which authentication method will Skype for Business use?

The client will use IDCRL against both the Exchange and Skype for Business Online tenants.

What happens if App Passwords are enabled?

Users will have to use App Passwords instead of their domain passwords in Skype for Business.


Office 365 Modern Authentication using ADAL

I have spent the last few weeks testing and trying the various setups with Azure MFA when using modern authentication using Office 2016 ProPlus and thought I would share my experiences.

In general the process is pretty slick and seamless for the end user; the main area of concern is the lack of public information on the matter. There are various discussion articles, which are all linked below. However, it should be made clear that although Office 2013 and 2016 can support modern authentication, Office 365 is NOT fully supported and is still currently in a public preview.

The workloads supported are SharePoint Online, the Office 365 tenant, Intune, Azure AD and Exchange Online (limited support; also note that ActiveSync will still require App Passwords if Azure MFA is enforced). Most mobile applications (Outlook, OneDrive, Outlook Groups, RMS Sharing, Intune Company Portal) do support MFA; however, I have found the Delve application currently doesn't.

Unsupported workloads – Skype for Business Online. The Skype for Business client itself does support Modern Authentication; however, when using Lync/SfB on-premises the client struggles to establish a connection, as authentication to Exchange Online fails when it tries to pull information. If you want to use SfB Online, you can continue with App Passwords if this is a required workload.

https://blogs.office.com/2015/03/23/office-2013-modern-authentication-public-preview-announced/

Although you can request via this page to have your tenant turned on for Modern Authentication, the PowerShell command is actually already available to admins, which is:

Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

To turn this off, run the command again with $false.

Leaving this on does not affect client authentication if you are NOT enforcing Azure MFA; it only comes into play when Azure MFA is turned on!

Now to the client. Office 2013/16 supports modern authentication; however, when using 2013 you need to add the registry key detailed here – https://support.office.com/en-gb/article/Enable-Modern-Authentication-for-Office-2013-on-Windows-devices-7dc1c01a-090f-4971-9677-f1b192d6c910?ui=en-US&rs=en-GB&ad=GB. For Office 2016 you do not need the registry key, although if you do put it on the machine it won't harm the client.
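The two steps above (enable OAuth2 on the Exchange Online tenant, then make sure the Office 2013 client has the ADAL registry values) can be checked and applied from one PowerShell session. This is an added example, not a script from the original post; it assumes the current Exchange Online PowerShell module (Connect-ExchangeOnline) is installed and that you hold a role that can run Set-OrganizationConfig. The registry path and value names (EnableADAL and Version under HKCU\Software\Microsoft\Office\15.0\Common\Identity) are the ones from Microsoft's Office 2013 modern authentication guidance linked above; verify them against that article before rolling out.

```powershell
# Added example (not from the original post).
# Part 1: report and, if needed, enable Modern Authentication on the tenant.
# Assumes the Exchange Online PowerShell module is installed and you are an Exchange admin.
Connect-ExchangeOnline -ShowBanner:$false

$before = (Get-OrganizationConfig).OAuth2ClientProfileEnabled
"OAuth2ClientProfileEnabled before: $before"

if (-not $before) {
    # Turn OAuth2/ADAL on for the tenant. As the post says, run again with
    # -OAuth2ClientProfileEnabled $false to turn it back off.
    Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
}

"OAuth2ClientProfileEnabled after: $((Get-OrganizationConfig).OAuth2ClientProfileEnabled)"

# Part 2: Office 2013 client registry values (Office 2016 does not need them).
# Path and value names as documented by Microsoft for Office 2013 (assumption: check the linked article).
$identityKey = 'HKCU:\Software\Microsoft\Office\15.0\Common\Identity'
$wanted = @{ EnableADAL = 1; Version = 1 }

if (-not (Test-Path $identityKey)) {
    New-Item -Path $identityKey -Force | Out-Null
}

foreach ($name in $wanted.Keys) {
    $current = (Get-ItemProperty -Path $identityKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($current -ne $wanted[$name]) {
        New-ItemProperty -Path $identityKey -Name $name -PropertyType DWord -Value $wanted[$name] -Force | Out-Null
        "Set $name = $($wanted[$name]) under $identityKey"
    } else {
        "$name already set to $current under $identityKey"
    }
}
```

Part 1 only changes the tenant when the flag is off, so it is safe to run repeatedly as a check; Part 2 writes per-user (HKCU) values, so it must run in the context of the user whose Office 2013 client you are enabling. At the time of the post you would have connected with a remote PowerShell session to Exchange Online instead of Connect-ExchangeOnline; the Get-/Set-OrganizationConfig calls are the same.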

To setup Azure MFA the following article discusses how to do this for the users – https://support.office.com/en-US/article/Set-up-multi-factor-authentication-for-Office-365-8f0454b2-f51a-4d9c-bcde-2c48e41621c6

The last item to bear in mind is ADFS Client Access policies. You must be running at least ADFS 3.0; however, not all policies are supported, as discussed here – http://social.technet.microsoft.com/wiki/contents/articles/30253.office-2013-and-office-365-proplus-modern-authentication-and-client-access-filtering-policies-things-to-know-before-onboarding.aspx – and you should also ensure you have configured ADFS with the additional rule discussed here – https://azure.microsoft.com/en-gb/documentation/articles/multi-factor-authentication-get-started-adfs-cloud/

The main rule that doesn't work is "Block all External Access to O365 except Browser Based apps"; if you want to block client access you will need to do this via conditional access policies in Intune or Azure AD – https://azure.microsoft.com/en-us/documentation/articles/active-directory-conditional-access-on-premises-setup/?rnd=1. It should be noted that your forest schema level needs to be at least 2012 R2, and there are a multitude of gotchas described in the article.

So overall this should hopefully give you some further food for thought and clarity on Modern Authentication using Azure MFA!