First we check the status on our on-premises Skype for Business Server by running the following PowerShell command:

Get-CsOAuthConfiguration

If the command returns an empty OAuthServers property, or if the value of the ClientADALAuthOverride property is not Allowed, then modern authentication is disabled. For more information about the Get-CsOAuthConfiguration cmdlet, see Get-CsOAuthConfiguration.

Also on my on-premises Skype for Business server in my lab environment, modern authentication is disabled.

After that, check whether your on-premises environment meets the prerequisites for modern authentication: Skype for Business topologies supported with Modern Authentication.

Now we can configure our on-premises Skype for Business Server to use Hybrid Modern Authentication. Modern Authentication is a method of identity management that offers more secure user authentication and authorization; it is available for Skype for Business Server on-premises, Exchange Server on-premises, and split-domain Skype for Business hybrids.

I will use the following post from Microsoft to configure it: How to configure Skype for Business on-premises to use Hybrid Modern Authentication.

Turn on Modern Authentication for Skype for Business Online

Before you enable modern authentication for your on-premises environment, check that you have enabled it first for Skype for Business Online. Follow the instructions here: Skype for Business Online: Enable your tenant for modern authentication.

First we will create a file to hold the information you'll need for configuring HMA in the steps ahead. Ex.:

The GUID that represents your Office 365 tenant (at the login of …).

The internal and external web service URLs for all SfB pools deployed. To obtain these, run the following from the Skype for Business Management Shell:

Get-CsService -WebServer | Select-Object PoolFqdn, InternalFqdn, ExternalFqdn | FL

If you're using a Standard Edition server, as in my case, the internal URL will be blank. In this case, use the pool FQDN for the internal URL.

Now we need to add our on-premises web service URLs as SPNs in Azure AD. You'll need to run commands to add the URLs (collected earlier) as Service Principals in SFBO.

Note: Service principal names (SPNs) identify web services and associate them with a security principal (such as an account name or group) so that the service can act on behalf of an authorized user. Clients authenticating to a server make use of information contained in SPNs.

Now we need to connect to Azure AD using the Connect-MsolService command as follows.

# For your SFB-related URLs, type the following command:
Get-MsolServicePrincipal -AppPrincipalId 00000004-0000-0ff1-ce00-000000000000 | Select -ExpandProperty ServicePrincipalNames

The Application ID 00000004-0000-0ff1-ce00-000000000000 belongs to Skype for Business Online, which you can see in Azure Enterprise applications.

Take note of (and screenshot for later comparison) the output of this command, which will include an SE and WS URL, but mostly consist of SPNs that begin with 00000004-0000-0ff1-ce00-000000000000/.

If the internal or external SfB URLs from on-premises are missing (for example … and …), we will need to add those specific records to this list. Be sure to replace the example URLs with your actual URLs in the Add commands!

$x= Get-MsolServicePrincipal -AppPrincipalId 00000004-0000-0ff1-ce00-000000000000
(add each missing URL to $x.ServicePrincipalNames with the Add commands from the Microsoft article, then write the list back)
Set-MSOLServicePrincipal -AppPrincipalId 00000004-0000-0ff1-ce00-000000000000 -ServicePrincipalNames $x.ServicePrincipalNames

So in my case I have to add as follows, using the same commands with my own URLs.

Verify your new records were added by running the Get-MsolServicePrincipal command from step 2 again and looking through the output. Compare the list or screenshot from before to the new list of SPNs.

Run the following command in your on-premises Skype for Business Management Shell to create the EvoSTS Auth Server Object (the metadata URL was dropped from the page; take it from the Microsoft article):

New-CsOAuthServer -Identity evoSTS -MetadataURL <federation metadata URL from the Microsoft article> -AcceptSecurityIdentifierInformation $true -Type AzureAD

Finally we need to enable Hybrid Modern Authentication for the on-premises Skype for Business server as follows. This is the step that actually turns on MA. All the previous steps can be run ahead of time without changing the client authentication flow. When you're ready to change the authentication flow, run this command in the Skype for Business Management Shell:

Set-CsOAuthConfiguration -ClientAuthorizationOAuthServerIdentity evoSTS

Finally we can verify whether the clients will use HMA for the next login. Once you enable HMA, a client's next login will use the new auth flow.
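As an added example (not code from this post or from Microsoft's article), the SPN steps described above can be scripted so that only the on-premises web service URLs that are actually missing get added, and the before/after SPN lists are compared rather than eyeballed against a screenshot. It assumes the MSOnline module is loaded, Connect-MsolService has already been run in the same session, Get-CsService is available (Skype for Business Management Shell), and that on-premises URLs are registered in the https://<fqdn>/ SPN form.

```powershell
# Added example, not from the original post or Microsoft's article.
# Assumptions: MSOnline module loaded, Connect-MsolService already run, and the
# session has the Skype for Business Management Shell cmdlets (Get-CsService).
$SfboAppId = '00000004-0000-0ff1-ce00-000000000000'   # Skype for Business Online (from the post)

# Gather the web service FQDNs of every pool. Standard Edition leaves InternalFqdn
# empty, so fall back to the pool FQDN as the post describes.
$fqdns = foreach ($ws in Get-CsService -WebServer) {
    if ($ws.InternalFqdn) { $ws.InternalFqdn } else { $ws.PoolFqdn }
    $ws.ExternalFqdn
}
$fqdns = @($fqdns | Where-Object { $_ } | Sort-Object -Unique)

# Snapshot the current SPN list (the "screenshot for later comparison" step).
$sp     = Get-MsolServicePrincipal -AppPrincipalId $SfboAppId
$before = @($sp.ServicePrincipalNames)
$before | Set-Content -Path .\sfbo-spn-before.txt

# Assumption: on-premises URLs are registered as https://<fqdn>/ SPNs.
$missing = @($fqdns | Where-Object { $before -notcontains "https://$_/" })
if ($missing.Count -eq 0) {
    Write-Host 'All on-premises web service URLs are already registered as SPNs.'
    return
}

# Add only the missing entries, then write the whole list back in one call.
foreach ($fqdn in $missing) {
    Write-Host "Adding SPN https://$fqdn/"
    $sp.ServicePrincipalNames.Add("https://$fqdn/")
}
Set-MsolServicePrincipal -AppPrincipalId $SfboAppId -ServicePrincipalNames $sp.ServicePrincipalNames

# Verify: re-read the list and show exactly what changed.
# '=>' marks an SPN present only after the change, '<=' one that disappeared.
$after = @((Get-MsolServicePrincipal -AppPrincipalId $SfboAppId).ServicePrincipalNames)
Compare-Object -ReferenceObject $before -DifferenceObject $after |
    Format-Table InputObject, SideIndicator -AutoSize
```

Any '<=' line in the final table means an existing SPN was lost and should be investigated before clients are switched over.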