Move users in Skype for Business Control Panel with MFA

Scenario:

  • Skype for Business Server 2015 (CU6)
  • Skype for Business Online, Windows PowerShell Module (Build: 6.0.9276.0)
  • Skype for Business Pool configured in Hybrid Mode
  • Skype for Business On-Premises administrator account has Multi-Factor Authentication(MFA) in Office 365

Problem:

  • When you have this setup, in Skype for Business Server 2015 Control Panel, you try to move users from On-Premises to Online or vice-versa, but you cannot authenticate with your administrative account in Office 365 services.
    • Error: "Get-CsWebTicket : Failed to logon with given credentials. Make sure correct user name and password provided. "

    • Currently the Skype for Business Control Panel do not support multi-factor authentication.

Solution:

EXTRA:

  • You might face the same problem when trying to move users, using the Skype for Business Powershell, and fails as well because of the MFA, when connecting to Office 365:
    • Error: "Move-CsUser : Failed to logon with given credentials. Make sure correct user name and password provided. "
  • Solution: The same as explained in the scenario above.

 

More Resources:

  • Step-By-Step: Skype for Business 2015 Hybrid Configuration

  • Move users to Skype for Business Online

  • Move users from Skype for Business Online to on premises

    Solution:

    - **Option 1:**
          - Since Skype for Business Control Panel don't support two-step verification we will need to to set up an "app password" for our Office 365 admin account that has MFA enabled.
              - [What are App Passwords in Azure Multi-Factor Authentication?](https://docs.microsoft.com/en-us/azure/multi-factor-authentication/end-user/multi-factor-authentication-end-user-app-passwords)
              - [Create an app password for Office 365](https://support.office.com/en-us/article/create-an-app-password-for-office-365-3e7c860f-bda4-4441-a618-b53953ee1183)
    
      - **Option 2:**
          - Remove the MFA from the administrative account.  
              - [Set up multi-factor authentication for Office 365 users](https://support.office.com/en-us/article/Set-up-multi-factor-authentication-for-Office-365-users-8f0454b2-f51a-4d9c-bcde-2c48e41621c6)
    
      - **Option 3:**
          - If you enforce Multi-Factor Authentication through Conditional Access policies and not through per-user MFA, you cannot create app passwords. In this case you can create an account in the domain "XXX.onmicrosoft.com" to connect to Office 365.
    
    ## **EXTRA:**
    
    - You might face the same problem when trying to move users, using the Skype for Business Powershell, and fails as well because of the MFA, when connecting to Office 365:  
          - Error: "*Move-CsUser : Failed to logon with given credentials. Make sure correct user name and password provided.* "![](https://msdnshared.blob.core.windows.net/media/2018/01/controlPanel02.jpg)
    
    - **Solution:** The same as explained in the scenario above.
    
    ### More Resources:
    
    - [Step-By-Step: Skype for Business 2015 Hybrid Configuration](https://blogs.technet.microsoft.com/canitpro/2015/12/23/step-by-step-skype-for-business-2015-hybrid-configuration/)
    - [Move users to Skype for Business Online](https://technet.microsoft.com/en-us/library/jj204969.aspx)
    - [Move users from Skype for Business Online to on premises](https://technet.microsoft.com/en-us/library/dn689117.aspx)