Hybrid modern authentication overview and prerequisites for using it with on-premises Skype for Business and Exchange servers
This article applies to both Microsoft 365 Enterprise and Office 365 Enterprise.
Modern Authentication is a method of identity management that offers more secure user authentication and authorization. It's available for Office 365 hybrid deployments of Skype for Business server on-premises and Exchange server on-premises, and split-domain Skype for Business hybrids. This article links to related docs about prerequisites, setup/disabling modern authentication, and to some of the related client (ex. Outlook and Skype clients) information.
- What is modern authentication?
- What changes when I use modern authentication?
- Check the modern authentication status of your on-premises environment
- Do you meet modern authentication prerequisites?
- What else do I need to know before I begin?
What is modern authentication?
Modern authentication is an umbrella term for a combination of authentication and authorization methods between a client (for example, your laptop or your phone) and a server, as well as some security measures that rely on access policies that you may already be familiar with. It includes:
- Authentication methods: Multifactor authentication (MFA); smart card authentication; client certificate-based authentication
- Authorization methods: Microsoft's implementation of Open Authorization (OAuth)
- Conditional access policies: Mobile Application Management (MAM) and Azure Active Directory (Azure AD) Conditional Access
Managing user identities with modern authentication gives administrators many different tools to use when it comes to securing resources and offers more secure methods of identity management to both on-premises (Exchange and Skype for Business), Exchange hybrid, and Skype for Business hybrid/split-domain scenarios.
Because Skype for Business works closely with Exchange, the login behavior Skype for Business client users will see will be affected by the modern authentication status of Exchange. This will also apply if you have a Skype for Business split-domain hybrid architecture, in which you have both Skype for Business Online and Skype for Business on-premises, with users homed in both locations.
For more information about modern authentication in Office 365, see Office 365 Client App Support - Multi-factor authentication.
As of August of 2017, all new Office 365 tenants that include Skype for Business online and Exchange online will have modern authentication enabled by default. Pre-existing tenants won't have a change in their default MA state, but all new tenants automatically support the expanded set of identity features you see listed above. To check your MA status, see the Check the modern authentication status of your on-premises environment section.
What changes when I use modern authentication?
When using modern authentication with on-premises Skype for Business or Exchange server, you're still authenticating users on-premises, but the story of authorizing their access to resources (like files or emails) changes. This is why, though modern authentication is about client and server communication, the steps taken during configuring MA result in evoSTS (a Security Token Service used by Azure AD) being set as Auth Server for Skype for Business and Exchange server on-premises.
The change to evoSTS allows your on-premises servers to take advantage of OAuth (token issuance) for authorizing your clients, and also lets your on-premises use security methods common in the cloud (like Multi-factor Authentication). Additionally, the evoSTS issues tokens that allow users to request access to resources without supplying their password as part of the request. No matter where your users are homed (of online or on-premises), and no matter which location hosts the needed resource, EvoSTS will become the core of authorizing users and clients once modern authentication is configured.
For example, if a Skype for Business client needs to access Exchange server to get calendar information on behalf of a user, it uses the Microsoft Authentication Library (MSAL) to do so. MSAL is a code library designed to make secured resources in your directory available to client applications using OAuth security tokens. MSAL works with OAuth to verify claims and to exchange tokens (rather than passwords), to grant a user access to a resource. In the past, the authority in a transaction like this one--the server that knows how to validate user claims and issue the needed tokens -- might have been a Security Token Service on-premises, or even Active Directory Federation Services. However, modern authentication centralizes that authority by using Azure AD.
This also means that even though your Exchange server and Skype for Business environments may be entirely on-premises, the authorizing server will be online, and your on-premises environment must have the ability to create and maintain a connection to your Office 365 subscription in the Cloud (and the Azure AD instance that your subscription uses as its directory).
What doesn't change? Whether you're in a split-domain hybrid or using Skype for Business and Exchange server on-premises, all users must first authenticate on-premises. In a hybrid implementation of modern authentication, Lyncdiscovery and Autodiscovery both point to your on-premises server.
If you need to know the specific Skype for Business topologies supported with MA, that's documented right here.
Check the modern authentication status of your on-premises environment
Because modern authentication changes the authorization server used when services leverage OAuth/S2S, you need to know if modern authentication is enabled or disabled for your on-premises Skype for Business and Exchange environments. You can check the status on your Exchange servers by running the following PowerShell command:
Get-OrganizationConfig | ft OAuth*
If the value of the OAuth2ClientProfileEnabled property is False, then modern authentication is disabled.
For more information about the Get-OrganizationConfig cmdlet, see Get-OrganizationConfig.
You can check your Skype for Business servers by running the following PowerShell command:
If the command returns an empty OAuthServers property, or if the value of the ClientADALAuthOverride property is not Allowed, then modern authentication is disabled.
For more information about the Get-CsOAuthConfiguration cmdlet, see Get-CsOAuthConfiguration.
Do you meet modern authentication prerequisites?
Verify and check these items off your list before you continue:
Skype for Business specific
- All servers must have May 2017 cumulative update (CU5) for Skype for Business Server 2015 or later
- Exception - Survivability Branch Appliance (SBA) can be on the current version (based on Lync 2013)
- Your SIP domain is added as a Federated domain in Office 365
- All SFB Front Ends must have connections outbound to the internet, to Office 365 Authentication URLs (TCP 443) and well known certificate root CRLs (TCP 80) listed in Rows 56 and 125 of the 'Microsoft 365 Common and Office' section of Office 365 URLs and IP address ranges.
- All servers must have May 2017 cumulative update (CU5) for Skype for Business Server 2015 or later
Skype for Business on-premises in a hybrid Office 365 environment
- A Skype for Business Server 2019 deployment with all servers running Skype for Business Server 2019.
- A Skype for Business Server 2015 deployment with all servers running Skype for Business Server 2015.
- A deployment with a maximum of two different server versions as listed below:
- Skype for Business Server 2015
- Skype for Business Server 2019
- All Skype for Business servers must have the latest cumulative updates installed, see Skype for Business Server updates to find and manage all available updates.
- There is no Lync Server 2010 or 2013 in the hybrid environment.
If your Skype for Business front-end servers use a proxy server for Internet access, the proxy server IP and Port number used must be entered in the configuration section of the web.config file for each front end.
- C:\Program Files\Skype for Business Server 2015\Web Components\Web ticket\int\web.config
- C:\Program Files\Skype for Business Server 2015\Web Components\Web ticket\ext\web.config
<configuration> <system.net> <defaultProxy> <proxy proxyaddress="https://192.168.100.60:8080" bypassonlocal="true" /> </defaultProxy> </system.net> </configuration>
Be sure to subscribe to the RSS feed for Office 365 URLs and IP address ranges to stay current with the latest listings of required URLs.
Exchange Server specific
- You're using either Exchange server 2013 CU19 and up, Exchange server 2016 CU8 and up, or Exchange Server 2019 CU1 and up.
- There is no Exchange server 2010 in the environment.
- SSL Offloading is not configured. SSL termination and re-encryption is supported.
- In the event your environment utilizes a proxy server infrastructure to allow servers to connect to the Internet, be sure all Exchange servers have the proxy server defined in the InternetWebProxy property.
Exchange Server on-premises in a hybrid Office 365 environment
- If you are using Exchange Server 2013, at least one server must have the Mailbox and Client Access server roles installed. While it is possible to install the Mailbox and Client Access roles on separate servers, we strongly recommend that you install both roles on the same server to provide additional reliability and improved performance.
- If you are using Exchange server 2016 or later version, at least one server must have the Mailbox server role installed.
- There is no Exchange server 2007 or 2010 in the Hybrid environment.
- All Exchange servers must have the latest cumulative updates installed, see Upgrade Exchange to the latest Cumulative Updates to find and manage all available updates.
Exchange client and protocol requirements
The availability of modern authentication is determined by the combination of the client, protocol, and configuration. If modern authentication is not supported by the client, protocol, and/or configuration, then the client will continue to leverage legacy authentication.
The following clients and protocols support modern authentication with on-premises Exchange when modern authentication is enabled in the environment:
Clients Primary Protocol Notes Outlook 2013 and later MAPI over HTTP MAPI over HTTP must be enabled within Exchange in order to leverage modern authentication with these clients (usually enabled or True for new installs of Exchange 2013 Service Pack 1 and above); for more information see How modern authentication works for Office 2013 and Office 2016 client apps.
Ensure you are running the minimum required build of Outlook; see Latest updates for versions of Outlook that use Windows Installer (MSI).
Outlook 2016 for Mac and later Exchange Web Services Outlook for iOS and Android Microsoft sync technology See Using hybrid Modern Authentication with Outlook for iOS and Android for more information. Exchange ActiveSync clients (e.g., iOS11 Mail) Exchange ActiveSync For Exchange ActiveSync clients that support modern authentication, you must recreate the profile in order to switch from basic authentication to modern authentication.
Clients and/or protocols that are not listed (e.g., POP3) do not support modern authentication with on-premises Exchange and continue to leverage legacy authentication mechanisms even after modern authentication is enabled in the environment.
Resource forest scenarios will require a two-way trust with the account forest to ensure proper SID lookups are performed during hybrid modern authentication requests.
If you use AD FS, you should have Windows 2012 R2 AD FS 3.0 and above for federation.
Your identity configurations are any of the types supported by Azure AD Connect, such as password hash sync, pass-through authentication, and on-premises STS supported by Office 365.
You have Azure AD Connect configured and functioning for user replication and sync.
You have verified that hybrid is configured using Exchange Classic Hybrid Topology mode between your on-premises and Office 365 environment. Official support statement for Exchange hybrid says you must have either current CU or current CU - 1.
Hybrid modern authentication is not supported with the Hybrid Agent.
Make sure both an on-premises test user, as well as a hybrid test user homed in Office 365, can login to the Skype for Business desktop client (if you want to use modern authentication with Skype) and Microsoft Outlook (if you want to use modern authentication with Exchange).
What else do I need to know before I begin?
- All the scenarios for on-premises servers involve setting up modern authentication on-premises (in fact, for Skype for Business there is a list of supported topologies) so that the server responsible for authentication and authorization is in the Microsoft Cloud (Azure AD's security token service, called 'evoSTS'), and updating Azure AD about the URLs or namespaces used by your on-premises installation of either Skype for Business or Exchange. Therefore, on-premises servers take on a Microsoft Cloud dependency. Taking this action could be considered configuring 'hybrid auth'.
- This article links out to others that will help you choose supported modern authentication topologies (necessary only for Skype for Business), and how-to articles that outline the setup steps, or steps to disable modern authentication, for Exchange on-premises and Skype for Business on-premises. Favorite this page in your browser if you're going to need a home-base for using modern authentication in your server environment.
- How to configure Exchange Server on-premises to use Modern Authentication
- Skype for Business topologies supported with Modern Authentication
- How to configure Skype for Business on-premises to use Modern Authentication
- Removing or disabling Hybrid Modern Authentication from Skype for Business and Exchange