Hybrid Modern Authentication overview and prerequisites for using it with on-premises Skype for Business and Exchange servers
This article applies to both Office 365 Enterprise and Microsoft 365 Enterprise.
Modern Authentication is a method of identity management that offers more secure user authentication and authorization. It's available for Office 365 hybrid deployments of Skype for Business server on-premises and Exchange server on-premises, as well as, split-domain Skype for Business hybrids. This article links to related docs about prerequisites, setup/disabling Modern Authentication, and to some of the related client (ex. Outlook and Skype clients) information.
What is Modern Authentication?
When talking about communication between a client (for example, your laptop or your phone) and a server, Microsoft uses the phrase 'Modern authentication'.
Modern authentication is an umbrella term for a combination of authentication and authorization methods, as well as some security measures that rely on access policies that you may already be familiar with. It includes:
Authentication methods: Multi-factor Authentication; Client Certificate-based authentication.
Authorization methods: Microsoft's implementation of Open Authorization (OAuth).
Conditional access policies: Mobile Application Management (MAM) and Azure Active Directory Conditional Access.
Managing user identities with Modern Authentication gives administrators many different tools to use when it comes to securing resources and offers more secure methods of identity management to both on-premises (Exchange and Skype for Business), Exchange hybrid, and Skype for Business hybrid/split-domain scenarios.
Be aware that because Skype for Business works closely with Exchange, the login behaviour Skype for Business client users will see will be effected by the Modern Authentication status of Exchange. This will also apply if you have a Skype for Business split-domain hybrid. Also, the type of Skype for Business Hybrid that supports the use of Modern Authentication is often called a 'split-domain' (in a split-domain, you have both Skype for Business Online and Skype for Business on-prem, and users are homed in both locations).
Did you know that, as of August of 2017, all new Office 365 tenants that include Skype for Business online and Exchange online will have Modern Authentication enabled by default? Pre-existing tenants won't have a change in their default MA state, but all new tenants automatically support the expanded set of identity features you see listed above. To check your MA status for Skype for Business online, you can use Skype for Business online PowerShell with Global Admin credentials. Run
Get-CsOAuthConfiguration to check the output of -ClientADALAuthOverride. If -ClientADALAuthOverride is 'Allowed' your Modern Authentication is on.
What changes when I use Modern Authentication?
When using Modern Authentication with on-premises Skype for Business or Exchange server, you're still authenticating users on-premises, but the story of authorizing their access to resources (like files or emails) changes. This is why, though Modern Authentication is about client and server communication, the steps taken during configuring MA result in evoSTS (a Security Token Service used by Azure AD) being set as Auth Server for Skype for Business and Exchange server on-premises.
The change to evoSTS allows your on-premises servers to take advantage of OAuth (token issuance) for authorizing your clients, and also lets your on-premises use security methods common in the cloud (like Multi-factor Authentication). Additionally, the evoSTS issues tokens that allow users to request access to resources without supplying their password as part of the request. No matter where your users are homed (of online or on-premises), and no matter which location hosts the needed resource, EvoSTS will become the core of authorizing users and clients once Modern Authentication is configured.
Here's an example of what I mean. If Skype for Business client needs to access Exchange server to get calendar information on behalf of a user, it uses the Active Directory Authentication Library (ADAL) to do so. ADAL is a code library designed to make secured resources in your directory available to client applications using OAuth security tokens. ADAL works with OAuth to verify claims and to exchange tokens (rather than passwords), to grant a user access to a resource. In the past, the authority in a transaction like this one -- the server that knows how to validate user claims and issue the needed tokens -- might have been a Security Token Service on-premises, or even Active Directory Federation Services. However, Modern Authentication centralizes that authority with Azure Active Directory (Azure AD) in the Cloud.
This also means that even though your Exchange server and Skype for Business environments may be entirely on-premises, the authorizing server will be online, and your on-premises environment must have the ability to create and maintain a connection to your Office 365 subscription in the Cloud (and the Azure Active Directory instance that your subscription uses as its directory).
What doesn't change? Whether you're in a split-domain hybrid or using Skype for Business and Exchange server on-premises, all users must first authenticate on-premises . In a hybrid implementation of Modern Authentication, Lyncdiscovery and Autodiscovery point to your on-premises server.
If you need to know the specific Skype for Business topologies supported with MA, that's documented right here.
Check the Modern Authentication status of your on-premises environment
Because Modern Authentication changes the authorization server used when services leverage OAuth/S2S, you need to know if Modern Authentication is On or Off for your Skype for Business and Exchange environment. You can check the status on your Exchange or Skype for Business servers, on premises, by running the
Get-CSOAuthConfiguration command in PowerShell. If the command returns an empty 'OAuthServers' property, then Modern Authentication is disabled.
Do you meet Modern Authentication prerequisites?
Verify and check these items off your list before you continue:
Skype for Business specific
All servers must have May 2017 cumulative update (CU5) for Skype for Business Server 2015 or later
Exception - Survivability Branch Appliance (SBA) can be on the current version (based on Lync 2013)
Your SIP domain is added as a Federated domain in Office 365
All SFB Front Ends must have connections outbound to the internet, to Office 365 Authentication URLs (TCP 443) and well known certificate root CRLs (TCP 80) listed in Rows 56 and 125 of the 'Microsoft 365 Common and Office' section of Office 365 URLs and IP address ranges.
Skype for Business on-premises in a hybrid Office 365 environment
A Skype for Business Server 2019 deployment with all servers running Skype for Business Server 2019.
A Skype for Business Server 2015 deployment with all servers running Skype for Business Server 2015.
A deployment with a maximum of two different server versions as listed below:
- Skype for Business Server 2015 and Skype for Business Server 2019
All Skype for Business servers must have the latest cummulative updates installed, see Skype for Business Server updates to find and manage all available updates.
There is no Lync Server 2010 or 2013 in the hybrid environment.
Note If your Skype for Business front-end servers use a proxy server for Internet access, the proxy server IP and Port number used must be entered in the configuration section of the web.config file for each front end.
C:\Program Files\Skype for Business Server 2015\Web Components\Web ticket\int\web.config
C:\Program Files\Skype for Business Server 2015\Web Components\Web ticket\ext\web.config
<system.identityModel.services> <system.net> <defaultProxy> <proxy proxyaddress="https://192.168.100.60:8080" bypassonlocal="true" /> </defaultProxy> </system.net> </system.identityModel.services>
Be sure to subscribe to the RSS feed for Office 365 URLs and IP address ranges to stay current with the latest listings of required URLs.
Exchange Server specific
You're using either Exchange server 2013 CU19 and up, Exchange server 2016 CU8 and up, or Exchange Server 2019 CU1 and up.
There is no Exchange server 2010 in the environment.
SSL Offloading is not configured. SSL termination and re-encryption is supported.
In the event your environment utilizes a proxy server infrastructure to allow servers to connect to the Internet, be sure all Exchange servers have the proxy server defined in the InternetWebProxy property.
Exchange Server on-premises in a hybrid Office 365 environment
If you are using Exchange server 2013, At least one server must have the Mailbox and Client Access server roles installed. While it is possible to install the Mailbox and Client Access roles on separate servers, we strongly recommend that you install both roles on each server to provide additional reliability and improved performance.
If you are using Exchange server 2016 or later version, at least one server must have the Mailbox server role installed.
There is no Exchange server 2007 or 2010 in the Hybrid environment.
All Exchange servers must have the latest cummulative updates installed, see Upgrade Exchange to the latest Cumulative Updates to find and manage all available updates.
Exchange client and protocol requirements
- The following clients support modern authentication:
Clients Primary Protocol Notes Outlook 2013 and Outlook 2016 MAPI over HTTP MAPI over HTTP must be enabled within Exchange in order to leverage modern authentication with these clients (usually enabled or True for new installs of Exchange 2013 Service Pack 1 and above); for more information see How modern authentication works for Office 2013 and Office 2016 client apps.
Ensure you are running the minimum required build of Outlook; see Latest updates for versions of Outlook that use Windows Installer (MSI).
Outlook 2016 for Mac Exchange Web Services Outlook for iOS and Android See Using hybrid Modern Authentication with Outlook for iOS and Android for more information. Exchange ActiveSync clients (e.g., iOS11 Mail) Exchange ActiveSync For Exchange ActiveSync clients that support modern authentication, you must recreate the profile in order to switch from basic authentication to modern authentication.
If you use ADFS, you should have Windows 2012 R2 ADFS 3.0 and above for federation
Your identity configurations are any of the types supported by AAD Connect (such as password hash sync, pass-through authentication, on-premises STS supported by Office 365, et cetera.)
You have AAD Connect configured and functioning for user replication and sync.
You have verified that hybrid is configured using Exchange Classic Hybrid Topology mode between your on-premises and Office 365 environment. Official support statement for Exchange hybrid says you must have either current CU or current CU - 1.
Hybrid Modern Authentication is not supported with the Hybrid Agent.
Make sure both an on-premises test user, as well as a hybrid test user homed in Office 365, can login to the Skype for Business desktop client (if you want to use Modern Authentication with Skype) and Microsoft Outlook (if you want so use Modern Authentication with Exchange).
What else do I need to know before I begin?
All the scenarios for on-premises servers involve setting up Modern Authentication on-premises (in fact, for Skype for Business there is a list of Supported topologies) so that the server responsible for authentication and authorization is in the Microsoft Cloud (AAD's security token service, called 'evoSTS'), and updating Azure Active Directory (AAD) about the URLs or namespaces used by your on-premises installation of either Skype for Business or Exchange. Therefore, on-premises servers take on a Microsoft Cloud dependency. Taking this action could be considered configuring 'hybrid auth'.
This article links out to others that will help you choose supported Modern Authentication topologies (necessary only for Skype for Business), and how-to articles that outline the setup steps, or steps to disable Modern Authentication, for Exchange on-premises and Skype for Business on-premises. Favourite this page in your browser if you're going to need a home-base for using Modern Authentication in your server environment.
List of Modern Authentication URLs