Removing or disabling Hybrid Modern Authentication from Skype for Business and Exchange

If you've enabled Hybrid Modern Authentication (HMA) only to find it's unsuitable for your current environment, you can disable HMA. This article explains how.

Who is this article for?

If you've enabled Modern Authentication in Skype for Business Online or On-premises, and/or Exchange Online or On-premises and found you need to disable HMA, these steps are for you.

Important

See the 'Skype for Business topologies supported with Modern Authentication' article if you're in Skype for Business Online or On-premises, have a mixed-topology HMA, and need to look at supported topologies before you begin.

How to disable Hybrid Modern Authentication (Exchange)

  1. Exchange On-premises: Open the Exchange Management Shell and run the following commands:
Set-OrganizationConfig -OAuth2ClientProfileEnabled $false
Set-AuthServer -Identity evoSTS -IsDefaultAuthorizationEndpoint $false
  1. Exchange Online: Connect to Exchange Online with Remote PowerShell. Run the following command to turn your OAuth2ClientProfileEnabled flag to 'false':
Set-OrganizationConfig -OAuth2ClientProfileEnabled:$false

How to disable Hybrid Modern Authentication (Skype for Business)

  1. Skype for Business On-premises: Run the following commands in Skype for Business Management Shell:
Set-CsOAuthConfiguration -ClientAuthorizationOAuthServerIdentity ""
  1. Skype for Business Online: Connect to Skype for Business Online with Remote PowerShell. Run the following command to disable Modern Authentication:
Set-CsOAuthConfiguration -ClientAdalAuthOverride Disallowed

Link back to the Modern Authentication overview .