Hybrid Modern Authentication for Skype for Business

Hello Balu N Ilag

Thanks for the feedback. Answers to your questions:

1. IS ADFS require for HMA? I have SFB On-prem and Exchange Online and all users sync to AAD, do I need ADFS? No you do not need ADFS. You can use any supported authentication method, like Azure AD connect with Password Sync. 

2. How do I test HMA with few users? because when we configure EXT and INT web services in O365 tenant all pool users will go redirect to ADD. If you don't have a test environment, there is no way really to test. You are correct that once you enable Oauth on SfB it will impact all users. The biggest negative impact would be if the clients themselves can't connect to our services for authentication which would cause authentication failures. If you confirm beforehand that all clients can connect to login.windows.net and login.microsoftonline.com, then that would help mitigate any out right failures to authenticate. Ideally you will want to cut over during a change management period, but failing that be prepared to revert back. Fallback to previous authentication method will occur as soon as replication completes in your configuration after issuing Set-CsOauthConfiguration cmdlet to revert back to previous setting. 

Typically, unless you've made other changes to your SfB configuration on premise, users will not be forced to reauthenticate until their SfB client certificate expires, so you wouldn't have all users attempting auth on cutover.