Lately many customers have been asking whether we support Modern Auth (MA) for the topology where Skype for Business (SfB) and Exchange are both on-premises but not hybrid (no users or mailboxes moved to the cloud). The answer is yes. This topology allows you to use features such as Office 365 Multi-Factor Authentication (MFA) and Intune MAM with users who are homed on-premises.
The following is a high-level explanation of the steps needed to enable Modern Auth for Skype for Business on-premises with Azure AD (AAD). For more detail, see Carolyn's blog post here. Essentially, these are the first set of steps you would perform to set up SfB hybrid, but they are not the full set of hybrid steps.
Note: If you enable MA for only one of the two servers (Exchange or SfB) but not the other, your users may see multiple authentication prompts, because the two workloads will be using different authentication flows. We recommend enabling MA on both servers for the best end-user experience.
I am going to assume we start with a completely on-premises deployment, so typically you would have only SfB on-premises, Exchange on-premises and Active Directory on-premises.
To enable Modern Auth on SfB onprem with AAD:
To enable Modern Auth for Exchange on-premises with AAD, you need to follow all the steps described here. Essentially, you will set up Exchange Hybrid and enable Hybrid Modern Authentication (HMA), but you do not have to move any mailboxes to Exchange Online.
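Because the prompts described in the note above come from having MA on only one side, it is worth verifying both sides before telling users anything. The following is an added example, not part of the original post or Microsoft's published steps: a read-only check, run from the Skype for Business Server Management Shell (part 1) and the Exchange Management Shell on-premises (part 2), that shows whether each server is pointed at Azure AD for OAuth. It assumes the Azure AD OAuth server object was created under the conventional name evoSTS; substitute your own name if you chose a different one.

```powershell
# Added example, not from the original post. Read-only: it changes nothing.
# Part 1 runs in the Skype for Business Server Management Shell,
# part 2 in the Exchange Management Shell (on-premises).
# 'evoSTS' is an assumption: it is the conventional name for the Azure AD
# OAuth server object; substitute yours if you named it differently.

# --- 1. Skype for Business Server: are client tokens issued by Azure AD?
$oauth = Get-CsOAuthConfiguration
Write-Host "SfB ClientAuthorizationOAuthServerIdentity: $($oauth.ClientAuthorizationOAuthServerIdentity)"
# Expected once MA is enabled: evoSTS
# (an empty value means no client authorization server has been set, i.e. MA is off)
Get-CsOAuthServer | Format-Table Identity, Type, IssuerIdentifier, MetadataUrl -AutoSize
# Expected: an entry of Type AzureAD whose MetadataUrl points at the login.windows.net
# federation metadata for your tenant

# --- 2. Exchange Server on-premises: is HMA enabled?
$org = Get-OrganizationConfig
Write-Host "Exchange OAuth2ClientProfileEnabled: $($org.OAuth2ClientProfileEnabled)"
# Expected once HMA is enabled: True
Get-AuthServer | Format-Table Name, Type, IsDefaultAuthorizationEndpoint, Enabled -AutoSize
# Expected: an entry of Type AzureAD with IsDefaultAuthorizationEndpoint True and Enabled True
```

If part 1 shows evoSTS but part 2 shows False (or the reverse), you are in exactly the half-enabled state the note warns about, and users will see the extra prompts until the second side is finished.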
Modern Auth for SfB OnPrem with AAD
- Chad Phillips (Copper Contributor)
How about on-prem SfB using Exchange Online?
- Natasha Desai (Microsoft)
Chad Phillips - Yes, that topology (EXO and SfB on-prem) is supported for MA. Turn on MA for EXO, then use the instructions above to turn on MA on SfB on-prem.
- Chad Phillips (Copper Contributor)
Any issues to note with turning on MA for on-prem Skype? (Thinking of VVX desk phones using PIN auth, CTE phones, Skype SRS, Skype mobile, SfB DECT phones, etc.)
- Johan van der Stelt (Copper Contributor)
Hi Natasha,
How about the on-prem Resource Forest model? SfB runs in forest A and users are homed in forest B. For authentication you need a forest trust. Do we still need to configure the forest trust when using Modern Auth for SfB on-prem with AAD?
- Natasha Desai (Microsoft)
Chad,
In general, the thing to be aware of is that in order for MA to be used, both the client and the server need to have it turned on. Here is a list of clients that do NOT support MA and therefore will not be able to use MA features. (This is true regardless of whether the server is online or on-prem.)
The following Skype for Business clients do NOT support MA:
- Skype for Business Web Chat experience hosted in Outlook Web Access
- Skype Meeting App
- Room Systems
- Non-3PIP IPPhones
- LWA
- WebScheduler
- Lync for Mac
- Natasha Desai (Microsoft)
Johan, yes, you still need to configure the forest trust between the user and resource forests.
- BikeTech (Brass Contributor)
Ok, so I have EXO and SfBO and I use MFA. The only way I can get SfB working on any mobile device is to use the one-time app password. For instance, an iPhone on the latest iOS with version 6.20.1.1 of SfB requires the one-time app password.
Is this normal behavior? Users do not know their one-time app password.
Thanks
- Natasha Desai (Microsoft)
John,
No, this is not normal behavior. Please open a case with our Support organization and make sure to include a Fiddler trace. If you are using on-premises ADFS, you will need to exclude the ADFS URL from the decrypted HTTPS trace.
https://docs.telerik.com/fiddler/Configure-Fiddler/Tasks/ConfigureForiOS
- Petri-X (Bronze Contributor)
If corporations start planning this, the first question would be: can this be piloted? Can a small group of users be covered by this while the others are still on the old process?
The next question is, could you clarify your statement "All SfB Front Ends must have outbound access to the internet" a bit? It is quite normal that on-premises systems are behind multiple firewalls and the only way out is through proxies. How could we point the Front Ends to the correct route to the internet? Also, when the proxy is the only gateway, external name resolution becomes less important, as no direct connections are allowed. For your background, I have used the netsh winhttp proxy today, but at least the "LS Storage Service" does not fully respect it.
- IAM_Consultant (Copper Contributor)
Hey, thanks for such a nice article. I have one question. Is it possible to configure Modern Authentication using an external IdP or federation server sitting on-premises, without using Azure AD (cloud)? We have vendors like Ping and IBM that support a federation server with MFA capability, and the client is looking for an on-premises-only solution. It would be great if you could share your thoughts on this, please.