Blog Post

Skype for Business Blog
2 MIN READ

Modern Authentication for the Skype for Business Online Windows PowerShell Module

Thomas Binder's avatar
Thomas Binder
Icon for Microsoft rankMicrosoft
Apr 28, 2017

Modern Authentication is an authentication mechanism replacing NTLM or Kerberos and allows to enable scenarios like multi-factor authentication.


In the past, you couldn’t leverage Modern Authentication if you wanted to connect as an administrator via remote PowerShell to manage Skype for Business Online. This meant that you had to use an administrator account that did not enforce Modern Authentication.


For administrators to benefit from the additional security that Modern Authentication provides, we updated the Skype for Business Online Windows PowerShell Module. Note: You must have version 7.0.1045.0 or higher (link is at the end of this article).


In addition, to use multi-factor authentication, you can no longer provide a PSCredential object to New-CsOnlineSession. New-CsOnlineSession will prompt for credentials without a PSCredential object, so you will always get a pop-up to provide your credentials. The credentials can be used for up to 8 hours, then you must re-authenticate after 8 hours.


Examples of how to use the new connector with a modern authentication enabled tenant:       

 

New-CsOnlineSession user@domain.com

Prompts credentials of the specified user, using multi-factor authentication enabled for that user.

New-CsOnlineSession

Prompts for admin UPN, then prompt for credentials for that user, using multi-factor authentication if enabled.

New-CsOnlineSession <PSCredential>

Not valid if multi-factor authentication is enabled for the user. Included so that existing scripts for admins using username and password only, will continue to work.

 

Deployment considerations
There are a few known issues we want to point out:

  • Session expiration: Sessions expire after 8 hours. When they do, a pop-up asks you for credentials, but this but this pop-up will not accept any credential you can provide (as it is expecting an OAuth token). A way how to remove the existing session is:
    $SkypeSession = Get-PSSession
    Remove-PSSession $SkypeSession
    It is also important to keep the session expiration in mind if you plan to run scripts that might run longer than 8 hours.
  • Installation on unpatched Windows Server 2012 R2: Installation of the Skype for Business Online Windows PowerShell Module might fail if you are running it on an unpatched Windows Server 2012 R2. The reason is that it is using an incompatible version of vcredist. We always recommend to keep all systems fully patched, this will also resolve this issue.
  • Managing Cloud Connector Edition: A tenant global administrator account is required for Cloud Connector, to add or remove appliances, enable or disable automatic OS updates, and enable or disable automatic binary updates. While this account can be enabled for Modern Authentication it must not be enabled for multi-factor authentication - otherwise managing Cloud Connector Edition will fail.

Call to action:

  1. Learn more about Modern Authentication our wiki: Skype for Business Online: Enable your tenant for modern authentication.
  2. Download the latest Skype for Business Online Windows PowerShell Module.
  3. Enable your tenant and the administrators for remote PowerShell.
  4. Questions or comments? Discuss with us in the SOF Community.
Updated Apr 28, 2017
Version 2.0
  • Dilip Sasikumar's avatar
    Dilip Sasikumar
    Copper Contributor

    Sorry if i understood the session timeout incorrectly. After every 8 hours we should remove the csonline session and reestablish correct?