Skype for Business Blog

SfB Hybrid Modern Auth w/ EXO goes Public Preview

Natasha Desai
Microsoft
Oct 06, 2017

Last week at Microsoft Ignite, we announced that Modern Authentication for Skype for Business Server has gone to Public Preview. This means that the following topologies are now supported in Public Preview.

Note: grayed-out boxes represent components that do not exist in the deployment.

These configurations will enable customers to use Modern Auth-enabled security features such as Multi-Factor Authentication (MFA), Cert Based Authentication (CBA), Conditional Access (CA) and Mobile Application Management (MAM) for users who are homed onprem as well as those homed in the cloud.

 

Both of these topologies require you to use Azure Active Directory as the authorization server for your onprem SfB deployment (note the blue arrow from SfB onprem to AUTH in the cloud).

 

To see the full list of prerequisites and to join the “Hybrid Modern Authentication - w/ Exchange Online” Public Preview, please go to http://aka.ms/skypepreview.

 

Updated Oct 06, 2017
Version 1.0
  • @Eddie Burkett - If you have Exchange hybrid, we would like you to join our NDA TAP program for Hybrid Modern Auth (instead of the Public Preview one). This program supports turning on MA for Exchange onprem.

  • Bhavesh Shah

    Federated Identity is not a pre-req. You can use any O365 Supported way to use AAD including Password Hash Sync. The presentation focused on federated identity because it is a very common scenario.

  • Eddie Burkett

    We currently have Exchange set up in a hybrid scenario with users both online and on-prem. I'm reading over the requirements on the Skype Preview website, which say that Exchange on-prem is not currently supported.

     

    I'm not 100% clear on what this means--does that mean that we could still participate in the preview and only use modern auth for those folks whose mailboxes are in the cloud?

     

    If HMA is enabled, would EXO use modern auth and Exchange on-prem still use the same methods it does today?...or if HMA is enabled, would that completely break auth to Exchange on-prem?

     

    We're wanting to give this a try so that we can use Intune MAM for Skype on-prem. From talking with folks at Ignite a couple weeks back, we were told that HMA is a requirement for us to be able to do this.

     

    Thanks.

  • Natasha Desai- Saw your presentation at Ignite and are super excited about this.  We signed up for Public Preview this week and have reached out to our rep for quick engagement as we are in desperate need of MA and MFA for our environment... we are EXO and SFBO with SFB 2015.

  • Bhavesh Shah

    Natasha Desai

    Ignite presentation led me to believe that federated identity is mandatory for this to work. However, Skype preview pre-requisites suggest that it can work without on-premises STS. Can you please clarify that a customer with only synchronised identity can leverage AAD for authentication and it will be supported without on-premises STS?

     

    Thanks,

     

  • Bhavesh Shah

    Natasha Desai Great, thanks for the clarification. That will get us over the line for a couple of engagements. We have signed up for this preview and can't wait to get it finalised.

    Cheers, 

  • Eddie Burkett

    Natasha Desai ...thanks. I didn't realize you'd done a presentation at Ignite on this. I attended a session on troubleshooting MA, but I somehow missed yours.

     

    We would definitely be interested in joining the NDA TAP--we do already have an NDA in place with you guys. What do we need to do to get signed up?

     

    For anyone else who may have missed it, below is a link to Natasha's presentation. It was very helpful and answered a lot of questions!

    https://www.youtube.com/watch?v=BTNXv-4FjX4

     

    Also, here are links for the other two Ignite sessions on MA:

  • Eddie Burkett To sign up for TAP, go to aka.ms/skypepreview and sign in as the NDA customer. You will then see an option for the Hybrid Modern Auth TAP that includes Exchange onpremises.