Forum Discussion
Conditional policies in Azure AD vs. Intune
- Jul 02, 2017
I have not found any pitfalls to enabling modern authentication for EXO or Skype for Business.
In my experience, it may take a few days before the setting takes effect for SFB, whereas there doesn't seem to be much delay for it to begin working in EXO.
One thing you may run into is that your Global Admins may struggle to get remote PowerShell to work after enabling MFA on their accounts. To solve this, download the latest PowerShell modules for SFB and Exchange.
Skype PowerShell Module Download
http://go.microsoft.com/fwlink/?LinkId=294688
New Exchange PowerShell Module that supports MFA
https://technet.microsoft.com/en-us/library/mt775114(v=exchg.160).aspx
The conditional access for Intune is merging into the Azure AD Premium conditional access in the Azure portal (http://portal.azure.com).
If you have a device enrolled in Intune, conditional access in Azure AD can leverage that to check compliance.
Joe Stocker, and there is no ADFS requirement for any of this to work, correct?
- Dean_Gross, Jul 03, 2017, Silver Contributor
In general you are correct. The list of reasons for using ADFS is getting shorter and shorter. The need for ADFS is typically driven by other requirements.
- Robert Woods, Jul 03, 2017, Steel Contributor
Thanks Dean_Gross. We want to use the Conditional Policies but just use password sync and not ADFS. I just wanted to triple check that turning on Modern Auth which seems to be required for the conditional policies to work was not going to hose any of my users that are still on 2013 apps.
- Joe Stocker, Jul 03, 2017, Bronze Contributor
Robert,
Since you mentioned you have users on Office 2013, you will need to roll out two registry keys as described here:
This is not required for Office 2016, as it supports modern authentication by default.
Note: If you do not roll out these registry keys, but you run the two PowerShell commands in your tenant for Exchange and Skype to support MFA, it does no harm. Just keep in mind the following sequence:
- Enable Modern Auth (MFA) at the tenant level by running the two PowerShell commands (one for Skype and one for Exchange)
- Roll out registry keys for Office 2013
- Enable users for MFA
So as you can see, until you enable a user for MFA, there is no impact to the users. Prior to enabling a user for MFA, just be sure to deploy the reg keys to them.
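A readiness gate for the three-step sequence in the post above, added here as an example and not part of the original thread. The function names and the sample inventory are hypothetical; the `OAuth2ClientProfileEnabled` and `ClientAdalAuthOverride` properties and the Office 2013 `EnableADAL`/`Version` registry values are assumptions taken from Microsoft's modern-authentication documentation, not from this page.

```powershell
# Added example; function names are hypothetical. Property and registry names are
# taken from Microsoft's modern-authentication documentation, not from this thread.

function Get-Office2013AdalState {
    # Step 2 evidence: read the two Office 2013 values in the user's own context.
    $key = 'HKCU:\SOFTWARE\Microsoft\Office\15.0\Common\Identity'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{ EnableADAL = [int]$p.EnableADAL; Version = [int]$p.Version }
}

function Get-MfaReadiness {
    param(
        # (Get-OrganizationConfig).OAuth2ClientProfileEnabled
        [Parameter(Mandatory)][bool]$ExoModernAuth,
        # (Get-CsOAuthConfiguration).ClientAdalAuthOverride
        [Parameter(Mandatory)][string]$SfbAdalOverride,
        # One object per user: User, OfficeMajor, EnableADAL, Version
        [Parameter(Mandatory)][object[]]$Clients
    )
    # Step 1 is done only when both workloads accept modern authentication.
    $tenantReady = $ExoModernAuth -and ($SfbAdalOverride -eq 'Allowed')
    foreach ($c in $Clients) {
        $verdict = if (-not $tenantReady) {
            'Blocked: step 1 (tenant modern auth) incomplete'
        } elseif ($c.OfficeMajor -ge 16) {
            'Ready for MFA'   # Office 2016 needs no registry keys
        } elseif ($c.OfficeMajor -eq 15 -and $c.EnableADAL -eq 1 -and $c.Version -eq 1) {
            'Ready for MFA'
        } elseif ($c.OfficeMajor -eq 15) {
            'Blocked: step 2 (Office 2013 registry keys) missing'
        } else {
            'Blocked: Office version not covered here'
        }
        [pscustomobject]@{ User = $c.User; Verdict = $verdict }
    }
}

# Constructed sample inventory (not real users or real tenant output).
# On real clients, EnableADAL/Version would come from Get-Office2013AdalState.
$clients = @(
    [pscustomobject]@{ User = 'alice'; OfficeMajor = 16; EnableADAL = 0; Version = 0 }
    [pscustomobject]@{ User = 'bob';   OfficeMajor = 15; EnableADAL = 1; Version = 1 }
    [pscustomobject]@{ User = 'carol'; OfficeMajor = 15; EnableADAL = 0; Version = 0 }
)
Get-MfaReadiness -ExoModernAuth $true -SfbAdalOverride 'Allowed' -Clients $clients
```

Only users reported as ready would then be enabled for MFA; the others show which earlier step still has to be completed for them.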
- Mitul Sinha, May 25, 2018, Iron Contributor
Robert Woods Moreover, ADFS and EM+S features are in the same pace. And to manage ADFS and all its proxy servers is a tough job. So EM+S is a cloud platform mainly handled by Microsoft, and the best practice is to remove ADFS, as it conflicts in many places, like with EM+S features such as Azure AD Premium (Conditional Access policy).