Today, I am very happy to announce General Availability (GA) for Hybrid Modern Authentication (HMA) for Skype for Business and Exchange.  This is a major milestone in our Modern Authentication journey.

This will enable customers to use Modern Auth enabled security features such as Multi Factor Authentication (MFA), Cert Based Authentication (CBA),  AAD Conditional Access (CA) and Intune Mobile Application Management (MAM) for all their users, both those homed online as well as those homed onprem.


Here is a visual of the topology:

 HMA - EX and SfB onprem.png



This design requires you to use Azure Active Directory as the authorization server for your onprem SfB and onprem Exchange deployments (note the blue arrow from SfB onprem and Exchange onprem to AUTH in the cloud).


The prerequisites and instructions to enable HMA can be found here: https://aka.ms/ModernAuthOverview


Updated list of SfB MA Supported Topologies is here: Skype for Business topologies supported with Modern Authentication


Also, two of my colleagues have published their own excellent blogs on this topic.

Announcing Hybrid Modern Authentication for Exchange On-Premises

Hybrid Modern Authentication for Skype for Business





If I running hybrid exchange mode, do I need to enable both exchange on-prem and exchange online or just enable online MFA to support exchange online user is enough?


Hi John, 

To support MFA for exchange online users, just turning on MA in Exchange online is enough.  However, it means users may get multiple prompts when logging in.  We recommend you turn on MA on both Exchange onprem and Exchange online for the best user experience.

New Contributor

Is MFA supported when using EXO with SfBO and SfB On-Prem Hybrid? I do not see it specifically referenced, but I assume with would be the same as the above mentioned diagram just without the EXCH portion.



Yes, MA and O365 MFA is supported when using EXO with SfBO and SfB On-Prem Hybrid.  This is just a subset of the above diagram.  Your assumption is correct.