Lately a lot of customers have been asking if we support Modern Auth for the following topology where SfB and Exchange are onprem (but are not hybrid).  The answer is YES!   This topology allow you to use features like O365 Multi Factor Auth (MFA) and Intune MAM with your users who are homed onprem.


 MA for SfB Onprem with AAD.png

NOTE: Gray components indicate they do not exist in the topology.   So, this topology only has Exchange onprem and Skype for Business onprem.



The following is a high level explanation of the steps needed to enable Modern Auth for Skype for Business onpremises with AAD. For greater details, you can find them in Carolyn's blog post here.  Essentially, these are the first set of steps you would need to do to set up SfB hybrid, but it is not all the steps required. 


Note: If you only enable MA for one of the servers (either Exchange or SfB), but not both, your users may see multiple authentication prompts.  We recommend you enable MA for both servers to get the best end user experience.


I am going to assume we start with a completely onprem deployment.  So, typically, you would only have SfB onprem, Exchange onprem and AD onprem.


To enable Modern Auth on SfB onprem with AAD:

  1. Ensure you meet the basic pre-reqs for SfB HMA. Namely:
    1. All SfB servers running 2015 CU5 or greater
    2. All SfB Front Ends must have outbound access to the internet.


  1. Get an O365 tenant.
  2. Add your SIP domain as a Federated domain in Office 365.
    1. Do this is in the O365 admin portal àSetup àDomain section.
    2. Do NOT make any DNS changes as the wizard will ask you to do.  All DNS records should still point to OnPrem for SFB to work.


  1. Sync your users from onprem AD to AAD using AADConnect.  There are many options here and you can use any option that is officially supported by the AAD team (Password Hash Sync, Pass Through Authentication, Federation with AD onprem, Federation with a 3rd party STS). 
    1. You MUST sync the SFB attributes to AAD.  You can see a list of these attributes here
    2. If you use the AADConnect wizard, you get these automatically for single forest deployments.  If you have a resource forest topology, use the account/resource forest topo here. It joins on ObjectSID and msExchangeMasterAccountSID attributes.
  2. Assign one user in O365 an SfB license.
    1. Yes, you will have to buy this one license.
    2. This user can be the tenant admin user that gets created by default when you create a tenant, or it can be a new user you create. This does NOT mean you have to move any users from SfB onprem to SfBonline.  And this user doesn't really have to use the service.  Why do you have to do this step? Well, if you don’t, then you cannot do step #4, which is critical. It turns out doing this step hooks up some plumbing to allow you to do step #4.
  3. Follow the steps in the "Turn on Hybrid Modern Authentication for Skype for Business on-premises" section of this article.  The steps can be boiled down to the following:
    1. Tell AAD about onprem webservice urls.
      1. This is a very important step. When HMA was in TAP, most (if not all) issues encountered by customers were due to a mistake made in this step.
    2. Turn on MA for SfB onprem server.



To enable Modern Auth for Exchange on-premises with AAD, you need to follow all the steps described here.  Essentially, you will set up Exchange Hybrid and enable HMA but you don’t have to move any mailboxes to Exchange online.


Regular Visitor

How about onprem sfb using exchange online?


@Chad Phillips - Yes, that topo (EXO and SfB onprem) is supported for MA. Turn on MA for EXO, then use the instructions above to turn on MA on SfB onprem. 

Regular Visitor

Any issues to note with turning on MA for onprem skype?  (thinking vvx deskphones using PIN Auth, cte phones, skype srs, skype mobile, sfb DECT phones, etc...)

Frequent Visitor

Hi Natasha,


How about Onprem Resource Forest model? sfb runs in forest A en users are homed in forest B. For authentication you need a Forest Trust. Do we still need to configure the Forest trust when using Modern Auth for SfB OnPrem with AAD?



In general, the thing to be aware of is that in order for MA to be used both the client and the server needs to have it turned on.  Here is a list of clients that do NOT support MA and therefore, will not be able use MA features.  (This is true regardless of if the server is online or onprem).


The following Skype for Business clients do NOT support MA:

  • Skype for Business Web Chat experience hosted in Outlook Web Access
  • Skype Meeting App
  • Room Systems
  • Non-3PIP IPPhones
  • LWA
  • WebScheduler
  • Lync for Mac




Yes, you still need to configure the forest trust between the user and resource forest.  

Occasional Contributor

Ok, so I have EXO and SfBO and I use MFA.  The only way I can get SfB working on any Mobile device is to use the one-time app password.  For instance iPhone latest IOS and vers of SfB requires the one time app password. 


Is this normal behavior?  User do not know their one-time app password.





No, this is not normal behavior.  Please open a case with our Support organization and make sure to include a fiddler trace.  If you are using on-premises ADFS, you will need to exclude the URL that is doing a decrypted HTTPS trace.  



I corporations start planning this, then the first question would be, can this be piloted? And small group of users be covered by this, while others are still old process.

Next question is, could you clarify your statement: "All SfB Front Ends must have outbound access to the internet" a bit?  It is quite normal that on-premise systems are behind multiple firewalls and the only option to go out are the proxies. How we could show to the Front Ends to the correct route to internet? Also, when the proxy is the only gateway, that makes external name resolution to less important as no direct connections are allowed. For your background, I have used netsh winhttp proxy today, but at least "LS Storage Service" does not fully respect that.