Last week at Microsoft Ignite, we announced that Modern Authentication for Skype for Business server has gone to Public Preview. This means  that the following topologies are now supported in Public Preview.


HMA with EXO.pngHMA - EXO and SFBonprem.png   















Note: the grayed out boxes mean they do not exist in the deployment.


These configurations will enable customers to use Modern Auth enabled security features such as Multi Factor Authentication (MFA), Cert Based Authentication (CBA),  Conditional Access (CA) and Mobile Application Management (MAM) for users who are homed onprem as well as those homed in the cloud.


Both of these topologies require you to use Azure Active Directory as the authorization server for your onprem SfB deployment (note the blue arrow from SfB onprem to AUTH in the cloud).


To see the full list of pre-requisites and to join “Hybrid Modern Authentication - w/ Exchange Online” Public Preview, please go to http://aka.ms/skypepreview .  


New Contributor

We currently have Exchange setup in a hybrid scenario with users both online and on-prem. I'm reading over the requirements on the Skype Preview website, which say that Exchange on-prem is not currently supported.


I'm not 100% clear on what this means--does that mean that we could still participate in the preview and only use modern auth for those folks whose mailboxes are in the cloud?


If HMA is enabled, would EXO use modern auth and Exchange on-prem still use the same methods it does today?...or if HMA is enabled, would that completely break auth to Exchange on-prem?


We're wanting to give this a try so that we can use Intune MAM for Skype on-prem. From talking with folks are Ignite a couple weeks back, we were told that HMA is a requirement for us to be able to do this.




@Natasha Desai- Saw your presentation at Ignite and are super excited about this.  We signed up for Public Preview this week and have reached out to our rep for quick engagement as we are in desperate need of MA and MFA for our environment... we are EXO and SFBO with SFB 2015.

Senior Member

@Natasha Desai

Ignite presentation lead me to believe that federated identity is mandatory for this to work. However, Skype preview pre-requisites suggest that it can work without on-premises STS. Can you please clarify that customer with only syncronised identity can leverage AAD for authentication and it will be supported without on-premises STS.





@Eddie Burket - If you have Exchange hybrid, we would  like you to join our NDA TAP program for Hybrid Modern Auth (instead of the Public Preview one).  This programs supports turning on MA for Exchange onprem.


@Bhavesh Shah

Federated Identity is not a pre-req.  You can use any O365 Supported way to use AAD including Password Hash Sync.  The presenation focused on federated identity because it is a very common scenario.


@Amie McClendon

Happy to have you be part of our Public Preview :)

Senior Member

 @Natasha Desai Great Thanks for the clarification. That will get us over the line for a couple of engagements. We have signed up for this preview and can't wait to get it finalised. 


New Contributor

@Natasha Desai ...thanks. I didn't realize you'd done a presentation at Ignite on this. I attended a session on troubleshooting MA, but I somehow missed yours.


We would definitely interested in joining the NDA TAP--we do already have an NDA in place with you guys. What do we need to do to get signed up?


For anyone else who may have missed it, below is a link to Natasha's presentation. It was very helpful and answered a lot of questions!



Also, here are links for the other two Ignite sessions on MA:


@Eddie Burkett  To sign up for TAP, go to aka.ms/skypepreview and sigin as the NDA customer. You will then see an option for the Hybrid Modern Auth TAP that includes Exchange onpremises.