Skype iOS client and MFA Supportability

Steel Contributor

Problem: Skype for Business for iOS mobile client cannot sign into Skype for Business *Online* after enabling MFA. 

ADAL was enabled 2 days ago (1/17/17) in the Office 365 tenant

Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed

( I also enabled ADAL for Exchange Online with this command:

Set-OrganizationConfig -OAuth2ClientProfileEnabled $true)

 

Reference 1: https://support.office.com/en-us/article/Enable-Exchange-Online-for-modern-authentication-58018196-f...

Reference 2: https://aka.ms/SkypeModernAuth

 

The work-around is to use MFA App Passwords, however, we shouldn't have to do that since the documentation states that the Skype for Business PC client is supposed to work because according to these two articles:

https://blogs.office.com/2015/11/19/updated-office-365-modern-authentication-public-preview/ 

And th KB 3126604 

 

17 Replies

Yes, that is the same article that I quoted at the bottom of my question but I referred to it as KB 3126604 (but it links to the same place your URL points to).

According to that article, The iOS mobile client for Skype for Business should be compatible with MFA but instead it requires me to put in an App Password.

@Joe Stocker, I had the same problem as you after enabling MFA on my user and enabling Modern Authentication on SfB Online + Exchange Online (IOS app right now 6.11.1.310). I agree with you, according to the KB3126604 , it's quite clear that if you're a pure online Office 365 tenant, MFA should work on IOS and Android.

 

For me, the problem was that I had played around with the app settings. On the logon screen, check Advanced Options before signing in -  I had a different old User Name entered there at the top.

Well that was a good hint. I didn't have anything special in Advanced Settings configured, but I just tried deleting the Skype for Business iOS app and redownloading it from the AppStore and what do know ... I wasn't able to login in either before (with MFA) and now suddenly I am!

Excellent! :)
The username field in Advanced Options was already empty for me, so that did not help me.
that fixed it for me!
So it seems to be a bit of a bug because many organizations have deployed SFB Mobile first, then MFA later. It seems we have both reproduced the issue where after enabling MFA, you have to remove the app and re-download it before it will work.
I confirmed this was the case by logging into a separate phone that had never had the SFB Mobile app on it, and it worked correctly the first time with MFA.
Deleting the app did the trick for me as well. I recently moved my mailbox to exchange online and switched mfa on. Afterwards the ios app complained about my exchange settings even though I did not had anything set under advanced.
well, seems I celebrated to early. :) While Skype is working now, I still get pestered about that my Exchange settings are not correct and I am clueless about what to enter in advanced. Most likely the issue arrises from the fact, that we have a hybrid setting and all the DNS entries are still pointing to the on premise Exchange server and the Skype App is unable to work with the redirect (it should get right?) to the Exchange Online service for my mailbox.

Anyone has an idea what I have to enter in the Exchange Settings in Skype to get this working? (I have MFA enabled in both skype and exchange online btw already).

You may need to generate an Application Password and use that for the Exchange prompt you get in Skype. (https://docs.microsoft.com/en-us/azure/multi-factor-authentication/end-user/multi-factor-authenticat...)

For me, it took 3 to 4 days after running this command before I stopped getting that Exchange prompt in Skype:

Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed

For more info see

 https://aka.ms/SkypeModernAuth

 

In summary, It seems that after you enable MDAL in the Skype Powershell, that it does not take effect immediately.I have found a few forums that indicated that they also experienced several days of delay (reference: https://www.reddit.com/r/Office365/comments/4v5k39/adal_auth_with_azure_mfa_creating_a_new_outlook/)

 

 

Did you try deleting and re-installing the App again and try? As Ivan pointed out above, that was something he had to do even though is advanced user name field was empty.

The strange thing is, that I do NOT get another prompt to enter credentials for Exchange. Just a short info slider from the top stating that my exchange settings are not correct and that I have to change them. But with you mentioning that it might take a few days I will just be patient and sit out the weekend and try again! :)

 

the settings seems already be active, as I just had to use an Application Password to get into a powershell session with skype online to check the CsOAuthConfiguration (btw, isnt there a new command for that credential save in powershell to use MFA as well? MFA works with Connect-EXOPSSession for Exchange Online but not with Get-Credentials I just used for Skype it seems).

 

And to reiterate again, my problem doesnt seem to be MFA, but the inability of the Skype iOS App to understand where my Exchange mailbox is (its no longer on premise, it moved to Exchange Online, but all the DNS settings still point to on premise as best practise suggests).

 

and maybe I just make up a new thread, as the OPs subject is misleading to my problem I just realised. :)

 

That issue (EXO prompting for password) should go away with the latest IOS Preview client 6.13.0.102. Even after following the correct steps with respect to MFA, this was the only build that didn't require an actual app password to connect to EXO.

is that Preview available in TestFlight or how can we access that?

Yes - Preview I posted about is currently avaiable in TestFlight.

As a further update, build 6.14.0.224 (released April 17th) seems to have fully resolved all MFA issues experience to date.