Lync.exe failing MFA

%3CLINGO-SUB%20id%3D%22lingo-sub-1035288%22%20slang%3D%22en-US%22%3ERe%3A%20Lync.exe%20failing%20MFA%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1035288%22%20slang%3D%22en-US%22%3EThey%20might%20not%20be%20using%20S4B.%3CBR%20%2F%3E%3CBR%20%2F%3EHave%20you%20enabled%20modern%20auth%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1035355%22%20slang%3D%22en-US%22%3ERe%3A%20Lync.exe%20failing%20MFA%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1035355%22%20slang%3D%22en-US%22%3EYes%20we%20did%20have%20Lync%20but%20have%20since%20moved%20to%20S4B.%20the%20desktop%20guys%20say%20everyone%20has%20been%20updated%20but%20maybe%20that%E2%80%99s%20not%20the%20case.%3CBR%20%2F%3E%3CBR%20%2F%3ESimple%20question%2C%20does%20Lync%20support%20modern%20auth%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1035358%22%20slang%3D%22en-US%22%3ERe%3A%20Lync.exe%20failing%20MFA%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1035358%22%20slang%3D%22en-US%22%3ELast%20time%20I%20checked%2C%20the%20S4B%20client%20still%20presents%20itself%20as%20lync.exe%20in%20the%20AAD%20sign-in%20logs.%3CBR%20%2F%3E%3CBR%20%2F%3ES4B%20support%20modern%20auth.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1075426%22%20slang%3D%22en-US%22%3ERe%3A%20Lync.exe%20failing%20MFA%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1075426%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F186539%22%20target%3D%22_blank%22%3E%40Thijs%20Lecomte%3C%2FA%3E%26nbsp%3Bthat%20kind%20of%20makes%20sense.%26nbsp%3B%20Looking%20at%20the%20S4B%20in%20the%20task%20manager%20the%20running%20the%20process%20for%20S4B%20appears%20to%20be%20Lync.exe%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHowever%20you%20say%20S4B%20supports%20modern%20auth%20but%20when%20i%20look%20at%20AzureAD%20logs%20it%20fails%20MFA%20as%20non%20interactive.%26nbsp%3B%20The%20entry%20says%20%22%3CSPAN%3EUser%20did%20not%20pass%20the%20MFA%20challenge%20(non%20interactive).%22%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESo%20based%20on%20this%20I%20would%20expect%20S4B%20to%20not%20work%20yet%20it%20does.%26nbsp%3B%20Kind%20of%20contradictory.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1075860%22%20slang%3D%22en-US%22%3ERe%3A%20Lync.exe%20failing%20MFA%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1075860%22%20slang%3D%22en-US%22%3Ehave%20you%20enabled%20modern%20auth%20in%20S4B%3F%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fwww.ronnipedersen.com%2F2017%2F07%2F11%2Fenable-modern-authentication-for-skype-for-business-online%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwww.ronnipedersen.com%2F2017%2F07%2F11%2Fenable-modern-authentication-for-skype-for-business-online%2F%3C%2FA%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1034928%22%20slang%3D%22en-US%22%3ELync.exe%20failing%20MFA%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1034928%22%20slang%3D%22en-US%22%3E%3CP%3ERecently%20we%20implemented%20MFA%20and%20all%20the%20sudden%20i%20get%20loads%20of%20failed%20logins%20with%20Browser%20identified%20as%20Lync.exe%20with%20the%20failure%20%22User%20did%20not%20pass%20the%20MFA%20challenge%20(non%20interactive).%22%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EClearly%20Lync%20is%20the%20old%20version%20of%20Skype%20for%20Business.%26nbsp%3B%20If%20this%20is%20failing%20wouldn't%20the%20person%20be%20having%20issues%20with%20their%20Lync%20not%20working%3F%26nbsp%3B%20I%20would%20have%20thought%20so%20but%20no%20one%20is%20complaining.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1034928%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20AD%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1668335%22%20slang%3D%22en-US%22%3ERe%3A%20Lync.exe%20failing%20MFA%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1668335%22%20slang%3D%22en-US%22%3E%3CP%3EHi%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20also%20have%20legacy%20auth%20in%20the%20AAD%20sign-ins%20for%20lync.exe%20for%20one%20of%20our%20client%20ad%20for%20almost%20all%20their%20users.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ES4b%20is%20on-prem%20(not%20sure%20if%20in%20hybrid%20mode%20yet)%20%2B%20Mailboxes%20in%20Exchange%20Online%20(hybrid%20mode%20with%20a%20few%20service%20mailboxes%20on%20the%20on-prem%20Exchange%20server)%20%2B%20ADFS%20for%20authentication.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20want%20to%20enable%20MFA%20using%20Conditional%20access%20policies%20but%20we%20first%20need%20to%20get%20rid%20of%20these%20legacy%20authentications%20from%20lync.exe.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAnybody%20can%20confirm%20that%20going%20through%20the%20following%20procedure%20will%20enable%20Modern%20Auth%20for%20lync.exe%20without%20impacting%20the%20services%3F%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fenterprise%2Fconfigure-skype-for-business-for-hybrid-modern-authentication%3Fview%3Do365-worldwide%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fenterprise%2Fconfigure-skype-for-business-for-hybrid-modern-authentication%3Fview%3Do365-worldwide%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAnything%20else%20to%20consider%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThank%20you%20for%20you%20help.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1676976%22%20slang%3D%22en-US%22%3ERe%3A%20Lync.exe%20failing%20MFA%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1676976%22%20slang%3D%22en-US%22%3EHave%20you%20checked%20this%20registry%20settings%3F%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fskypeforbusiness%2Ftroubleshoot%2Fhybrid-exchange-integration%2Fallowadalfornonlyncindependentoflync-setting%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fskypeforbusiness%2Ftroubleshoot%2Fhybrid-exchange-integration%2Fallowadalfornonlyncindependentoflync-setting%3C%2FA%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1680282%22%20slang%3D%22en-US%22%3ERe%3A%20Lync.exe%20failing%20MFA%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1680282%22%20slang%3D%22en-US%22%3EGreat!%20It%20seems%20to%20work!%20Really%20appreciate%20you%20input%20here%20Thijs%20%3A)%3C%2Fimg%3E%3C%2FLINGO-BODY%3E
Highlighted
Contributor

Recently we implemented MFA and all the sudden i get loads of failed logins with Browser identified as Lync.exe with the failure "User did not pass the MFA challenge (non interactive)."

 

Clearly Lync is the old version of Skype for Business.  If this is failing wouldn't the person be having issues with their Lync not working?  I would have thought so but no one is complaining.

8 Replies
They might not be using S4B.

Have you enabled modern auth?
Highlighted
Yes we did have Lync but have since moved to S4B. the desktop guys say everyone has been updated but maybe that’s not the case.

Simple question, does Lync support modern auth?
Highlighted
Last time I checked, the S4B client still presents itself as lync.exe in the AAD sign-in logs.

S4B support modern auth.
Highlighted

@Thijs Lecomte that kind of makes sense.  Looking at the S4B in the task manager the running the process for S4B appears to be Lync.exe

 

However you say S4B supports modern auth but when i look at AzureAD logs it fails MFA as non interactive.  The entry says "User did not pass the MFA challenge (non interactive)."

 

So based on this I would expect S4B to not work yet it does.  Kind of contradictory.

Highlighted
Highlighted

Hi

 

We also have legacy auth in the AAD sign-ins for lync.exe for one of our client ad for almost all their users.

 

S4b is on-prem (not sure if in hybrid mode yet) + Mailboxes in Exchange Online (hybrid mode with a few service mailboxes on the on-prem Exchange server) + ADFS for authentication.

 

We want to enable MFA using Conditional access policies but we first need to get rid of these legacy authentications from lync.exe.

 

Anybody can confirm that going through the following procedure will enable Modern Auth for lync.exe without impacting the services?
https://docs.microsoft.com/en-us/microsoft-365/enterprise/configure-skype-for-business-for-hybrid-mo...

 

Anything else to consider?

 

Thank you for you help.

 

Highlighted
Highlighted
Great! It seems to work! Really appreciate you input here Thijs :)