Skype client with modern auth keep asking for Exchange Credentials

%3CLINGO-SUB%20id%3D%22lingo-sub-118946%22%20slang%3D%22en-US%22%3ESkype%20client%20with%20modern%20auth%20keep%20asking%20for%20Exchange%20Credentials%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-118946%22%20slang%3D%22en-US%22%3E%3CP%3EHello%2C%20we%20have%20a%20customer%20where%20Exchange%20and%20Skype%20for%20Business%20are%20both%20deployed%20as%20purely%20Online%20solutions.%20For%20both%20of%20them%2C%20we%20enabled%20modern%20authentication%20(ADAL).%20Clients%26nbsp%3Bhave%26nbsp%3BWindows%2010%20with%20Office%202016%20(ProPlus%20from%20Office%20365).%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIt%20works%20most%20of%20the%20time%20fine%20and%20without%20app%20passwords.%20But%20we%20have%20a%20network%20that%20is%20in%20Azure%20AD%20marked%20as%20the%20trusted%20network%20where%20MFA%20is%20not%20needed.%20When%20we%20switch%20the%20network%20connection%20from%20this%20to%20other%2C%20like%20to%20VPN%20or%20roam%20between%20LAN%20and%20Wi-Fi%20(but%20on%20same%20public%20address%20space)%2C%20Exchange%20in%20Skype%20client%20starts%20asking%20for%20the%20password.%20It%20does%20not%20trigger%20MFA%20password%2C%20but%20only%20app%20password%20will%20start%20work.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDoes%20someone%20saw%20the%20same%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20229px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F22548i22FC6DACFC302D7C%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22S4B_Credentials.png%22%20title%3D%22S4B_Credentials.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-118946%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EDesktop%20Client%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESign-in%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-171071%22%20slang%3D%22en-US%22%3ERe%3A%20Skype%20client%20with%20modern%20auth%20keep%20asking%20for%20Exchange%20Credentials%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-171071%22%20slang%3D%22en-US%22%3ENope.%20%3A(%3C%2Fimg%3E%3CBR%20%2F%3E%3CBR%20%2F%3ES4B%20just%20sometimes%20says%20it%20requires%20Exchange%20credentials%20and%20do%20not%20allow%20sign-in%20completely.%20But%20current%20migration%20to%20Microsoft%20Teams%20solves%20this%20problem%20as%20a%20workaround.%3CBR%20%2F%3E%3CBR%20%2F%3EAlso%2C%20Office%202016%20on%20Windows%2010%20starts%20with%20Web%20Account%20Manager%20WAM%20and%20starts%20to%20%22deprecate%22%20ADAL%2C%20so%20maybe%20it%20will%20fix%20the%20problem%20in%20long%20term.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-171002%22%20slang%3D%22en-US%22%3ERe%3A%20Skype%20client%20with%20modern%20auth%20keep%20asking%20for%20Exchange%20Credentials%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-171002%22%20slang%3D%22en-US%22%3EDid%20you%20ever%20resolve%20this%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-119324%22%20slang%3D%22en-US%22%3ERe%3A%20Skype%20client%20with%20modern%20auth%20keep%20asking%20for%20Exchange%20Credentials%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-119324%22%20slang%3D%22en-US%22%3EThanks%20for%20the%20reply%2C%20but%20we%20have%20entered%20for%20MFA%20to%20the%20high%20level%20of%20IP%20address%20space%2C%20in%20which%20scope%20LAN%20and%20also%20Wi-Fi%20is%20contained.%3CBR%20%2F%3E%3CBR%20%2F%3EThe%20same%20will%20sometimes%20start%2C%20when%20the%20user%2C%20for%20example%2C%20call%20VPN%20outside%20the%20network.%20Outlook%20works%20fine%2C%20Word%20works%20fine%2C%20nothing%20will%20asking%20for%20MFA%20because%20the%20device%20is%20already%20provided%20MFA%20(turned%20on%20remembering%20devices%20with%20AAD%20joined).%20Skype%20client%20itself%20working%2C%20just%20asking%20for%20Exchange%20credentials.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-119002%22%20slang%3D%22en-US%22%3ERe%3A%20Skype%20client%20with%20modern%20auth%20keep%20asking%20for%20Exchange%20Credentials%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-119002%22%20slang%3D%22en-US%22%3E%3CP%3EIt's%20mentioned%20here%20in%20quite%20comprehensive%20manner%3A%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERef%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fmulti-factor-authentication%2Fmulti-factor-authentication-whats-next%23trusted-ips%26nbsp%3B%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fmulti-factor-authentication%2Fmulti-factor-authentication-whats-next%23trusted-ips%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EYou%20need%20to%20add%20Wifi%2FVPN%2FLAN%20IP%20ranges%20there.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
MVP

Hello, we have a customer where Exchange and Skype for Business are both deployed as purely Online solutions. For both of them, we enabled modern authentication (ADAL). Clients have Windows 10 with Office 2016 (ProPlus from Office 365).

 

It works most of the time fine and without app passwords. But we have a network that is in Azure AD marked as the trusted network where MFA is not needed. When we switch the network connection from this to other, like to VPN or roam between LAN and Wi-Fi (but on same public address space), Exchange in Skype client starts asking for the password. It does not trigger MFA password, but only app password will start work.

 

Does someone saw the same?

 

S4B_Credentials.png

4 Replies

It's mentioned here in quite comprehensive manner: 

 

Ref: https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-whats...

 

You need to add Wifi/VPN/LAN IP ranges there. 

Thanks for the reply, but we have entered for MFA to the high level of IP address space, in which scope LAN and also Wi-Fi is contained.

The same will sometimes start, when the user, for example, call VPN outside the network. Outlook works fine, Word works fine, nothing will asking for MFA because the device is already provided MFA (turned on remembering devices with AAD joined). Skype client itself working, just asking for Exchange credentials.
Did you ever resolve this?
Nope. :(

S4B just sometimes says it requires Exchange credentials and do not allow sign-in completely. But current migration to Microsoft Teams solves this problem as a workaround.

Also, Office 2016 on Windows 10 starts with Web Account Manager WAM and starts to "deprecate" ADAL, so maybe it will fix the problem in long term.