Modern authentication
Hybrid Modern Auth for SfB and Exchange goes GA!
Today, I am very happy to announce General Availability (GA) for Hybrid Modern Authentication (HMA) for Skype for Business and Exchange. This is a major milestone in our Modern Authentication journey. This will enable customers to use Modern Auth enabled security features such as Multi-Factor Authentication (MFA), Cert Based Authentication (CBA), AAD Conditional Access (CA) and Intune Mobile Application Management (MAM) for all their users, both those homed online as well as those homed on-prem.

Here is a visual of the topology:

This design requires you to use Azure Active Directory as the authorization server for your on-prem SfB and on-prem Exchange deployments (note the blue arrow from SfB on-prem and Exchange on-prem to AUTH in the cloud).

The prerequisites and instructions to enable HMA can be found here: https://aka.ms/ModernAuthOverview

Updated list of SfB MA Supported Topologies is here: Skype for Business topologies supported with Modern Authentication

Also, two of my colleagues have published their own excellent blogs on this topic:
- Announcing Hybrid Modern Authentication for Exchange On-Premises
- Hybrid Modern Authentication for Skype for Business

Windows Hello for Business 0x80090010 NTE_PERM
Hi all,

I'm encountering an issue with Windows Hello for Business on the latest version of Windows (July 2025 update). The setup process fails during initialisation, and no biometric or PIN options are being provisioned for the user.

Environment:
- Windows version: 11 24H2 Enterprise (latest update)
- Deployment mode: Hybrid Cloud Trust
- Hybrid joined devices

Symptoms:
- Users are prompted to set up WHfB but the process fails at the last step with error 0x80090010
- Users who already have WHfB authentication methods created can successfully log in
- Event ID 311 & 303 in the User Device Registration logs

Screenshots:

Troubleshooting so far:
- Unjoined and rejoined to Entra ID
- Granted modify permissions on the folder in which the NGC container would be created
- Rolled back to the June 2025 update (this worked)

So it seems like this is caused by or related to the latest Windows Update, which is rather unfortunate for us as we are just beginning to roll out WHfB for our organisation. I'm posting here to raise awareness of the issue; if there is a more appropriate place to post, then please suggest.

Upcoming changes to iOS/iPadOS Company Portal app deployment for Setup Assistant with modern auth
Learn more about plans to remove automatic deployment of the iOS/iPadOS Company Portal app as a required app for Automated Device Enrollment (ADE) Setup Assistant with modern authentication enrollment profiles.

SfB Hybrid Modern Auth w/ EXO goes Public Preview
Last week at Microsoft Ignite, we announced that Modern Authentication for Skype for Business Server has gone to Public Preview. This means that the following topologies are now supported in Public Preview.

Note: the grayed-out boxes mean they do not exist in the deployment.

These configurations will enable customers to use Modern Auth enabled security features such as Multi-Factor Authentication (MFA), Cert Based Authentication (CBA), Conditional Access (CA) and Mobile Application Management (MAM) for users who are homed on-prem as well as those homed in the cloud. Both of these topologies require you to use Azure Active Directory as the authorization server for your on-prem SfB deployment (note the blue arrow from SfB on-prem to AUTH in the cloud).

To see the full list of prerequisites and to join the "Hybrid Modern Authentication - w/ Exchange Online" Public Preview, please go to http://aka.ms/skypepreview

SfB Server Now Supports Blocking NTLM Externally
I am happy to announce that with the CU7 version of SfB Server 2015, we have added the ability to block external NTLM traffic. This, along with the use of Cert Based Authentication, will allow you to protect your SfB servers from external DoS attacks using usernames/passwords. Let me explain.

SfB Server allows the following protocols that all accept usernames/passwords: NTLM, Forms Based Auth and Modern Authentication. In order to combat the DoS attacks, you have to shut down all the external ways that allow username/password. With the new Get/Set-CsAuthConfig cmdlets in CU7, you can shut down NTLM and Forms Based Auth externally. Then, you configure your servers to only accept Certificate Based Auth externally. (NOTE: You need Modern Authentication to use CBA.) Now all the username/password doors are shut and your users use CBA to get in externally.

Here is an article that explains the details: Turn off Legacy authentication methods internally and externally to your network.
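The post above closes the NTLM and forms-based doors with Set-CsAuthConfig; the check a practitioner then wants is to confirm, from outside the network, which schemes the SfB web services still advertise to an anonymous client. The Python script below is an added example written for this page, not code from the post or from Microsoft. It GETs a URL you supply, expects a 401, parses the WWW-Authenticate challenges it gets back, and flags the legacy schemes (NTLM, Negotiate, Basic, Digest) as well as the "password" grant in SfB's own MsRtcOAuth challenge. The hostname, the WebTicket path and the two embedded header sets are constructed assumptions, not captures from a real deployment.

```python
"""Check which authentication schemes a Skype for Business web service
still advertises to an unauthenticated client. Added example for this
page, not code from the post or from Microsoft; the URL and header
values in the sample data are constructed assumptions."""
import urllib.error
import urllib.request

# Username/password (or Windows challenge) schemes the post says must be
# closed externally. Negotiate can carry NTLM, so it counts as legacy.
LEGACY_SCHEMES = {"ntlm", "negotiate", "basic", "digest"}
MODERN_SCHEMES = {"bearer"}   # OAuth bearer tokens, i.e. Modern Authentication
SFB_SCHEME = "msrtcoauth"     # SfB WebTicket challenge; grant_type lists token grants


def _split_challenges(value):
    """Split a WWW-Authenticate value on commas that are outside quotes.
    Challenges and their auth-params share the comma separator, so a
    quoted list such as grant_type="a,b,c" must survive intact."""
    parts, buf, in_quotes = [], [], False
    for ch in value:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "," and not in_quotes:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def _add_param(params, text):
    """Store name="value" (quotes removed); ignore bare tokens."""
    name, eq, val = text.partition("=")
    if eq:
        params[name.strip().lower()] = val.strip().strip('"')


def parse_www_authenticate(header_values):
    """Return {scheme: {param: value}} for every challenge in the headers.
    A segment whose first token contains '=' is an auth-param belonging
    to the preceding scheme, not a new scheme."""
    challenges = {}
    for value in header_values:
        current = None
        for seg in _split_challenges(value):
            head, _, rest = seg.partition(" ")
            if "=" in head:
                if current is not None:
                    _add_param(challenges[current], seg)
                continue
            current = head.lower()
            params = challenges.setdefault(current, {})
            if rest.strip():
                _add_param(params, rest.strip())
    return challenges


def assess(challenges):
    """Summarise the exposure: legacy schemes offered, whether Bearer is
    offered, SfB grant types, and whether every password door is shut."""
    legacy = sorted(s for s in challenges if s in LEGACY_SCHEMES)
    grants = challenges.get(SFB_SCHEME, {}).get("grant_type", "")
    grant_types = [g for g in grants.split(",") if g]
    password_grant = "password" in grant_types
    return {
        "legacy_schemes": legacy,
        "modern_auth": any(s in MODERN_SCHEMES for s in challenges),
        "sfb_grant_types": grant_types,
        "password_grant": password_grant,
        "legacy_closed": not legacy and not password_grant,
    }


def fetch_challenges(url, timeout=10):
    """GET the URL anonymously and return its WWW-Authenticate headers.
    401 is the expected answer; any other status means no challenge."""
    try:
        with urllib.request.urlopen(url, timeout=timeout):
            return []
    except urllib.error.HTTPError as err:
        if err.code == 401:
            return err.headers.get_all("WWW-Authenticate") or []
        raise


# Constructed sample challenges (not captured from a real server).
# Before: NTLM/Negotiate and the password grant are still offered.
SAMPLE_BEFORE = [
    "NTLM",
    "Negotiate",
    'Bearer trusted_issuers="00000001-0000-0000-c000-000000000000@contoso.com", '
    'client_id="00000004-0000-0ff1-ce00-000000000000"',
    'MsRtcOAuth href="https://sfbweb.contoso.com/WebTicket/oauthtoken",'
    'grant_type="urn:microsoft.rtc:windows,urn:microsoft.rtc:anonmeeting,password"',
]
# After: only Bearer and the anonymous-meeting grant remain.
SAMPLE_AFTER = [
    'Bearer trusted_issuers="00000001-0000-0000-c000-000000000000@contoso.com"',
    'MsRtcOAuth href="https://sfbweb.contoso.com/WebTicket/oauthtoken",'
    'grant_type="urn:microsoft.rtc:anonmeeting"',
]

if __name__ == "__main__":
    import sys
    # Pass your external web services URL (an assumption, e.g.
    # https://sfbweb.contoso.com/WebTicket/WebTicketService.svc), or run
    # with no arguments to see the "before" sample assessed.
    headers = fetch_challenges(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_BEFORE
    for key, val in assess(parse_www_authenticate(headers)).items():
        print(f"{key}: {val}")
```

Run it from a host outside the corporate network so that the request traverses the reverse proxy the way an external client's would; an internal run will show the internal policy, which the post leaves open. The script only reads challenges and changes nothing on the server; "legacy_closed" is true only when no NTLM/Negotiate/Basic/Digest scheme and no password grant is offered, which is the end state the post describes.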
Setup Assistant with modern authentication for ADE - Intune Public Preview

We're excited to announce support for a new authentication method for Apple's Automated Device Enrollment (ADE), which is Setup Assistant with modern authentication, in public preview in Microsoft Endpoint Manager!

Exclude Microsoft first party applications in Azure conditional access policy
We have an app built on the Microsoft Graph resource, and we have a conditional access policy that targets all cloud apps. When users sign into this app using the Chrome browser on iOS, they get an error and a prompt to use Edge. We do not want users to change the browser, and tried to exclude Microsoft Graph from the CA policy using all options, including the API, but it fails with the error below.

Policy contains invalid applications: unsupported firstpartyapplication.

Is there a way to exclude Microsoft Graph from the policy?

Best setup for multiple machines
I have a Live account for my email address, as I have a Surface and originally registered for an account to use for machine backups, browsing syncing etc. I also use OneNote and wanted it syncing to a 365 OneDrive account, so I signed up for Office 365 Business Basics so that I could sync OneDrive and all of the associated attachments, audio records etc. to it. I would love to use the paid business account, but I can't sign into the Surface with the business account, only home accounts, as I don't have Pro.

The next issue is that I use another laptop, Android tablet and phone, also signing into the business 365 account. These all used to sync fine, but now all other devices disconnect as the one you have signed into connects. Not a major issue: you sign into the device you want to use, sync and then continue. However, I jump from device to device so often that it starts to grate on me that I can't just grab a device and sync.

Is there any way I can register each device so that they are trusted and then more than one device can stay connected?