Modern authentication
6 Topics

SfB Server Now Supports Blocking NTLM Externally
I am happy to announce that with the CU7 version of SFB Server 2015, we have added the ability to block external NTLM traffic. This, along with the use of Cert Based Authentication, will allow you to protect your SFB servers from external DOS attacks using username/passwords. Let me explain. SfB server allows the following protocols that all accept username/passwords – NTLM, Forms Based Auth and Modern Authentication. In order to combat the DOS attacks, you have to shut down all the external ways that allow username/password. With the new Get/Set-CsAuthConfig cmdlets in CU7, you can shut down NTLM and Forms Based Auth externally. Then, you configure your servers to only accept Certificate Based Auth externally. (NOTE: You need Modern Authentication to use CBA.) Now all the username/password doors are shut and your users use CBA to get in externally. Here is an article that explains the details: Turn off Legacy authentication methods internally and externally to your network.

Hybrid Modern Auth for SfB and Exchange goes GA!
Today, I am very happy to announce General Availability (GA) for Hybrid Modern Authentication (HMA) for Skype for Business and Exchange. This is a major milestone in our Modern Authentication journey. This will enable customers to use Modern Auth enabled security features such as Multi Factor Authentication (MFA), Cert Based Authentication (CBA), AAD Conditional Access (CA) and Intune Mobile Application Management (MAM) for all their users, both those homed online as well as those homed onprem. Here is a visual of the topology: This design requires you to use Azure Active Directory as the authorization server for your onprem SfB and onprem Exchange deployments (note the blue arrow from SfB onprem and Exchange onprem to AUTH in the cloud).
The prerequisites and instructions to enable HMA can be found here: https://aka.ms/ModernAuthOverview
Updated list of SfB MA Supported Topologies is here: Skype for Business topologies supported with Modern Authentication
Also, two of my colleagues have published their own excellent blogs on this topic.
Announcing Hybrid Modern Authentication for Exchange On-Premises
Hybrid Modern Authentication for Skype for Business

SfB Hybrid Modern Auth w/ EXO goes Public Preview
Last week at Microsoft Ignite, we announced that Modern Authentication for Skype for Business server has gone to Public Preview. This means that the following topologies are now supported in Public Preview. Note: the grayed out boxes mean they do not exist in the deployment. These configurations will enable customers to use Modern Auth enabled security features such as Multi Factor Authentication (MFA), Cert Based Authentication (CBA), Conditional Access (CA) and Mobile Application Management (MAM) for users who are homed onprem as well as those homed in the cloud. Both of these topologies require you to use Azure Active Directory as the authorization server for your onprem SfB deployment (note the blue arrow from SfB onprem to AUTH in the cloud). To see the full list of pre-requisites and to join “Hybrid Modern Authentication - w/ Exchange Online” Public Preview, please go to http://aka.ms/skypepreview.

SFBO hybrid with MA and Azure MFA issue
I am having issues enabling MFA for our SFBO users. Once Azure MFA is enabled, we cannot sign into SFBO on our mobile devices or laptops unless we are on our trusted network. We are currently running SFBO in Hybrid mode because our voice service is 3rd party hosted and Modern Authentication is enabled. I understand that there is a TechNet article that states this is not supported yet, but I created a conditional policy that would not require MFA on trusted or compliant devices. Even though this policy is in place, it still does not work. Any ideas?