Since the May 2017 cumulative update for Skype for Business, modern authentication has been available for Skype for Business on-premise. This blog post covers what hybrid modern authentication (HMA) is, why you should use it, what are the limitations and how to deploy it for a Skype for Business on-premise Hybrid environment with Azure AD. We will walk through step-by-step how to configure the on-premise servers and the Office365 tenant and look at how HMA affects Skype for Business certified IP Phones.
Much of the basics of what HMA is very well explained in this Microsoft article https://aka.ms/ModernAuthOverview. Here in this blog post I just want to summarize the key points. Firstly, HMA is an new authentication and authorization protocol that was first available on Office365 and now extended to Skype for Business hybrid split domain and Exchange hybrid environments. Modern Authentication is based on the open standard oAuth protocol and implemented in Microsoft software and services via ADAL. During the login process, Skype for Business clients will obtain Access and Refresh Oauth tokens from an Azure AD service known as evoSTS that on-premises Skype for Business and Exchange servers will accept and grant access. To obtain these tokens in HMA, the client must first be authenticated via an on-premise Active Directory with ADFS. Hence our environment is already configured with AADConnect and ADFS with Skype for Business on-premise hybrid split-domain. Once the tokens are issued, there is no need for the client to get authenticated again until the refresh token expires. The default expiry time for a refresh token is 90 days while an access token has a 1 hour validity. When access tokens expire the client will simply use its refresh token to renew access tokens.
Once HMA is configured, our environment can begin to leverage AAD security capabilities like two-factor authentication, or Intune Modern Application Management policies such as conditional access.However, its important to note that not all clients support all the features provided by HMA and Microsoft has documented the different features available to different clients in this website https://aka.ms/ModernAuthUpdate
There are four separate locations where modern authentication can be enabled. The first two are the Office365 workloads Exchange Online (EXO) and Skype for Business Online (SBFO) and two on-premise servers Skype for Busines (SFB) and Exchange (EXCH). Microsoft has documented the various supported HMA topologies in this article: https://technet.microsoft.com/en-us/library/mt803262.aspx However, the particular topology that we are using in our lab environment is somehow not included in the article, which is EXO with SFBO and SFB. So we will enable MA on EXO, SFBO and SFB; there is no Exchange on-premise. On-premise AD with ADFS will be our authentication server and AAD evoSTS will be our authorization server issuing tokens to clients. Below is the diagram of what this topology looks like:
Before beginning to configure for HMA, we need to prepare our environment with the necessary pre-requisites. Firstly, the version of Skype for Business on-premise must be May 2017 CU 5 cumulative update, build .281 or later. We can check this using the Get-CsServerPatchVersion cmdlet on our SFB server. As shown below, our server is already on the required versions: