 | Since the May 2017 cumulative update for Skype for Business, modern authentication has been available for Skype for Business on-premise. This blog post covers what hybrid modern authentication (HMA) is, why you should use it, what are the limitations and how to deploy it for a Skype for Business on-premise Hybrid environment with Azure AD. We will walk through step-by-step how to configure the on-premise servers and the Office365 tenant and look at how HMA affects Skype for Business certified IP Phones. |
What is Hybrid Modern Authentication (HMA) and why should you use it?
Much of the basics of what HMA is very well explained in this Microsoft article https://aka.ms/ModernAuthOverview. Here in this blog post I just want to summarize the key points. Firstly, HMA is an new authentication and authorization protocol that was first available on Office365 and now extended to Skype for Business hybrid split domain and Exchange hybrid environments. Modern Authentication is based on the open standard oAuth protocol and implemented in Microsoft software and services via ADAL. During the login process, Skype for Business clients will obtain Access and Refresh Oauth tokens from an Azure AD service known as evoSTS that on-premises Skype for Business and Exchange servers will accept and grant access. To obtain these tokens in HMA, the client must first be authenticated via an on-premise Active Directory with ADFS. Hence our environment is already configured with AADConnect and ADFS with Skype for Business on-premise hybrid split-domain. Once the tokens are issued, there is no need for the client to get authenticated again until the refresh token expires. The default expiry time for a refresh token is 90 days while an access token has a 1 hour validity. When access tokens expire the client will simply use its refresh token to renew access tokens.
Once HMA is configured, our environment can begin to leverage AAD security capabilities like two-factor authentication, or Intune Modern Application Management policies such as conditional access.However, its important to note that not all clients support all the features provided by HMA and Microsoft has documented the different features available to different clients in this website https://aka.ms/ModernAuthUpdate
Much of the basics of what HMA is very well explained in this Microsoft article https://aka.ms/ModernAuthOverview. Here in this blog post I just want to summarize the key points. Firstly, HMA is an new authentication and authorization protocol that was first available on Office365 and now extended to Skype for Business hybrid split domain and Exchange hybrid environments. Modern Authentication is based on the open standard oAuth protocol and implemented in Microsoft software and services via ADAL. During the login process, Skype for Business clients will obtain Access and Refresh Oauth tokens from an Azure AD service known as evoSTS that on-premises Skype for Business and Exchange servers will accept and grant access. To obtain these tokens in HMA, the client must first be authenticated via an on-premise Active Directory with ADFS. Hence our environment is already configured with AADConnect and ADFS with Skype for Business on-premise hybrid split-domain. Once the tokens are issued, there is no need for the client to get authenticated again until the refresh token expires. The default expiry time for a refresh token is 90 days while an access token has a 1 hour validity. When access tokens expire the client will simply use its refresh token to renew access tokens.
Once HMA is configured, our environment can begin to leverage AAD security capabilities like two-factor authentication, or Intune Modern Application Management policies such as conditional access.However, its important to note that not all clients support all the features provided by HMA and Microsoft has documented the different features available to different clients in this website https://aka.ms/ModernAuthUpdate
What are the supported Topologies and pre-requisites?
There are four separate locations where modern authentication can be enabled. The first two are the Office365 workloads Exchange Online (EXO) and Skype for Business Online (SBFO) and two on-premise servers Skype for Busines (SFB) and Exchange (EXCH). Microsoft has documented the various supported HMA topologies in this article: https://technet.microsoft.com/en-us/library/mt803262.aspx However, the particular topology that we are using in our lab environment is somehow not included in the article, which is EXO with SFBO and SFB. So we will enable MA on EXO, SFBO and SFB; there is no Exchange on-premise. On-premise AD with ADFS will be our authentication server and AAD evoSTS will be our authorization server issuing tokens to clients. Below is the diagram of what this topology looks like:
There are four separate locations where modern authentication can be enabled. The first two are the Office365 workloads Exchange Online (EXO) and Skype for Business Online (SBFO) and two on-premise servers Skype for Busines (SFB) and Exchange (EXCH). Microsoft has documented the various supported HMA topologies in this article: https://technet.microsoft.com/en-us/library/mt803262.aspx However, the particular topology that we are using in our lab environment is somehow not included in the article, which is EXO with SFBO and SFB. So we will enable MA on EXO, SFBO and SFB; there is no Exchange on-premise. On-premise AD with ADFS will be our authentication server and AAD evoSTS will be our authorization server issuing tokens to clients. Below is the diagram of what this topology looks like:
Deploying Hybrid Modern Authentication Walk-Through
Before beginning to configure for HMA, we need to prepare our environment with the necessary pre-requisites. Firstly, the version of Skype for Business on-premise must be May 2017 CU 5 cumulative update, build .281 or later. We can check this using the Get-CsServerPatchVersion cmdlet on our SFB server. As shown below, our server is already on the required versions:
Before beginning to configure for HMA, we need to prepare our environment with the necessary pre-requisites. Firstly, the version of Skype for Business on-premise must be May 2017 CU 5 cumulative update, build .281 or later. We can check this using the Get-CsServerPatchVersion cmdlet on our SFB server. As shown below, our server is already on the required versions:
Secondly, we obtain the web service URL's with Get-CsService -WebServer | Select-Object PoolFqdn, InternalFqdn, ExternalFqdn | fl as shown below
Next, we connect to AzureAD Remote Powershell and configure the necessary Service Principal Names (SPN) using the Set-MsolServicePrincipal cmdlet together with the web services URLs obtained earlier. The steps are shown in the diagram below:
Now we can proceed to configure our Skype for Business on-premise server for HMA. First, we check the existing oAuth configuration using Get-CsOAuthConfiguration and note that the ClientAuthorizationOAuthServerIdentity parameter is blank meaning that our server has not been enabled for HMA yet as shown below:
Now we can proceed to create the evoSTS oAuth server and cut over to HMA by setting our Skype for Business on-premise server's oAuth configuration to use it. This is done using the New-CsOAuthServer and the Set-CsOAuthConfiguration cmdlets as shown below:
We can also turn on Modern Authentication for SFBO by going into remote powershell and running the Set-CsOAuthConfiguration cmdlet as shown below:
RSS Feed