    Enable modern authentication for Skype for Business Online

    By Ronni Pedersen on July 11, 2017 Enterprise Mobility, Identity and Access

    As a Cloud Consultant working with products that are part of Office 365 and the Microsoft Enterprise Mobility + Security Suite (EMS), I often get a lot of questions about multi-factor authentication (MFA) and how to get started.

    Most customers today have a strategy for MFA when employees are trying to access corporate data from outside the company perimeter. But when customers are using cloud services like Office 365, OneDrive and SharePoint, that boundary moves from a physical boundary to the user identity. Therefore, the requirement for multi-factor authentication is something that most customers want to implement as part of their cloud strategy.

    The key to a successful MFA deployment starts by enabling modern authentication. Modern authentication brings Active Directory Authentication Library (ADAL)-based sign-in to your Office 365 applications, and without this enabled, end users will have to use “App Passwords”, which is a true nightmare for any user and IT department.

    By default, Office 365 tenants (Exchange Online, SharePoint Online and Skype for Business Online) will need to be configured to accept a modern authentication connection. If you want to use MFA, I recommend that you enable modern authentication for both Exchange Online and Skype for Business.

    • Skype for Business Online – OFF by default.
    • Exchange Online – OFF by default.
    • SharePoint Online – ON by default.

     

    Enable modern authentication for Skype for Business Online

    To enable modern authentication for Skype for Business Online, complete the following steps:

    Step 1: Install the Skype for Business Online Windows PowerShell Module:
    https://www.microsoft.com/en-us/download/details.aspx?id=39366

    Step 2: Connect to Skype for Business using PowerShell

    $sfboSession = New-CsOnlineSession -UserName user@domain.com
    Import-PSSession $sfboSession


    Step 3: Verify the current settings (optional)
    The expected result: ClientAdalAuthOverride : Disallowed

    Get-CsOAuthConfiguration


    Step 4: Enable modern authentication for Skype for Business Online

    Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed

    Step 5: Verify that the change was successful by running the following:
    The expected result: ClientAdalAuthOverride : Allowed

    Get-CsOAuthConfiguration


    Important: Please note that it might take up to 24 hours before modern authentication starts to work. Usually it’s less than one hour, but please be patient when you start testing. If you don’t get the result you expect, watch a movie, drink a cup of coffee and try again.
    Thanks to @AlexFilipin for reminding me to add this note to the article.

    I have also posted a sample script on Microsoft TechNet Gallery, where all the commands used in this example can be found: https://gallery.technet.microsoft.com/Enable-modern-authenticatio-d7180f99
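The steps above as a single re-runnable script, added here as an example (it is not the author's TechNet Gallery script): it changes the setting only when it is not already Allowed, confirms the result, and always closes the remote session. The `$AdminUpn` parameter name is an assumption; the cmdlets are the ones used in the steps, plus the standard `Remove-PSSession`.

```powershell
# Added example: steps 2-5 combined, safe to run more than once.
# $AdminUpn is a hypothetical parameter name for the admin sign-in name.
param(
    [Parameter(Mandatory = $true)]
    [string]$AdminUpn   # for example user@domain.com
)

# Stop on the first failing cmdlet instead of continuing with a bad state.
$ErrorActionPreference = 'Stop'

# Step 2: connect to Skype for Business Online (prompts for credentials).
$sfboSession = New-CsOnlineSession -UserName $AdminUpn
try {
    Import-PSSession $sfboSession -AllowClobber | Out-Null

    # Step 3: read the current value before touching anything.
    $before = (Get-CsOAuthConfiguration).ClientAdalAuthOverride
    Write-Output "Current ClientAdalAuthOverride: $before"

    # Step 4: change the tenant setting only when it is needed.
    if ("$before" -ne 'Allowed') {
        Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed
    }

    # Step 5: read the value back and fail loudly if it did not stick.
    $after = (Get-CsOAuthConfiguration).ClientAdalAuthOverride
    if ("$after" -ne 'Allowed') {
        throw "ClientAdalAuthOverride is '$after', expected 'Allowed'."
    }
    Write-Output "ClientAdalAuthOverride is now: $after"
    Write-Output "Clients can take up to 24 hours to start using modern authentication."
}
finally {
    # Always close the remote session, also when a step above failed.
    Remove-PSSession $sfboSession
}
```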

    That’s it… Enjoy!

    +Ronni Pedersen


    My name is Ronni Pedersen and I'm currently working as a Cloud Architect at APENTO in Denmark. My primary focus is Enterprise Client Management solutions, based on technologies like AzureAD, Intune, EMS and System Center Configuration Manager. I'm also a Microsoft Certified Trainer and Microsoft MVP in Enterprise Mobility.


    44 Comments

    1. Curtis Spears on November 8, 2017 01:21

      Thanks! Your solution was the only one that worked!

      Reply
    2. Alan on July 18, 2018 12:38

      If I enable MFA for Skype for Business Online, using the powershell method you described, does that mean that EVERY user will be asked to enter a code from a Microsoft Authenticator APP, even though Two Factor Authentication may not be enabled on EVERY Office 365 User Account? Put another way, I only have 10% of my users enabled for Two Factor Authentication in my Office 365 tenant, and I am concerned that if I enable MFA on ‘Skype for Business Online’ via powershell, that it will prevent skype login for 90% of my users who do not enrol for MFA yet. Thank you.

      Reply
      • Ronni Pedersen on August 12, 2018 06:59

        No… MFA is not required if you enable modern authentication. It’s safe to do this.

        Reply
    3. Kevin Miller on August 9, 2018 17:30

      Thanks very much Ronni

      Reply
    4. Pingback: Sysadmin Today #48: Migrating Active Directory, ADFS & MFA

    5. O365Guy on October 10, 2018 14:14

      Are there any drawbacks to enabling modern authentication? I can’t imagine that this would affect any other O365 systems, but want to be sure before I enable this in our production tenant.

      Reply
      • Ronni Pedersen on October 15, 2018 06:55

        No. This should not affect any systems. You will only get more options.

        Reply
        • Marcus on December 1, 2018 14:40

          Have I understood wrong, when I believe that enabling Modern Auth on SfB will, in fact, enforce it? Resulting in for example 2013 clients being unable to login without setting enableADAL through GPO’s?

          Reply
          • Ronni Pedersen on December 20, 2018 10:16

            Basic Auth. will still work….

            Reply
    6. Jim on November 6, 2018 15:55

      This article is awesome! I was spinning my wheels for quite some time just using the instructions provided by Microsoft (they really make you work for it).

      Thank you so much!

      Reply
      • Ronni Pedersen on November 18, 2018 14:44

        You’re welcome 🙂

        Reply
    7. Mohd Omar on November 11, 2018 05:28

      Thank you so much , very useful and clear

      Mohd

      Reply
    8. Farid on November 13, 2018 19:05

      Hi Ronni

      Modern authentication is on for our users but our android users can’t use their mail and skype for business is there any reason for this case? Do I need to another script?

      Thanks

      Reply
      • Ronni Pedersen on November 18, 2018 14:43

        Are you using Outlook or the built-in mail client ?

        Reply
    9. Tobias on November 28, 2018 16:32

      This article was really helpful!!

      Great work!

      Reply
    10. Nik on February 7, 2019 05:51

      Will this enable modern authentication for the Skype 2016 client as well?

      Reply
      • Ronni Pedersen on March 3, 2019 11:46

        Yes! This should work for all clients that support modern auth. (including 2016).

        Reply
    11. Alex on February 15, 2019 12:33

      Hi Ronni, thanks great article. Do you know, if i can enable only the sfb online users to use modern Auth. in a Sfb Hybrid environment and let the onprem users on legacy Auth.?

      Thanks

      Reply
      • Ronni Pedersen on March 3, 2019 11:45

        I don’t know much about SfB on-prem… Sorry!

        Reply
    12. Miriam J on March 3, 2019 03:12

      I am the de facto IT person for our small company. I’m not a IT person by trade and I have been struggling to make MFA work with Outlook and Skype for our company by cobbling together various internet searches. Your article was the key! It was impossible to find this same information on the Microsoft support and I spent close to 3 hours with their help desk personnel and we never got this far. Thank you!

      Reply
      • Ronni Pedersen on March 3, 2019 11:44

        Thank you for the feedback 🙂

        Reply
    13. James on March 11, 2019 16:04

      Hi Ronni,

      Could you please confirm the impact enabling Modern Authentication will have on the users who are not MFA enabled/enforced. For example, will it force all non-MFA users to re-enter the passwords?

      thanks

      James

      Reply
      • Ronni Pedersen on March 19, 2019 18:20

        There should be no impact for these users.

        Reply
        • Jade on April 4, 2019 07:31

          What about the users who are MFA enabled/enforced. How would the changes affect them? Do they have to re-enter the password for SfB?

          Reply
          • Ronni Pedersen on July 24, 2019 18:36

            No. They should be just fine.

            Reply
    14. Jatin Patil on March 14, 2019 00:51

      Thanks Ronni for the article, So enabling Modern Authentication for Skype for Business will enable it for Exchange Online as well?

      Reply
      • Ronni Pedersen on March 19, 2019 18:20

        No. You need to do both.

        Reply
    15. Pingback: Sysadmin Today #61: Office 365 Best Practices

    16. Raj Harkare on June 26, 2019 09:16

      Thanks Ronni, for making the clear picture about enabling Modern Authentication for Skype for business as i was assuming this is enabled by default for the Skype for business as per the Microsoft. but here is the Gap-

      Here is the per service state of modern authentication by default for tenants created before August 1, 2017:
      Skype for Business Online – OFF by default.
      Exchange Online – OFF by default.
      SharePoint Online – ON by default.

      Note: As of August 1, 2017, for all newly created Office 365 tenants, use of modern authentication is now ON by default for Exchange Online and Skype for Business Online.

      Reply
    17. Jessie Salgado on July 9, 2019 14:16

      The -ClientAdalAuthOverride parameter for the CMDLET Set-CsOAuthConfiguration takes one of three options:

      NoOverride
      Allowed
      Disallowed

      Can you explain what each option does when set?

      Reply
    18. Gene Zokiol on July 24, 2019 16:09

      Thanks Ronni, how can we enforce that only Modern Auth is allowed? You mentioned above in the comments that basic auth will still work for legacy clients. We already have a conditional access policy that would block legacy protocols, however, is there a way in the skype online powershell module to enforce only modern auth? For example, the parameter “ClientAdalOverride” has also the possible value of “NoOverride.” I can’t find documentation that clearly explains what allowed, disallowed and nooverride mean.
      Any help much appreciated.

      Reply
      • Ronni Pedersen on July 24, 2019 18:30

        I don’t have the answer, but I’m recommending the same CA rules to block Basic Authentication.

        Reply
    19. Sam Martin on July 29, 2019 05:05

      Thanks Ronni for the info, I have 2 questions:

      We have SFB on-prem, but we use SFB Broadcast (which is SFB online), and our users in our organization can connect to SFB online through their own skype user interface (which is on-prem)

      1. By enabling Enable modern authentication for Skype for Business Online, my understanding is that it affects to the SFB Broadcast (online) and the impact applies to all of our users in our organization who want to be connected to the SFB online?

      2. Is there any outage after enabling modern authentication for Skype for Business Online?

      Reply
    20. Pingback: Conditional Access demystified, part 5: Implementing Conditional Access | Modern Workplace Blog

    21. Pingback: Preventing Password Hacks in Office 365 using Multi-factor authentication

    22. Bhanusri on September 25, 2019 12:36

      Hi Ronni,
      Your explanation is easy to understand, thanks, but I found the below in the Microsoft website, so got confused, can you please clarify on the same.

      https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/enable-or-disable-modern-authentication-in-exchange-online
      Notes:
      Modern authentication is enabled by default in Exchange Online, Skype for Business Online and SharePoint Online.

      Reply
    23. Mikey G on October 10, 2019 23:46

      Hi Ronni,

      Our setup is On-Prem exchange and SB On-line. If we turn on MA for SBOL, how will this affect our user in this kind of environment? Will it affect SB on mobile devices as well? Thanks

      Reply
    24. João Pedro on December 10, 2019 15:04

      Thank you.

      Microsoft Support could not solve the problem yet. You save me!

      Reply
    25. Sky IT on February 20, 2020 18:15

      Hi Ronni,

      We enabled modern authentication on office 365 tenant but when users try to login Skype for business desktop, they are getting error like user name and password is incorrect.

      Can you please suggest.

      We are using latest Skype for business desktop app but operation system windows 7.

      Same it is working on Windows 10 machines.

      Reply
      • Ronni Pedersen on February 20, 2020 20:17

        That's easy then… Just upgrade to Windows 10 🙂
        Seriously: I don't know why you see this, or what's causing it. It would require more insights to your environment.

        Reply
    26. Pingback: Microsoft is going to disable basic/legacy authentication for Exchange Online. What does that actually mean and does that impact me? | Modern Workplace Blog

    27. neil curran on April 28, 2020 10:31

      Hi Ronnie,

      Looking some guidance. We currently have approx 200 users SFB online with SFB 2016 client.

      if i turn on Modern authentication for SFB Online and some of these users have MFA enabled and enforced, will it then ask this user for 2nd factor authentication (call to phone, text to phone or authenticator app) logon to SFB Online with SFB 2016 client ?

      thanks

      Reply
    28. CheeKiat on May 18, 2020 02:57

      Hi

      Would like check with you if modern authentication needed for account like Skype for Business online, did third party device like Logitech Tap, Lenovo Hub need to be configure also? Or as long account itself activate modern authentication can direct login on third party device with configuration?

      If third party device need to be configure where should I go for setting, is it done at windows account by power shell in third party device?

      Reply
    29. Charles on September 15, 2020 13:38

      Hi

      We also have legacy auth in the AAD sign-ins for lync.exe for one of our client ad for almost all their users.

      S4b is on-prem (not sure if in hybrid mode yet) + Mailboxes in Exchange Online (hybrid mode with a few service mailboxes on the on-prem Exchange server) + ADFS for authentication.

      We want to enable MFA using Conditional access policies but we first need to get rid of these legacy authentications from lync.exe.

      Anybody can confirm that going through the following procedure will enable Modern Auth for lync.exe without impacting the services?
      https://docs.microsoft.com/en-us/microsoft-365/enterprise/configure-skype-for-business-for-hybrid-modern-authentication?view=o365-worldwide

      Anything else to consider?

      Thank you for your help.

      Reply