As a Cloud Consultant working with products that are part of the Office 365 and the Microsoft Enterprise Mobility +Security Suite (EMS), I often get a lot of questions about multi-factor authentication (MFA), and how to get started.
Most customers today has a strategy about MFA when employees are trying to access corporate company data from outside the company perimeter. But when customers are using cloud services like Office 365, OneDrive and SharePoint that boundary moves from a physical boundary to the user identity. Therefore the requirement for multi-factor authentication is something that most customers wants to implement as part of their cloud strategy.
The key to a successful MFA deployment starts by enabling modern authentication. Modern authentication brings Active Directory Authentication Library (ADAL)-based sign in to your Office 365 applications, and without this enabled, end users will have to use “App Passwords”, witch is a true nightmare for any user and it department.
By default Office 365 tenants (Exchange Online, SharePoint Online and Skype for Business Online) will need to be configured to accept a modern authentication connection. I recommend that you enabled for modern authentication both Exchange Online and Skype for Business, if you want to use MFA.
- Skype for Business Online – OFF by default.
- Exchange Online – OFF by default.
- SharePoint Online – ON by default.
Enable modern authentication for Skype for Business Online
To enable modern authentication for Skype for Business Online, complete the following steps:
Step 1: Install Skype for Business Online, Windows PowerShell Module:
https://www.microsoft.com/en-us/download/details.aspx?id=39366
Step 2: Connect to Skype for Business using PowerShell
$sfboSession = New-CsOnlineSession -UserName user@domain.com
Import-PSSession $sfboSession
Step 3: Verify the current settings (optional)
The expected result: ClientAdalAuthOverride : Disallowed
Get-CsOAuthConfiguration
Step 4: Enable modern authentication for Skype for Business Online
Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed
Step 5: Verify that the change was successful by running the following:
The expected result: ClientAdalAuthOverride : Allowed
Get-CsOAuthConfiguration
Important: Please note, that it might take up to 24 hours before modern authentication starts to work. Usually it’s less than one hour, but please be patient when you start testing. It you don’t get the result you expect, watch a movie, drink a cup of coffee and try again.
Thanks to @AlexFilipin for reminding me, to add this note to the article.
I have also posted a sample script on Microsoft TechNet Gallery, where all the commands used in this example can be found: https://gallery.technet.microsoft.com/Enable-modern-authenticatio-d7180f99
That’s it… Enjoy!
32 Comments
Thanks! Your solution was the only one that worked!
If I enable MFA for Skype for Business Online, using the powershell method you described, does that mean that EVERY user will be asked to enter a code from a Microsoft Authenticator APP, even though Two Factor Authentication may not be enabled on EVERY Office 365 User Account? Put another way, I only have 10% of my users enabled for Two Factor Authentication in my Office 365 tennant, and I am concerned that if I enable MFA on ‘Skype for Business Online’ via powershell, that it will prevent skype login for 90% of my users who do not enrol for MFA yet. Thank you.
No… MFA is not required if you enable modern authentication. It’s safe to do this.
Thanks very much Ronni
Pingback: Sysadmin Today #48: Migrating Active Directory, ADFS & MFA
Are there any drawbacks to enabling modern authentication? I can’t imagine that this would affect any other O365 systems, but want to be sure before I enable this in our production tenant.
No. This should not affect any systems. You will only get more options.
Have I understood wrong, when I believe that enabling Modern Auth on SfB will, in fact, enforce it? Resulting in for example 2013 clients being unable to login without setting enableADAL through GPO’s?
Basic Auth. will still work….
This article is awesome! I was spinning my wheels for quite some time just using the instructions provided by Microsoft (they really make you work for it).
Thank you so much!
You’re welcome 🙂
Thank you so much , very useful and clear
Mohd
Hi Ronni
Modern authentication is on for our users but our android users can’t use their mail and skype for business is there any reason for this case? Do I need to another script?
Thanks
Are you using Outlook or the built-in mail client ?
This article was really helpfull!!
Great work!
Will this enable modern authentication for the Skype 2016 client as well?
Yes! This should work for all clients that supports modern auth. (including 2016).
Hi Ronni, thanks great article. Do you know, if i can enable only the sfb online users to use modern Auth. in a Sfb Hybrid environment and let the onprem users on legacy Auth.?
Thanks
I don’t know much about SfB on-prem… Sorry!
I am the de facto IT person for our small company. I’m not a IT person by trade and I have been struggling to make MFA work with Outlook and Skype for our company by cobbling together various internet searches. Your article was the key! It was impossible to find this same information on the Microsoft support and I spent close to 3 hours with their help desk personnel and we never got this far. Thank you!
Thank you for the feedback 🙂
Hi Ronni,
Could you please confirm the impact enabling Modern Authentication will have on the users who are not MFA enabled/enforced. For example, will it force all non-MFA users to re-enter the passwords?
thanks
James
There should be no impact for these users.
What about the users who are MFA enabled/enforced. How would the changes affect them? Do they have to re-enter the password for SfB?
No. They should be just fine.
Thanks Ronni for the article, So enabling Modern Authentication for Skype for Business will enable it for Exchange Online as well?
No. You need to do both.
Pingback: Sysadmin Today #61: Office 365 Best Practices
Thanks Ronni, for making the clear picture about enabling Modern Authentication for Skype for business as i was assuming this is enabled by default for the Skype for business as per the Microsoft. but here is the Gap-
Here is the per service state of modern authentication by default for tenants created before August 1, 2017:
Skype for Business Online – OFF by default.
Exchange Online – OFF by default.
SharePoint Online – ON by default.
Note: As of August 1, 2017, for all newly created Office 365 tenants, use of modern authentication is now ON by default for Exchange Online and Skype for Business Online.
The -ClientAdalAuthOverride parameter for the CMDLET Set-CsOAuthConfiguration takes one of three options:
NoOverride
Allowed
Disallowed
Can you explain what each option does when set?
Thanks Ronni, how can we enforce that only Modern Auth is allowed? You mentioned above in the comments that basic auth will still work for legacy clients. We already have a conditional access policy that would block legacy protocols, however, is there a way in the skype online powershell module to enforce only modern auth? For example, the parameter “ClientAdalOverride” has also the possible value of “NoOverride.” I can’t find documentation that clearly explains what allowed, disallowed and nooverride mean.
Any help much appreciated.
I don’t have the answer, but I’m recommending the same CA rules to block Basic Authentication.