Author: Steve Moore – Skype for Business TSP TechNet Blogs
I have been playing around with MFA today in a lab and working on getting MFA working for my on premises users. I have SFB setup in hybrid mode (split domain), i.e both O365 and SFB On premises are looking after by domain.
On December 6th 2017 we announced that we support MFA for SFB On premises users (with EXO mailboxes) which is pretty cool. Blog post here https://techcommunity.microsoft.com/t5/Skype-for-Business-Blog/Hybrid-Modern-Auth-for-SfB-and-Exchange-goes-GA/ba-p/134756
So I figured I had better give it a go. Fortunately we have a pretty comprehensive guide out on how to turn it on, just here https://support.office.com/en-us/article/How-to-configure-Skype-for-Business-on-premises-to-use-Hybrid-Modern-Authentication-522d5cec-4e1b-4cc3-937f-293570717bc6
So I followed the key steps and voila worked a treat. Some thoughts to be aware of:
Once you turn on SFB MFA auth in on premises, all users will start to be authenticated against O365, not just those you enable for MFA in O365. i.e I enabled a user victor for MFA and he started working beautifully. I then tried to sign in as Anna, another onprem user who wasn’t enabled for MFA in O365. When signing in, I am now prompted to auth against Office 365 from the SFB client. (see below).
- Once having signed in with a password, you will of course be prompted for a 2nd factor, in my case using a One time code from O365 text’d to my mobile phone. After putting in the code (see prompt in SFB client below), voila I was in .
- You need to turn on per user MFA in Office 365, and the user then needs to setup how they would like to use MFA when signing into O365 apps including SFB. Once those two steps are done, the SFB client will start using O365 MFA.
- Make sure you check out the pre-reqs as this is designed for SFB Hybrid and Exchange Online scenarios, and will not work with all customer scenarios (so please be careful here and read up on all the supported scenarios).
- There is a great video on SFB Modern Auth from Ignite 2017, go here to have a look https://myignite.microsoft.com/videos/53262;
- It’s also worth reading the Planning for MFA in Office 365 before tackling this approach https://support.office.com/en-us/article/Plan-for-multi-factor-authentication-for-Office-365-Deployments-043807b2-21db-4d5c-b430-c8a6dee0e6ba?ui=en-US&rs=en-US&ad=US;
Anyway, it is exciting we now have this as it will help a lot of my customers who want SFB MFA but still have users on premises. So exciting stuff.
PS. Don’t forget lab this stuff up before you go and do in production, test test and test