You have probably heard about modern authentication, there’s a lot of talk about it. Especially when it comes to Office 365 and Azure. You might have seen the acronym ADAL which is the Active Directory Authentication Library which is modern authentication. So, what is modern authentication and what does it mean for Skype for Business?
Well, let’s first take a look at what modern authentication is before we start looking at how it works in Skype for Business. While modern authentication is something that is presented as something new and shiny, the corner stones and the foundation is nothing new. Modern authentication simply put, is federation. Which in the Microsoft world means AD FS.
So what does this mean for Skype for Business? Well, to be honest, not very much. It works pretty much the same as the old Passive authentication which was also based on federation. Sadly there’s no EWS integration unless you are using Office365. Hopefully this will change.
The sign in flow differs from the original behavior: An S4B client attempts to connect to the S4B server, gets redirected to AD FS where the client is presented with an authentication form, user authenticates and gets a claim and is then redirected back to the S4B server where the claim is accepted by the S4B server and the client gets the webticket. So what has changed?
From my initial tests I’ve found that they’ve changed the federation protocol to Oauth2 which comes as no surprise as it is being pushed quite heavily. Secondly, ADAL support is built into the client so unlike passive authentication the client doesn’t spawn the browser window the same way (to present the authentication form) so it looks a tad bit different.
The image below is a screenshot of the sign in using modern authentication and the PointSharp MFA to provide two-factor authentication.
If you want to test modern authentication you can follow the steps on TechNet. Just remember that you need an AD FS server as well as the scripts needed to enable Oauth2 for Skype for Business (http://aka.ms/sfbadalscripts)
Pingback: Weekly IT Newsletter – April 25-29, 2016 | Just a Lync Guy
Hey thanks for such a nice article. I just want to understand that in this Modern authentication AzureAD is required to be part of integration component? I believe in case of modern authentication AzureAD tenant/O365 tenant is needed as by default all the request from clients will go through AzureAD and then to ADFS/MFA provider for auth+2FA. Please let me know. Thanks
I would assume the same, that for modern authentication it would require the tenant to have Azure AD. With that said you could still use ADFS only by using the Passive Authentication.
Furthermore, if the requirement is 2FA for Skype for Business there are even more options available for a better client experience.
Hey thanks a lot for your reply. So is it possible to use external IDP/MFA provider for auth+2FA without involving AzureAD in Modern authentication Flow? Would be great if you can share some insight on this if it is possible.Thanks
Modem authentication is just what MS call it. I wouldn’t dare to attempt to enable passive auth with anything except ADFS as iDP to be honest. But yes it is possible to use auth with 2FA for an on-prem installation without the need for passive auth. The company I work for builds such a solution.
Hey thanks for your reply. One of my customer looking for On premise solution to achieve auth+2FA on Skype for business. Customer do not want any cloud solution for this. I think you are saying it is possible using Modern Authentication with your company built solution. Can you please share more details or your contact to have a quick call to understand it. Thanks again!