Skype for Business Online: Enable your tenant for modern authentication

This article is currently a work in progress

Introduction

To learn more about modern authentication, visit: https://blogs.office.com/2015/03/23/office-2013-modern-authentication-public-preview-announced/

In order for Office clients to use modern authentication flows, the Office 365 tenant needs to be configured support modern authentication flows. You can find more details here - http://aka.ms/modernAuthClients.

Defaults

The Office 365 tenant/resource host (Exchange Online, SharePoint Online and Skype for Business Online) will need to be configured to accept a modern authentication connection. We recommend Exchange Online be enabled for modern authentication when enabling modern authentication for Skype for Business.

Here is the per service state of modern authentication by default for tenants created before August 1, 2017:

• Skype for Business Online - OFF by default.
• Exchange Online - OFF by default.
• SharePoint Online - ON by default.

Note: For Office 365 US Government Defense tenants, modern authentication is ON by default to enable the use of PIV and CAC cards. 

Note: As of August 1, 2017, for all newly created Office 365 tenants, use of modern authentication is now ON by default for Exchange Online and Skype for Business Online.

Because Skype for Business clients connect to both Skype for Business Online and Exchange Online, tenant level modern authentication settings should match for Exchange Online and Skype for Business Online.

Steps to enable modern authentication for Skype for Business Online

This article explains how to enable your Skype for Business Online tenant to support modern authentication.

1. Connect to Skype for Business Online using remote PowerShell: https://aka.ms/SkypePowerShell
2. Run the following command:
   • Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed
3. Verify that the change was successful by running the following:
   • Get-CsOAuthConfiguration

Frequently Asked Questions

How can Exchange Online be configured to use modern authentication?

Via Exchange Online remote PowerShell: How to enable your tenant for modern authentication

I enabled modern authentication in my tenant, but now I want to revert it. How do I do that?

Run the following command.

Set-CsOAuthConfiguration -ClientAdalAuthOverride NoOverride

How do I use modern authentication with the Skype for Business Online Windows PowerShell Module?

Ensure your tenant is modern authentication enabled and you have the latest Skype for Business Online Windows PowerShell Module. Version 7.0.1026.0 or later is required.

To use multi-factor authentication providing a PSCredential object to New-CsOnlineSession is no longer used, New-CsOnlineSession will now prompt for credentials without a PSCredential object.

 

Examples of how to use the new connector with a modern authentication enabled tenant:

 

New-CsOnlineSession user@domain.com	will prompt for credentials for the specified user, using multi-factor authentication enabled for that user
New-CsOnlineSession	will prompt for admin UPN, then prompt for credentials for that user, using multi-factor authentication if enabled
New-CsOnlineSession <PSCredential>	Not valid if multi-factor authentication is enabled for the user. Included so that existing scripts for admins using username and password only will continue to work

 

See also

• Exchange Online: How to enable your tenant for modern authentication