How to configure Skype for Business on-premises to use Hybrid Modern Authentication

This article applies to both Microsoft 365 Enterprise and Office 365 Enterprise.

Modern Authentication is a method of identity management that offers more secure user authentication and authorization, is available for Skype for Business server on-premises and Exchange server on-premises, and split-domain Skype for Business hybrids.


Would you like to know more about Modern Authentication (MA) and why you might prefer to use it in your company or organization? Check this document for an overview. If you need to know what Skype for Business topologies are supported with MA, that's documented here!

Before we begin, I use these terms:

  • Modern Authentication (MA)

  • Hybrid Modern Authentication (HMA)

  • Exchange on-premises (EXCH)

  • Exchange Online (EXO)

  • Skype for Business on-premises (SFB)

  • Skype for Business Online (SFBO)

Also, if a graphic in this article has an object that's grayed-out or dimmed that means the element shown in gray isn't included in MA-specific configuration.

Read the summary

This summary breaks down the process into steps that might otherwise get lost during the execution, and is good for an overall checklist to keep track of where you are in the process.

  1. First, make sure you meet all the prerequisites.

  2. Since many prerequisites are common for both Skype for Business and Exchange, see the overview article for your pre-req checklist. Do this before you begin any of the steps in this article.

  3. Collect the HMA-specific info you need in a file, or OneNote.

  4. Turn ON Modern Authentication for EXO (if it isn't already turned on).

  5. Turn ON Modern Authentication for SFBO (if it isn't already turned on).

  6. Turn ON Hybrid Modern Authentication for Exchange on-premises.

  7. Turn ON Hybrid Modern Authentication for Skype for Business on-premises.

These steps turn on MA for SFB, SFBO, EXCH, and EXO - that is, all the products that can participate in an HMA configuration of SFB and SFBO (including dependencies on EXCH/EXO). In other words, if your users are homed in/have mailboxes created in any part of the Hybrid (EXO + SFBO, EXO + SFB, EXCH + SFBO, or EXCH + SFB), your finished product looks like this:

A Mixed 6 Skype for business HMA topology has MA on in all four possible locations.

As you can see, there are four different places to turn on MA! For the best user experience, we recommend you turn on MA in all four of these locations. If you can't turn MA on in all these locations, adjust the steps so that you turn on MA only in the locations that are necessary for your environment.

See the Supportability topic for Skype for Business with MA for supported topologies.


Double-check that you've met all the prerequisites before you begin. You'll find that information in Hybrid modern authentication overview and prerequisites.

Collect all HMA-specific info you'll need

After you've checked that you meet the prerequisites to use Modern Authentication (see the previous note), you should create a file to hold the info you'll need for configuring HMA in the steps ahead. Examples used in this article:

  • SIP/SMTP domain

    • Ex. (is federated with Office 365)
  • Tenant ID

    • The GUID that represents your Office 365 tenant (at the login of
  • SFB 2015 CU5 Web Service URLs

You need internal and external web service URLs for all SfB 2015 pools deployed. To obtain these, run the following command from Skype for Business Management Shell:

Get-CsService -WebServer | Select-Object PoolFqdn, InternalFqdn, ExternalFqdn | FL

If you're using a Standard Edition server, the internal URL would be blank. In this case, use the pool fqdn for the internal URL.

Turn on Modern Authentication for EXO

Follow the instructions here: Exchange Online: How to enable your tenant for modern authentication.

Turn on Modern Authentication for SFBO

Follow the instructions here: Skype for Business Online: Enable your tenant for modern authentication.

Turn on Hybrid Modern Authentication for Exchange on-premises

Follow the instructions here: How to configure Exchange Server on-premises to use Hybrid Modern Authentication.

Turn on Hybrid Modern Authentication for Skype for Business on-premises

Add on-premises web service URLs as SPNs in Microsoft Entra ID

Now you need to run commands to add the URLs (collected earlier) as Service Principals in SFBO.


Service principal names (SPNs) identify web services and associate them with a security principal (such as an account name or group) so that the service can act on the behalf of an authorized user. Clients authenticating to a server make use of information that's contained in SPNs.


Azure AD and MSOnline PowerShell modules are deprecated as of March 30, 2024. To learn more, read the deprecation update. After this date, support for these modules are limited to migration assistance to Microsoft Graph PowerShell SDK and security fixes. The deprecated modules will continue to function through March, 30 2025.

We recommend migrating to Microsoft Graph PowerShell to interact with Microsoft Entra ID (formerly Azure AD). For common migration questions, refer to the Migration FAQ. Note: Versions 1.0.x of MSOnline may experience disruption after June 30, 2024.

  1. First, connect to Microsoft Entra ID with these instructions.

  2. Run this command, on-premises, to get a list of SFB web service URLs.

    The AppPrincipalId begins with 00000004. This corresponds to Skype for Business Online.

    Take note of (and screenshot for later comparison) the output of this command, which includes an SE and WS URL, but mostly consist of SPNs that begin with 00000004-0000-0ff1-ce00-000000000000/.

    Get-MsolServicePrincipal -AppPrincipalId 00000004-0000-0ff1-ce00-000000000000 | Select -ExpandProperty ServicePrincipalNames
  3. If the internal or external SFB URLs from on-premises are missing (for example, and we'll need to add those specific records to this list.

    Be sure to replace the example URLs with your actual URLs in the Add commands!

    $x= Get-MsolServicePrincipal -AppPrincipalId 00000004-0000-0ff1-ce00-000000000000
    Set-MSOLServicePrincipal -AppPrincipalId 00000004-0000-0ff1-ce00-000000000000 -ServicePrincipalNames $x.ServicePrincipalNames
  4. Verify your new records were added by running the Get-MsolServicePrincipal command from step 2 again, and looking through the output. Compare the list or screenshot from before to the new list of SPNs. You can also screenshot the new list for your records. If you were successful, you can view the two new URLs in the list. Going by our example, the list of SPNs will now include the specific URLs and

Create the EvoSTS Auth Server Object

Run the following command in the Skype for Business Management Shell.

New-CsOAuthServer -Identity evoSTS -MetadataURL -AcceptSecurityIdentifierInformation $true -Type AzureAD

Enable Hybrid Modern Authentication

This is the step that actually turns on MA. All the previous steps can be run ahead of time without changing the client authentication flow. When you're ready to change the authentication flow, run this command in the Skype for Business Management Shell.

Set-CsOAuthConfiguration -ClientAuthorizationOAuthServerIdentity evoSTS


Once you enable HMA, a client's next login will use the new auth flow. Just turning on HMA wouldn't trigger a reauthentication for any client. The clients reauthenticate based on the lifetime of the auth tokens and/or certs they have.

To test that HMA is working after you've enabled it, sign out of a test SFB Windows client and be sure to select 'delete my credentials'. Sign in again. The client should now use the Modern Auth flow and your login will now include an Office 365 prompt for a 'Work or school' account, seen right before the client contacts the server and logs you in.

You should also check the 'Configuration Information' for Skype for Business Clients for an 'OAuth Authority'. To do this on your client computer, hold down the CTRL key at the same time you right-click the Skype for Business Icon in the Windows Notification tray. Select Configuration Information in the menu that appears. In the 'Skype for Business Configuration Information' window that appears on the desktop, look for the following:

The Configuration information of a Skype for Business Client using Modern Authentication shows a Lync and EWS OAUTH Authority URL of

You should also hold down the CTRL key at the same time you right-click the icon for the Outlook client (also in the Windows Notifications tray) and select 'Connection Status'. Look for the client's SMTP address against an AuthN type of 'Bearer*', which represents the bearer token used in OAuth.

Link back to the Modern Authentication overview.

Do you need to know how to use Modern Authentication for your Skype for Business clients? We've got steps here: Hybrid modern authentication overview and prerequisites for using it with on-premises Skype for Business and Exchange servers.