Share via

Configure server-to-server authentication for a Skype for Business Server hybrid environment.

Summary: Configure server-to-server authentication for Skype for Business Server hybrid environment.

In a hybrid configuration, some of your users are homed on an on-premises installation of Skype for Business Server. Other users are homed on the Microsoft 365 or Office 365 version of Skype for Business Server. In order to configure server-to-server authentication in a hybrid environment, you must first configure your on-premises installation of Skype for Business Server to trust the authorization server. The initial step in this process can be carried out by running the following Skype for Business Server Management Shell script:

$TenantID = (Get-CsTenant -Filter {DisplayName -eq ""}).TenantId

$sts = Get-CsOAuthServer microsoft.sts -ErrorAction SilentlyContinue

   if ($sts -eq $null)
         New-CsOAuthServer microsoft.sts -MetadataUrl "$TenantId/metadata/json/1"
         if ($sts.MetadataUrl -ne  "$TenantId/metadata/json/1")
               Remove-CsOAuthServer microsoft.sts
               New-CsOAuthServer microsoft.sts -MetadataUrl "$TenantId/metadata/json/1"

$exch = Get-CsPartnerApplication -ErrorAction SilentlyContinue

if ($exch -eq $null)
      New-CsPartnerApplication -Identity -ApplicationIdentifier 00000002-0000-0ff1-ce00-000000000000 -ApplicationTrustLevel Full -UseOAuthServer
       if ($exch.ApplicationIdentifier -ne "00000002-0000-0ff1-ce00-000000000000")
             New-CsPartnerApplication -Identity -ApplicationIdentifier 00000002-0000-0ff1-ce00-000000000000 -ApplicationTrustLevel Full -UseOAuthServer 
             Set-CsPartnerApplication -Identity -ApplicationTrustLevel Full -UseOAuthServer

Set-CsOAuthConfiguration -ServiceName 00000004-0000-0ff1-ce00-000000000000

Keep in mind that the realm name for a tenant is typically different than the organization name; in fact, the realm name is almost always the same as the tenant ID. Because of that fact, the first line in the script is used to return the value of the TenantId property for the specified tenant (in this case, and then assign that name to the variable $TenantId:

$TenantID = (Get-CsTenant -Filter {DisplayName -eq ""}).TenantId

To execute this script, you must have installed Skype for Business Online PowerShell module and connect to your tenant with this module. If you haven't installed these cmdlets, your script will fail because the Get-CsTenant cmdlet will not be available. After the script completes, you must then configure a trust relationship between Skype for Business Server and the authorization server, and a second trust relationship between Exchange 2013/2016 and the authorization server. This can only be done by using the Microsoft Online Services cmdlets.


If you have not installed the Microsoft Online Services cmdlets, you will need to install it from the PowerShell repository with the cmdlet install-module MSOnline. Detailed information for installing and using the Microsoft Online Services Module can be found on the Microsoft 365 web site. These instructions will also tell you how to configure single sign-on, federation, and synchronization between Microsoft 365 or Office 365 and Active Directory.

After you have configured Microsoft 365 or Office 365, and after you have created Microsoft 365 or Office 365 service principals for Skype for Business Server and Exchange 2013, you then need to register your credentials with these service principals. In order to register your credentials, you must first obtain an X.509 Base64 certificate saved as a .CER file. This certificate will then be applied to the Microsoft 365 or Office 365 service principals.


Azure AD Powershell is planned for deprecation on March 30, 2024. To learn more, read the deprecation update.

We recommend migrating to Microsoft Graph PowerShell to interact with Microsoft Entra ID (formerly Azure AD). Microsoft Graph PowerShell allows access to all Microsoft Graph APIs and is available on PowerShell 7. For answers to common migration queries, see the Migration FAQ.

When you obtain the X.509 certificate, open PowerShell console and import the Microsoft Online Windows PowerShell module containing the cmdlets that can be used to manage service principals:

Import-Module MSOnline

When the module is imported, type the following command and then press ENTER:


After you press ENTER, a credentials dialog box will appear. Enter your Microsoft 365 or Office 365 user name and password in the dialog box, and then select OK.

As soon as you're connected to Microsoft 365 or Office 365, you can then run the following command in order to return information about your service principals:


You should get back information similar to this for all your service principals:

ExtensionData        : System.Runtime.Serialization.ExtensionDataObject
AccountEnabled       : True
Addresses            : {}
AppPrincipalId       : 00000004-0000-0ff1-ce00-000000000000
DisplayName          : Skype for Business Server
ObjectId             : aada5fbd-c0ae-442a-8c0b-36fec40602e2
ServicePrincipalName : SkypeForBusinessServer/
TrustedForDelegation : True

The next step is to import, encode, and assign the X.509 certificate. To import and encode the certificate, use the following Windows PowerShell commands, being sure to specify the complete file path to your .CER file when you call the Import method:

$certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate
$binaryValue = $certificate.GetRawCertData()
$credentialsValue = [System.Convert]::ToBase64String($binaryValue) 

After the certificate has been imported and encoded, you can then assign the certificate to your Microsoft 365 or Office 365 service principals. To do that, first use the Get-MsolServicePrincipal to retrieve the value of the AppPrincipalId property for both the Skype for Business Server and the Microsoft Exchange service principals; the value of the AppPrincipalId property will be used to identify the service principal being assigned the certificate. With the AppPrincipalId property value for Skype for Business Server in hand, use the following command to assign the certificate to Skype For Business Online version:

New-MsolServicePrincipalCredential -AppPrincipalId 00000004-0000-0ff1-ce00-000000000000 -Type Asymmetric -Usage Verify -Value $credentialsValue 

You should then repeat the command, this time using the AppPrincipalId property value for Exchange 2013.

If you later need to delete that certificate, for example if it has expired, you can do so by first retrieving the KeyId for the certificate:

Get-MsolServicePrincipalCredential -AppPrincipalId 00000004-0000-0ff1-ce00-000000000000

That command will return data like this one:

Type      : Asymmetric
Value     : 
KeyId     : bc2795f3-2387-4543-a95d-f92c85c7a1b0
StartDate : 6/1/2012 8:00:00 AM
EndDate   : 5/31/2013 8:00:00 AM
Usage     : Verify

You can then delete the certificate by using a command similar to this:

Remove-MsolServicePrincipalCredential -AppPrincipalId 00000004-0000-0ff1-ce00-000000000000 -KeyId bc2795f3-2387-4543-a95d-f92c85c7a1b0

In addition to assigning a certificate, you must also configure the Exchange Online Service Principal and configure your on-premises version of Skype for Business Server external Web services URLs as a Microsoft 365 or Office 365 service principal. That can be done by carrying out the following two commands.

In the following example, is the external Web services URL for the Skype for Business Server pool. You should repeat these steps to add all the external Web services URLs in the deployment.

Set-MSOLServicePrincipal -AppPrincipalID 00000002-0000-0ff1-ce00-000000000000 -AccountEnabled $true
$lyncSP = Get-MSOLServicePrincipal -AppPrincipalID 00000004-0000-0ff1-ce00-000000000000
Set-MSOLServicePrincipal -AppPrincipalID 00000004-0000-0ff1-ce00-000000000000 -ServicePrincipalNames $lyncSP.ServicePrincipalNames