Skype for Business on prem - Bypassing MFA/ADAL/Modern Auth

  • Question

  • Hi,

    I recently set up modern auth for our on prem SfB 2015 deployment and have configured it with Azure MFA server to do multi factor auth. It works beautifully but... if I try to access it from an older SfB client I don't get prompted for MFA, nor do I seem to get handed off to ADFS, even when I try to enforce it from the ADFS config. I have identified that this is due to the client not supporting OAuth but surely it should fail to sign in rather than bypass it?? Anyone else experienced this or know how to stop sign ins from clients that don't support OAuth?

    Kind Regards

    Matt

    Monday, March 27, 2017 3:21 PM

All replies

  • Hi Matt,

    Some client versions don't support OAuth. You can check your version of Office client in Control Panel where you Add and Remove programs in order to compare your version number to the versions (or ranges of versions) listed here:
    Office Client 15.0.[0000-4766].*
    Office Client 16.0.[0000-4293].*
    Office Client 16.0.6001.[0000-1032]
    Office Client 16.0.[6000-6224].*

    https://technet.microsoft.com/en-us/library/mt710548.aspx

    So please update those SfB clients to the latest version for a test.


    Best Regards,
    Jim Xu
    TechNet Community Support


    Please remember to mark the replies as answers if they helped.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, March 28, 2017 9:18 AM
    Moderator
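
    Added example (not part of any post in this thread): a Python check that applies the version ranges listed in the reply above to a client inventory, reading each range as builds without OAuth support, as the reply presents them. The inventory, host names and function names are constructed for illustration.

```python
import re

# Ranges copied from the reply above. Assumption: each one describes builds
# that lack OAuth support, which is how the reply presents the list.
LISTED_RANGES = ["15.0.[0000-4766].*", "16.0.[0000-4293].*",
                 "16.0.6001.[0000-1032]", "16.0.[6000-6224].*"]
_BRACKET = re.compile(r"\[(\d+)-(\d+)\]")

def compile_range(pattern):
    """Convert 'a.b.[lo-hi].*' into four (lo, hi) bounds; None means any value."""
    bounds = []
    for part in pattern.split("."):
        m = _BRACKET.fullmatch(part)
        if part == "*":
            bounds.append(None)
        elif m:
            bounds.append((int(m.group(1)), int(m.group(2))))
        else:
            bounds.append((int(part), int(part)))
    return bounds

COMPILED = [(p, compile_range(p)) for p in LISTED_RANGES]

def listed_range_for(version):
    """Return the first listed range containing a four-part version, else None."""
    v = version.strip()
    if not re.fullmatch(r"\d+(?:\.\d+){3}", v, re.ASCII):
        raise ValueError(f"expected a.b.c.d, got {version!r}")
    nums = [int(x) for x in v.split(".")]
    for text, bounds in COMPILED:
        if all(b is None or b[0] <= n <= b[1] for n, b in zip(nums, bounds)):
            return text
    return None

# Constructed inventory: host names and build numbers are made up.
SAMPLE_INVENTORY = [("WS-001", "15.0.4569.1503"), ("WS-002", "15.0.4937.1000"),
                    ("WS-003", "16.0.4266.1003"), ("WS-004", "16.0.7369.2038"),
                    ("WS-005", "16.0.6001.1000")]

def flag_clients(inventory):
    """Map each host whose build sits in a listed range to that range."""
    checked = ((host, listed_range_for(v)) for host, v in inventory)
    return {host: rng for host, rng in checked if rng}

if __name__ == "__main__":
    for host, rng in flag_clients(SAMPLE_INVENTORY).items():
        print(f"{host}: build is inside {rng}, so it needs updating")
```

    Ranges are applied literally and in list order, so a build that falls inside more than one listed range is reported against the first.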
  • Hi,

    Yes I have updated the affected clients and confirmed that this fixed the problem (they were then prompting for MFA correctly). My question is, why aren't the older clients being stopped from logging in if they don't support OAuth?

    Kind Regards

    Matt

    Tuesday, March 28, 2017 12:38 PM
  • It's because you still have the other authentication methods (TLS-DSK, Kerberos, NTLM) enabled. Since the older clients don't work with Modern Auth they just ignore it and use the other methods available to sign in.
    Tuesday, March 28, 2017 2:33 PM
  • Is there a supported process to disable these authentication methods and if so, how do I go about it?
    Wednesday, March 29, 2017 12:37 PM
  • Is there a supported process to disable these authentication methods and if so, how do I go about it?

    Hi Matt,

    As far as I am concerned, we cannot disable them from the client side, but I found a document about authentication in SfB at the following link:

    https://blog.kloud.com.au/2015/05/07/sfb-external-authentication/  

    Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.


    Best Regards,
    Jim Xu
    TechNet Community Support


    Thursday, March 30, 2017 5:44 AM
    Moderator