Would you like to know more about Modern Authentication (MA) and why you might prefer to use it in your company or organization? Check this document for an overview. If you need to know what Skype for Business topologies are supported with MA, that's documented here!

Also, if a graphic in this article has an object that's grayed-out or dimmed that means the element shown in gray isn't included in MA-specific configuration.

This summary breaks down the process into steps that might otherwise get lost during the execution, and is good for an overall checklist to keep track of where you are in the process.

First, make sure you meet all the prerequisites. Since many prerequisites are common for both Skype for Business and Exchange, see the overview article for your pre-req checklist. Do this before you begin any of the steps in this article.
Collect the HMA-specific info you'll need in a file, or OneNote.
Turn ON Modern Authentication for EXO (if it isn't already turned on).
Turn ON Modern Authentication for SFBO (if it isn't already turned on).
Turn ON Hybrid Modern Authentication for Exchange on-premises.
Turn ON Hybrid Modern Authentication for Skype for Business on-premises.

These steps turn on MA for SFB, SFBO, EXCH, and EXO - that is, all the products that can participate in an HMA configuration of SFB and SFBO (including dependencies on EXCH/EXO). In other words, if your users are homed in/have mailboxes created in any part of the Hybrid (EXO + SFBO, EXO + SFB, EXCH + SFBO, or EXCH + SFB), your finished product will look like this:

As you can see there are four different places to turn on MA! For the best user experience, we recommend you turn on MA in all four of these locations. If you can't turn MA on in all these locations, adjust the steps so that you turn on MA only in the locations that are necessary for your environment.

See the Supportability topic for Skype for Business with MA for supported topologies.

Double-check that you've met all the prerequisites before you begin. You'll find that information in Hybrid modern authentication overview and prerequisites.

Collect all HMA-specific info you'll need

After you've double-checked that you meet the prerequisites to use Modern Authentication (see the note above), you should create a file to hold the info you'll need for configuring HMA in the steps ahead.

The GUID that represents your Office 365 tenant (at the login of ).

You'll need internal and external web service URLs for all SfB 2015 pools deployed. To obtain these, run the following from Skype for Business Management Shell:

Get-CsService -WebServer | Select-Object PoolFqdn, InternalFqdn, ExternalFqdn | FL

If you're using a Standard Edition server, the internal URL will be blank. In this case, use the pool fqdn for the internal URL.

Turn on Modern Authentication for EXO

Follow the instructions here: Exchange Online: How to enable your tenant for modern authentication.

Turn on Modern Authentication for SFBO

Follow the instructions here: Skype for Business Online: Enable your tenant for modern authentication.

Turn on Hybrid Modern Authentication for Exchange on-premises

Follow the instructions here: How to configure Exchange Server on-premises to use Hybrid Modern Authentication.

Turn on Hybrid Modern Authentication for Skype for Business on-premises

Add on-premises web service URLs as SPNs in Azure Active Directory

Now you'll need to run commands to add the URLs (collected earlier) as Service Principals in SFBO.

Service principal names (SPNs) identify web services and associate them with a security principal (such as an account name or group) so that the service can act on the behalf of an authorized user. Clients authenticating to a server make use of information that's contained in SPNs.

First, connect to Azure Active Directory (Azure AD) with these instructions.

Run this command, on-premises, to get a list of SFB web service URLs:

Get-MsolServicePrincipal -AppPrincipalId 00000004-0000-0ff1-ce00-000000000000 | Select -ExpandProperty ServicePrincipalNames

Note that the AppPrincipalId begins with 00000004. This corresponds to Skype for Business Online. Take note of (and screenshot for later comparison) the output of this command, which will include an SE and WS URL, but mostly consist of SPNs that begin with 00000004-0000-0ff1-ce00-000000000000/.
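
For the step that adds the collected on-premises web service URLs as SPNs, the following added example (not part of the original article) compares the URLs gathered with Get-CsService against a saved SPN list and returns only the ones still missing, applying the Standard Edition rule of using the pool FQDN when the internal URL is blank. The function name Get-MissingSfbSpn, the https://<fqdn>/ form of the SPN, and every sample value are assumptions constructed for illustration.

```powershell
# Constructed sample standing in for the output of:
#   Get-CsService -WebServer | Select-Object PoolFqdn, InternalFqdn, ExternalFqdn
$webServices = @(
    [pscustomobject]@{ PoolFqdn = 'pool01.contoso.example'; InternalFqdn = 'webint01.contoso.example'; ExternalFqdn = 'webext01.contoso.example' }
    # Standard Edition server: InternalFqdn comes back blank
    [pscustomobject]@{ PoolFqdn = 'se01.contoso.example'; InternalFqdn = ''; ExternalFqdn = 'webext02.contoso.example' }
)

# Constructed sample standing in for the SPN list noted from Get-MsolServicePrincipal
$existingSpns = @(
    '00000004-0000-0ff1-ce00-000000000000/sample.contoso.example'
    'https://WEBEXT01.contoso.example/'
)

# Hypothetical helper: returns the SPN URLs that are not yet registered.
function Get-MissingSfbSpn {
    param(
        [Parameter(Mandatory)] [object[]] $WebService,
        [string[]] $ExistingSpn = @()
    )

    # Hashtable literals compare string keys case-insensitively, which
    # matches how host names in URLs should be compared.
    $known = @{}
    foreach ($spn in $ExistingSpn) { $known[$spn.Trim()] = $true }

    foreach ($svc in $WebService) {
        # Blank internal URL (Standard Edition): fall back to the pool FQDN
        $internal = if ([string]::IsNullOrWhiteSpace($svc.InternalFqdn)) { $svc.PoolFqdn } else { $svc.InternalFqdn }

        foreach ($fqdn in @($internal, $svc.ExternalFqdn)) {
            if ([string]::IsNullOrWhiteSpace($fqdn)) { continue }

            # Assumed SPN form: https://<fqdn>/ with a trailing slash
            $url = 'https://{0}/' -f $fqdn.Trim().ToLowerInvariant()

            # Emit each URL once, and only if it is not already an SPN
            if (-not $known.ContainsKey($url)) {
                $known[$url] = $true
                $url
            }
        }
    }
}

Get-MissingSfbSpn -WebService $webServices -ExistingSpn $existingSpns
```

Reviewing the returned list against the screenshot of the existing SPNs before changing the service principal keeps the set of registered URLs limited to the pools that are actually deployed.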