News

Microsoft Lights Up 'Hybrid Modern Authentication' for Skype, Exchange

• By Kurt Mackie
• December 11, 2017

A new "hybrid modern authentication" capability is now generally available for Skype for Business and Exchange, Microsoft announced recently.

The general availability stamp is the ultimate signal from Microsoft that it sees a product or capability as being ready for use in production environments. Organizations using Skype for Business Server or Exchange Server in their own datacenters likely have surmised that they could link up with the Office 365 versions, namely Exchange Online and Skype for Business Online, using Azure Active Directory for end user authentications. Microsoft is now laying down that message for authenticating Exchange and Skype for Business users, both online and on-premises.

Microsoft had pushed its "hybrid" marketing message for quite a long time, by which it typically meant organizations had the choice of using Microsoft's servers on premises or they could use the servers housed in Microsoft's datacenters. The hybrid modern authentication term, though, seems to be a new name-dropper from Microsoft. It's a short-hand reference to the Azure Active Directory cloud-based identity and access management service.

Microsoft is signaling that Azure AD now supports Exchange or Skype for Business, both online and on premises, or in various combinations, and it's all for real this time.

Supported Products
Quite a lot of the technical detail behind enabling hybrid modern authentication was explained back in May by Microsoft's Exchange team in this "Deep Dive" article, which described Microsoft's shift toward using the Open Authorization (OAuth) protocol after moving away from DAuth. The use of OAuth aligned the authentication process to be more in tune with open standards. That said, DAuth doesn't necessarily go away under a hybrid modern authentication scenario.

"Remember OAuth is only for on-premises <-> Exchange Online users, so you might very well end up with both being used if you are both hybrid with Exchange Online and have partner relationships with other organizations," Microsoft's Deep Dive article explained.

The article offered a technical explanation about why Microsoft considers its cloud-based authentication scheme to be secure for organizations to use. It was followed up last week by "Announcing Hybrid Modern Authentication for Exchange On-Premises," another Exchange team discussion, but with practical advice for IT pros on how to enable hybrid modern authentication for Exchange Server when used on premises. It noted that hybrid modern authentication is only possible when using Exchange Server 2013 with Cumulative Update 19 or Exchange Server 2016 with Cumulative Update 8.

In a separate article, Microsoft explained that hybrid modern authentication is possible for Skype for Business Server 2015 with the May cumulative update in place.

Users of Exchange Server 2010 users are out of luck. There's no path to hybrid modern authentication for that product because the Hybrid Configuration Wizard "won't let you enable OAuth if E2010 exists," the article explained.

Azure AD Dependency
The whole hybrid modern authentication scheme for both Exchange and Skype for Business depends on using Azure AD organization wide. Organizations can't use Azure AD for just some end users and expect the scheme to work for everyone, according to the article.

Microsoft claims that hybrid modern authentication is "more secure as passwords are no longer being sent from client to server once the user is authenticated." And despite the complexity in setting up hybrid modern authentication, Microsoft claims that it makes the authentication flow "exactly the same for both your cloud and on-premises users." The use of hybrid modern authentication also results in "an improved user experience as there will be less authentication prompts," the article claimed.

Hybrid modern authentication also lights up "security features such as Multi-Factor Authentication (MFA), Cert-Based Authentication (CBA), AAD Conditional Access (CA) and Intune Mobile Application Management (MAM) for all their users, both those homed online as well as those homed on-prem," Microsoft's announcement explained.

Microsoft's hybrid modern authentication for Exchange article specified that the scheme will work if IT pros carry out the exact steps specified. Most of the changes to get to hybrid modern authentication can be done without cutting off end users or entailing off-hours work, the article claimed.

The last two Exchange steps entail running a couple of scripts using "true" values. The setup can be reversed later by running those scripts with "false" values if things go wrong, the Exchange team claimed.