With more and more customers adopting the Enterprise Mobility Suite, I am encountering customers who run into issues when they turn on Microsoft Multi-Factor Authentication (MFA) in Office 365 without being fully prepared for how that affects the Skype for Business client. Specifically, I am referring to customers that have moved to Exchange Online and still have Skype for Business Server installed on premises. Why might we enable MFA? As the name implies, you want multiple layers of authentication to ensure a user really is that user. MFA in Office client apps is made possible by Modern Authentication, which brings Active Directory Authentication Library (ADAL)-based sign-in to Office client apps across platforms and thereby enables sign-in features such as MFA.
Issue
Any pre-Office 2016 Skype client is not ADAL/MFA aware. As a result, when a user who has MFA enabled signs in to Skype for Business or Lync Server, the client fails to connect to that user's Exchange mailbox. You have two options here: you can have users request an MFA app password and enter it in their Skype client, or you can enable Modern Authentication support for the Office 2013 client.
Here is an example of an app password:
bifvmvcpqwdbpsyz
Clearly this would be a hard password to guess which makes it secure. However, it’s also a tedious one to have to enter into your client or phone.
AllowAdalForNonLyncIndependentOfLync
That’s certainly a mouthful! The AllowAdalForNonLyncIndependentOfLync setting in Skype for Business lets you provide the Modern Auth experience to users of Office 2013, so they don’t need to use an MFA app password in their client.
KB3082803 goes into detail on how to do this.
Method 1: Use Group Policy
Note: The option to enable this setting through Group Policy is available only after you apply the July 2015 Public Update (PU).
For Skype for Business or Lync 2013 clients 15.0* (available from the September 2015 PU only):
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\Lync
For Skype for Business or Lync 2013 clients 16.0*:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Lync
Method 2: As an in-band setting on the Lync server
Note: This option is available through the September 2015 PU only.
To enable the in-band setting on the Lync server, run the following cmdlet:
$a = New-CsClientPolicyEntry -name AllowAdalForNonLyncIndependentOfLync -value "True"
Set-CsClientPolicy -Identity Global -PolicyEntry @{Add=$a}
To enable Modern Authentication for Office 2013 applications on a Windows-based device, you must set an additional registry key:
| Registry key | Type | Value |
| --- | --- | --- |
| HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity\EnableADAL | REG_DWORD | 1 |
| HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity\Version | REG_DWORD | 1 |
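The following PowerShell script is an added example, not code from the original post or from KB3082803. It audits a Windows client for the Office 2013 registry settings described in Method 1 and in the table above, and writes them only when run with -Fix. The value name and DWORD type under the Lync policy key are an assumption drawn from the setting name in the post; the two Identity values come from the table.

```powershell
# Added example: audit (and optionally set) the Office 2013 Modern Auth
# client settings discussed above. Nothing is written unless -Fix is given.
param([switch]$Fix)

# Expected values. The Lync policy value name/type are ASSUMED from the
# setting name in the post; the two Identity values come from the table.
$expected = @(
    @{ Path = 'HKCU:\Software\Policies\Microsoft\Office\15.0\Lync'
       Name = 'AllowAdalForNonLyncIndependentOfLync'; Value = 1 },
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Office\15.0\Common\Identity'
       Name = 'EnableADAL'; Value = 1 },
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Office\15.0\Common\Identity'
       Name = 'Version'; Value = 1 }
)

# Returns the DWORD value, or $null when the key or value does not exist.
function Get-RegDword {
    param([string]$Path, [string]$Name)
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null
    }
}

$report = foreach ($e in $expected) {
    $current = Get-RegDword -Path $e.Path -Name $e.Name
    $ok = ($current -eq $e.Value)
    if (-not $ok -and $Fix) {
        # Create the key path if needed, then write the DWORD.
        if (-not (Test-Path $e.Path)) { New-Item -Path $e.Path -Force | Out-Null }
        New-ItemProperty -Path $e.Path -Name $e.Name -PropertyType DWord `
            -Value $e.Value -Force | Out-Null
        $current = $e.Value; $ok = $true
    }
    $shown  = if ($null -eq $current) { '<absent>' } else { $current }
    $status = if ($ok) { 'OK' } else { 'MISSING' }
    [pscustomobject]@{
        Key      = "$($e.Path)\$($e.Name)"
        Expected = $e.Value
        Current  = $shown
        Status   = $status
    }
}
$report | Format-Table -AutoSize

# Server side (Method 2): confirm the in-band policy entry is present with
#   Get-CsClientPolicy -Identity Global | Select-Object -ExpandProperty PolicyEntry
```

Run it without -Fix first on a pilot machine to see which of the three values are absent before pushing the change through Group Policy.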
What about Office 2016?
If you are running Office 2016, Modern Auth is already supported and you do not need to make any changes to your environment. If you support both Office 2013 and Office 2016, you still need to follow the steps above for the Office 2013 clients.