Slide 1: Best in Class Authentication – Skype for Business, Teams
BRK4001. Natasha Desai, Senior Program Manager. 8/1/2018 7:03 PM
© Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Slide 2: Topics
- Terms, Modern Auth features
- What is supported currently?
- What is coming in the future?
- Authentication flow details
- Microsoft Teams and Modern Auth
Slide 3: Terms
- Modern Auth (MA): Microsoft's implementation of OAuth 2.0 for client/server authentication.
- ADAL ("Active Directory Authentication Library"): the client library used to enable MA.
- CBA, MFA, CA, MAM: features enabled when MA is used. MA is the prerequisite.
- CBA (Cert Based Auth): allows a user to log in without a username/password. The IT admin must install a user-based cert on the device.
- MFA (Multi Factor Auth): can be enabled for all apps via O365, or for a single app using CA (needs an Intune license).
- CA (Conditional Access): allows the IT admin to permit access only under certain conditions, usually location-based or device-based. For example, only allow external devices with MFA.
- MDM/MAM (Mobile Device Management / Mobile Application Management). Example: allow copy/paste for managed apps only; wipe device.
Slide 4: Modern Auth – High Level Picture
Q: Does SfB support X (some modern auth feature)?
A: It depends on which feature, for which client, on which topology.
- Features: MFA, CBA, CA, MAM
- Clients: Win Desktop, Mac, iOS, Android
- Topologies: Online, Hybrid, Onprem (the most important and most complicated dimension)
Slide 5: What is supported today?
See the Supportability Article.
Slide 6: Clients and MA Features
Support table, by client (Windows Desktop, Mac, iOS, Android, WinPhone, Tenant Remote PS*) and feature:
- MA protocol
- MFA
- CBA (only for domain-joined machines)
- CA (via Intune)
- MAM (via Intune)
*TRPS will use MA regardless of the tenant MA switch.
Slide 7: Topologies
Important: the topology must be considered for Exchange as well as SfB, because the SfB client is a client of both SfB Server and Exchange (EWS).
Slide 8: Topologies – Online (Fully Supported ✓)
SfB Online + Exchange Online, with MA ON for both.
Slide 9: Topologies – Hybrid (Partially Supported ✓)
"Hybrid" means Exchange and/or SfB is configured for hybrid (run HCW, set up SharedSIPAddress): a single tenant with users both online and onprem.
Variables to consider for hybrid MA:
- Exchange hybrid? SfB hybrid?
- Where is MA ON? (SfBO, EXO, SfB onprem, Exchange onprem)
Supported configuration: hybrid with MA ON for online and OFF for onprem.
- Users may get multiple prompts
- A regkey is needed for the Win desktop client
- Online users can use MA features
The supportability article explains all supported hybrid flavors.
Slide 10: Topologies – Onprem (Limited Support ✓)
SfB Onprem + Exchange Onprem, with MA ON for SfB.
"Limited" because:
- Only the Win Desktop client (mobile not supported)
- No Exchange integration
Slide 11: What is coming?
Slide 12: What MA support is coming?
- Full support for hybrid
- Full support for onprem
Notes: this will provide support for all supported MA features for onprem as well as online users. The design for these is different from previous attempts, so it is important to understand how it works.
Slide 13: Announcing… Public Preview!
SfB Hybrid (SfB 2015) + EXO, MA ON. To register:
Slide 14: Design for Hybrid MA (currently in TAP)
Slide 15: Traditional Hybrid Architecture
O365 hybrid setup:
- EXO knows about Exchange Onprem; SfBO knows about SfB Onprem
- Federated identity between Onprem AD/ADFS and AAD
- All users are synced to AAD
Auth specifics:
- First point of auth is the Onprem server (AutoDiscover, LyncDiscover point to Onprem)
- Online servers trust and get auth tokens from AAD
- Onprem servers trust and get tokens from AD
- MA might be ON for online
Diagram: EXOnline and SfBOnline use AAD (evoSTS) as their authZ server; Lync/SfB and Exchange onprem use AD as their authZ server; all users sync online via AAD Connect, federated through ADFS. Orange arrows are trust flows, not transactional flows.
Slide 16: Hybrid Architecture with MA
Auth: Onprem servers get auth tokens from the same place as Online servers (AAD). Modern Auth is enabled for all 4 servers.
Advantages:
- Simpler, more consistent auth flow
- Fewer prompts for users, since there is a single STS (AAD)
- Do not need the latest version of ADFS; will work with any O365-supported STS
Diagram: AAD (evoSTS) is the authorization server for both online and onprem; EXOnline, SfBOnline, SfB 2015 and Exchange are all MA:on; all users sync online via AAD Connect, federated through ADFS. Orange arrows are trust flows, not transactional flows.
Slide 17: Hybrid Architecture with MA – Auth Flow (user hosted online for EX and SfB)
Note: the hybrid auth flow always starts onprem, since AutoD and LyncD point to onprem.
SfB login (step numbers as in the diagram):
1. LyncDiscover sends the client to SfB Onprem.
2. The SfB server says "get a token from AAD" and redirects.
3. Since AAD is federated with ADFS, AAD sends the client to ADFS.
4. The user enters creds; ADFS verifies them.
5. ADFS gives a token to the client and redirects to AAD.
6. The client goes to AAD with the ADFS token.
7. AAD gives the client an access token and a refresh token.
8. The client gives the access token to SfB Onprem.
8a. SfB validates the token signing authority with AAD.
9. SfB Onprem validates the user and redirects to SfBO.
10. SfBO redirects the client to AAD.
11. The client gives the refresh token to AAD.
12. AAD gives the SfB client an access token.
13. The client gives the access token to SfBO.
14. The user is logged in to SfB; the SfB cert is given to the SfB client.
Diagram legend: trust flow vs. transaction flow; all users syncing online via AAD Connect; ADFS federated; SfB 2015 and Ex 2013/2016 onprem with MA:on.
Slide 18: Hybrid Architecture with MA – Auth Steps (user hosted online for EX and SfB)
Note: the hybrid auth flow always starts onprem, since AutoD and LyncD point to onprem.
EWS login (steps 15 to 24 in the diagram, continuing from the SfB login):
15. AutoDiscover sends the client to Exchange onprem.
16. The Exchange server says "get a token from AAD" and redirects.
17. The client sends the refresh token to AAD.
18. AAD gives the client an access token.
19. The client gives the access token to Exchange onprem.
20. Exchange onprem validates the user and redirects to EXO.
21. EXO redirects the client to AAD.
22. The client gives the refresh token to AAD.
23. The client gives the access token to EXO.
24. The user is logged in to Exchange.
Diagram legend: trust flow vs. transaction flow; all users syncing online via AAD Connect; ADFS federated; SfB 2015 and EX 2013/2016 onprem with MA:on.
Slide 19: Tokens, certs, lifetimes
AAD Modern Auth tokens:
- Client access token = 1 hour
- Refresh token = 90 days by default (configurable)
SfB cert:
- Online server = 8 hours
- Onprem server = 180 days by default (configurable)
Re-auth process: re-auth is triggered for the user when the SfB cert expires AND the refresh token expires.
Slide 20: Turning HMA ON
- Global setting; it cannot be done per user, per pool, etc.
- Adds MA to the list of client auth protocols the server supports; it does not disable older protocols.
Steps: 2 cmdlets for Exchange, 2 cmdlets for SfB.
Client behavior when the setting is turned ON:
- The next time the client decides it needs to start an auth flow (depending on cert lifetime), it will use the new MA flow.
- A new auth flow can be forced by doing "delete my creds".
- Clients that do not support MA will continue to do legacy auth.
Slide 21: HMA PreReqs
- Federated identity with AAD; all users syncing to AAD
- Skype for Business Server: Server 2015 CU5+, no coexistence with older versions. Exception: the SBA can be on the current version (which is based on Lync 2013).
- Exchange Server: 2013 (CU15+) or 2016 (CU5+). No Exchange 2010. Cannot be in a resource forest (known issue).
- Onprem STS: 2012 R2 AD FS (3.0) and above, or any O365-supported 3rd party STS
- No special licensing needed
Slide 22: HMA FAQ
Q: What clients do not support MA?
A: LRS, Rigel, Surface Hub, IP Phones, Lync for Mac, Lync 2010.
Q: Will HMA support a third-party STS onprem?
A: HMA will support any O365-supported third-party STS onprem.
Q: Do any extra ports need to be enabled to allow onprem to talk to AAD?
A: Yes. All FEs need access to the internet to talk to AAD.
Q: Do I need to sync all my users to AAD, or only the ones that will be homed online?
A: You need to sync all users to AAD regardless of where the user is homed. This is a requirement for any SfB or Exchange hybrid configuration, regardless of how Modern Auth is configured. Without this, SfB and Exchange functionality will not work correctly.
Slide 23: Design for Onprem MA (with AAD) (currently in TAP)
Slide 24: Architecture for Onprem MA (with AAD)
Auth flow: the same as the HMA flow, without the redirection to online.
PreReqs: the same as HMA.
Licensing and setup:
- Need at least one user (the admin) with an O365 license assigned
- Exchange: run HCW, but do not move any users to online
- SfB: a full hybrid setup is not needed
- Add the onprem web service URLs to the Service Principals for EXO and SFBO
- Same cmdlets as HMA
Diagram: AAD (evoSTS), EXOnline and SfBOnline; all users syncing online via AAD Connect; ADFS; SfB 2015 and EX 2013/2016 onprem with MA:on. Legend: trust flow vs. transaction flow.
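Slides 20 and 24 only say that HMA is switched on with "2 cmdlets for Exchange, 2 cmdlets for SfB" and that the onprem web service URLs are added to the EXO and SfBO service principals. The PowerShell below is an added example, not from the deck, showing those steps together with the read-back checks a defender would run afterwards; the tenant name, hostnames and the assumption that the MSOnline module, the SfB Server Management Shell and the on-prem Exchange Management Shell are all available are placeholders and assumptions, not values from the slides.

```powershell
# Added example (not from the deck). Assumes: Connect-MsolService already done as a Global Admin,
# Cs* cmdlets run in the SfB Server Management Shell, Exchange cmdlets in the onprem Exchange
# Management Shell. All *.contoso.example hostnames and the tenant name are placeholders.

# 1. Add the onprem web service URLs to the O365 service principals (slide 24).
$sfbAppId = "00000004-0000-0ff1-ce00-000000000000"   # well-known Skype for Business Online app id
$exAppId  = "00000002-0000-0ff1-ce00-000000000000"   # well-known Exchange Online app id
$toAdd = @{
    $sfbAppId = @("https://lyncwebext.contoso.example")                                    # placeholder
    $exAppId  = @("https://mail.contoso.example/", "https://autodiscover.contoso.example/") # placeholders
}
foreach ($appId in $toAdd.Keys) {
    $sp = Get-MsolServicePrincipal -AppPrincipalId $appId
    # -ServicePrincipalNames replaces the whole list, so append to the existing SPNs, never overwrite.
    $names = @($sp.ServicePrincipalNames) + $toAdd[$appId] | Select-Object -Unique
    Set-MsolServicePrincipal -AppPrincipalId $appId -ServicePrincipalNames $names
}

# 2. Exchange onprem: make AAD (EvoSts) the default authorization endpoint and enable MA clients.
$tenant = "contoso.onmicrosoft.com"   # placeholder
New-AuthServer -Name EvoSts -AuthMetadataUrl "https://login.windows.net/$tenant/FederationMetadata/2007-06/FederationMetadata.xml"
Set-AuthServer -Identity EvoSts -IsDefaultAuthorizationEndpoint $true
Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

# 3. SfB Server 2015: trust AAD as the client authorization server and allow ADAL clients.
New-CsOAuthServer -Identity evoSTS -MetadataUrl "https://login.windows.net/common/FederationMetadata/2007-06/FederationMetadata.xml" -AcceptSecurityIdentifierInformation $true -Type AzureAD
Set-CsOAuthConfiguration -ClientAuthorizationOAuthServerIdentity evoSTS
Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed

# 4. Read back the effective settings. HMA only ADDS MA to the supported client auth protocols
#    (slide 20): legacy auth remains available, so clients that cannot do MA still sign in.
Get-MsolServicePrincipal -AppPrincipalId $sfbAppId | Select-Object -ExpandProperty ServicePrincipalNames
Get-MsolServicePrincipal -AppPrincipalId $exAppId  | Select-Object -ExpandProperty ServicePrincipalNames
Get-AuthServer | Select-Object Name, IsDefaultAuthorizationEndpoint, Enabled
Get-OrganizationConfig | Select-Object OAuth2ClientProfileEnabled
Get-CsOAuthConfiguration | Select-Object ClientAuthorizationOAuthServerIdentity, ClientAdalAuthOverride
```

Because the setting is global (slide 20), the read-back in step 4 is the only confirmation point; per-user or per-pool scoping is not available.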
Slide 25: Teams and Modern Auth
Slide 26: Teams and MA
Topology: Online only ✓
Clients and MA features (support table):
- Desktop: Windows, Mac
- Mobile: iOS, Android, WinPhone
- Web: Edge, IE, Chrome, Firefox
Feature rows: MA protocol, MFA, CBA, CA, MAM.
Slide 27: Wrap Up
Slide 28: Resources
- SfB HMA Public Preview
- Other relevant Ignite sessions: Modern Authentication for Exchange (Fri morning); Troubleshooting Office 365 Identity (Thurs 9/28, 4pm)
- Documents: Skype for Business Topologies supported with Modern Authentication; Desktop client comparison tables for Skype for Business; Mobile client comparison tables for Skype for Business