Tuesday, October 9, 2018

Enabling modern authentication (ADAL) on Skype for Business

By default, Skype for Business requires users to use App Passwords for logging into Skype for Business.

I'm stealing the info from this post from this excellent tutorial:
https://www.ronnipedersen.com/2017/07/11/enable-modern-authentication-for-skype-for-business-online

I'm simplifying for my future use.  Important note - the DNS records as defined by Microsoft should be in place before going through this process.  Particularly, there should be a CNAME record pointing lyncsicover.domainname.com to webdir.online.lync.com.

First, download the Visual Basic C++ 2017 redistributable from here:
https://aka.ms/vs/15/release/VC_redist.x64.exe

This is needed for the Skype for Business Powershell installer.

Then download the Skype for Business Powershell installer itself:
https://download.microsoft.com/download/2/0/5/2050B39B-4DA5-48E0-B768-583533B42C3B/SkypeOnlinePowerShell.Exe


Then run PowerShell and run these commands:
$sfboSession = New-CsOnlineSession -UserName user@domain.com
Import-PSSession $sfboSession

Then run:
Get-CsOAuthConfiguration

You'll find a line for "ClientAdalAuthOverride" which will likely show "disabled" which is the behavior we want to change.

Run this command:
Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed

This process allows ADAL (aka modern authentication).  The tutorial I am replicating says this change can take up to 24 hours to take effect, but it often takes effect within one hour.