
Archive for the ‘Skype for Business’ Category

Here’s something I discovered recently and would like to share with you.  If you are using Skype for Business Online and want to control access to it with an Azure AD Conditional Access policy, you should be aware that under certain circumstances the control can be completely bypassed.

The problem has to do with the fact that Conditional Access is only evaluated when the authentication attempt comes from one of the following:

-A web browser
-A client app that uses modern authentication
-Exchange ActiveSync

Conditional Access is not evaluated for legacy clients, i.e. those that do not sign in with modern authentication.  The policy is enforced by Azure AD during the sign-in, not by the client, so a client that authenticates with a legacy protocol never goes through the evaluation at all.  For example, the Skype for Business 2015 client (the one that ships with Office 2013) uses legacy authentication unless modern authentication has been explicitly enabled for it, so its sign-in is never checked against the policy and the control is bypassed.

Let’s look at this in more detail.

In this example, I have created a new Conditional Access policy specifically for Skype for Business Online.

I want all users to be included in the policy.

[Screenshot 001]

I only want the policy to apply to Skype for Business Online.

[Screenshot 002]

And finally, I only want access to be permitted from Hybrid Azure AD joined devices (i.e. those that are joined to on-premises AD and also registered in Azure AD).

[Screenshot 003]

I’ve left all of the other settings within the policy at their defaults.  Once I’ve enabled and saved the policy the next thing to do is test whether it works as expected.

The first test is to determine whether the policy blocks access from the Skype for Business 2016 client (Click-to-Run version, which uses modern authentication) running on a device that does not meet the Hybrid Azure AD joined condition.  As expected, access is denied along with a friendly and reasonably helpful error message (shown in the screenshot below).

[Screenshot 004]

The second test is run from a machine that also doesn’t meet the Hybrid Azure AD joined condition, but this time the sign-in attempt is from the Skype for Business 2015 client.  In this test the user is able to sign in without any problems.

[Screenshot 005]

The Skype for Business 2015 client is able to completely bypass the Conditional Access control, which renders it effectively useless: your Skype for Business Online instance can be accessed from any device by anyone who holds valid credentials.  The question is then what you can do about it.  There’s currently no silver bullet for this scenario.  Microsoft makes provision to block legacy client apps for SharePoint Online and, to an extent, Exchange Online, but there is nothing obviously available for Skype for Business Online.
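Before deciding how to handle the gap it is worth knowing which accounts are actually reaching Skype for Business Online through a legacy client, because those are exactly the sign-ins the policy above never evaluated.  The following PowerShell is an added example, not code from the original post: it runs the check over a constructed sample in the shape of an Azure AD sign-in log export.  The column names and the ‘Other clients’ label for legacy authentication are assumptions to verify against your own export.

```powershell
# Added example (not from the original post): flag Skype for Business Online
# sign-ins that arrived through a legacy (non-modern-auth) client, i.e. the
# sign-ins a Conditional Access policy like the one above never evaluates.
# The CSV below is CONSTRUCTED sample data shaped like an Azure AD sign-in log
# export; the column names and the 'Other clients' label for legacy
# authentication are assumptions to verify against your own export.

$sampleCsv = @'
createdDateTime,userPrincipalName,appDisplayName,clientAppUsed,status,ipAddress
2017-11-20T09:01:12Z,alice@contoso.com,Skype for Business Online,Mobile Apps and Desktop clients,Failure,203.0.113.10
2017-11-20T09:02:40Z,alice@contoso.com,Skype for Business Online,Other clients,Success,203.0.113.10
2017-11-20T09:05:03Z,bob@contoso.com,Office 365 SharePoint Online,Browser,Success,198.51.100.7
2017-11-20T09:06:55Z,carol@contoso.com,Skype for Business Online,Other clients,Success,192.0.2.25
2017-11-20T09:08:10Z,dave@contoso.com,Skype for Business Online,Other clients,Failure,192.0.2.30
'@

function Get-LegacySfbSignIns {
    param(
        [Parameter(Mandatory)][string]$CsvText,
        [string]$AppName = 'Skype for Business Online'
    )
    # Split the export into lines first so a single multi-line string is handled
    # the same way as the string[] that Get-Content would produce.
    $rows = ($CsvText -split "`r?`n") | Where-Object { $_ } | ConvertFrom-Csv
    $rows | Where-Object {
        $_.appDisplayName -eq $AppName -and $_.clientAppUsed -eq 'Other clients'
    }
}

function Get-ExposedAccounts {
    # Accounts that actually got in through a legacy client: Conditional Access
    # never saw these sign-ins, so the policy is not protecting these users today.
    param([Parameter(Mandatory)][string]$CsvText)
    Get-LegacySfbSignIns -CsvText $CsvText |
        Where-Object { $_.status -eq 'Success' } |
        Select-Object -ExpandProperty userPrincipalName -Unique |
        Sort-Object
}

# All legacy-client sign-ins to the app, successful or not.
Get-LegacySfbSignIns -CsvText $sampleCsv |
    Format-Table createdDateTime, userPrincipalName, ipAddress, status -AutoSize

# The accounts to follow up on (e.g. with the MFA workaround) before trusting the policy.
$exposed = Get-ExposedAccounts -CsvText $sampleCsv
"Accounts with successful legacy-client sign-ins: $($exposed -join ', ')"
```

In the sample, alice is blocked from a modern-authentication client and then signs in successfully from a legacy one, which is the same pattern as the two tests above; a real export will show you who is doing that in your tenant.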

One workaround is to enforce MFA (per-user MFA at the Azure AD level) for the users who need to access Skype for Business.  A legacy client has no way to complete the second factor, so with MFA enabled the user sees the following (spectacularly unhelpful) error when trying to sign in from the Skype for Business 2015 client.  Note that this only holds if app passwords are not allowed for those users: a legacy client can still sign in with an app password, which would reopen the gap.

[Screenshot 006]

I understand that Microsoft are (as of November 2017) looking at a method – currently in private preview – to address issues with legacy clients and Conditional Access, not just for Skype for Business but across the board.  Watch this space.

I recently had a challenge with a customer that had on-premises Skype for Business (SfB) and was looking to migrate to SfB Online. They did not want to federate the two infrastructures, but instead wanted to re-point users at a given point in time by modifying the DNS records. When they introduced AAD Connect the default synchronisation included the SfB attributes, which is standard behaviour when AAD Connect detects that the schema extensions for SfB (the msRTCSIP-* attributes) are present in on-premises AD. The presence of SfB-related user attribute values in the synchronisation flow caused SfB Online to detect all existing SfB on-premises users as hybrid. It meant my customer could not assign SfB Online access to synchronised users, which would have been a problem for testing the cut-over. The workaround for this was to modify the AAD Connect synchronisation rules to set the SfB attribute values to null.  The steps implemented to achieve this are shown below.

1. Stop the AAD Connect sync scheduler. 

From an elevated PowerShell prompt on the AAD Connect server, run the following command:

Set-ADSyncScheduler -SyncCycleEnabled $false

2. Open the Synchronisation Rules Editor and create an editable copy of the ‘In from AD – User Lync’ inbound synchronisation rule.

[Screenshot sfb1]

3. Set the new rule to have a higher precedence (lower numeric value) than the original rule.  Keep the value below 100, as AAD Connect reserves 100 and above for its default rules and expects custom rules in the 0–99 range.

[Screenshot sfb2]

4. Leave the scoping filter as is, i.e. no change.

[Screenshot sfb3]

5. Leave the join rules as is, i.e. no change.

[Screenshot sfb4]

6. Edit the transformation for each of the attribute flows in the rule (the msRTCSIP-* attributes shown in the screenshot).  Change the flow type to Expression and the source to AuthoritativeNull, so that the null wins over any other rule that flows a value for the same attribute.

[Screenshot sfb5]

7. Save the rule.

8. Start the AAD Connect sync scheduler and run a full (initial) synchronisation by running the following PowerShell commands (a full sync re-processes every object, so allow time on a large directory):

Set-ADSyncScheduler -SyncCycleEnabled $true
Start-ADSyncSyncCycle -PolicyType Initial

9. Confirm that the synchronised users no longer appear as hybrid users in SfB Online.  Run the following Powershell command:

Get-CsOnlineUser | ft userprincipalname, interpretedusertype -AutoSize

Note. This command requires the Skype for Business Online Windows PowerShell Module and an established session to SfB Online.

The output should show your synchronised users with an InterpretedUserType of  ‘NoService’.  If any appear as ‘HybridOnPrem’ then the custom synchronisation rule has not taken effect.

The synchronised users should now be available to enable for Skype for Business Online.  Bear in mind that the custom rule suppresses the on-premises SfB attributes for every synchronised user, so if you later decide you do want a hybrid configuration the rule must be disabled or deleted and a full synchronisation run again.
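The procedure above is driven through the Synchronisation Rules Editor, so it is easy to end up with a copied rule that has the wrong precedence or a flow left as Direct.  The following PowerShell is an added example, not code from the original post: it checks the rule as AAD Connect sees it and then checks the SfB Online result, with constructed sample objects so the logic can be exercised offline.  The rule object property names (Direction, Precedence, AttributeFlowMappings, Destination, FlowType, Expression) are assumed from Get-ADSyncRule output, and the rule name ‘In from AD – User Lync – Null’ is an assumed name for the copy; verify both against your own server.

```powershell
# Added example (not from the original post). Verifies the outcome of steps 2-9
# above. Property names on the rule objects are ASSUMED from Get-ADSyncRule
# output; the name of the copied rule is also an assumption.

# The msRTCSIP-* attributes flowed by the default 'In from AD - User Lync' rule.
$lyncAttributes = @(
    'msRTCSIP-ApplicationOptions', 'msRTCSIP-DeploymentLocator', 'msRTCSIP-Line',
    'msRTCSIP-OptionFlags', 'msRTCSIP-OwnerUrn', 'msRTCSIP-PrimaryUserAddress',
    'msRTCSIP-UserEnabled'
)

function Test-LyncNullRule {
    # $Rules: output of Get-ADSyncRule. Returns a list of problems; empty means OK.
    param(
        [Parameter(Mandatory)][object[]]$Rules,
        [string]$OriginalName = 'In from AD - User Lync',
        [string]$CloneName    = 'In from AD - User Lync - Null'
    )
    $problems = @()
    $orig  = $Rules | Where-Object { $_.Name -eq $OriginalName -and $_.Direction -eq 'Inbound' }
    $clone = $Rules | Where-Object { $_.Name -eq $CloneName    -and $_.Direction -eq 'Inbound' }
    if (-not $orig)  { $problems += "Original rule '$OriginalName' not found." }
    if (-not $clone) { $problems += "Custom rule '$CloneName' not found."; return $problems }
    # Lower number = higher precedence; custom rules belong in the 0-99 range
    # that AAD Connect leaves free below its default rules.
    if ($orig -and $clone.Precedence -ge $orig.Precedence) {
        $problems += "Custom rule precedence $($clone.Precedence) is not lower than original $($orig.Precedence)."
    }
    if ($clone.Precedence -ge 100) { $problems += "Custom rule precedence should be below 100." }
    foreach ($attr in $lyncAttributes) {
        $flow = $clone.AttributeFlowMappings | Where-Object { $_.Destination -eq $attr }
        if (-not $flow) { $problems += "No flow for $attr in custom rule."; continue }
        if ($flow.FlowType -ne 'Expression' -or $flow.Expression -ne 'AuthoritativeNull') {
            $problems += "$attr flows as $($flow.FlowType) '$($flow.Expression)'; expected Expression AuthoritativeNull."
        }
    }
    return $problems
}

function Get-StillHybridUsers {
    # $Users: output of Get-CsOnlineUser. Anyone still HybridOnPrem is reported.
    param([Parameter(Mandatory)][object[]]$Users)
    $Users | Where-Object { $_.InterpretedUserType -eq 'HybridOnPrem' } |
        Select-Object UserPrincipalName, InterpretedUserType
}

# --- CONSTRUCTED sample input so the checks can be exercised offline ---
$sampleRules = @(
    [pscustomobject]@{ Name = 'In from AD - User Lync'; Direction = 'Inbound'; Precedence = 112
        AttributeFlowMappings = $lyncAttributes | ForEach-Object {
            [pscustomobject]@{ Destination = $_; FlowType = 'Direct'; Expression = $null } } }
    [pscustomobject]@{ Name = 'In from AD - User Lync - Null'; Direction = 'Inbound'; Precedence = 50
        AttributeFlowMappings = $lyncAttributes | ForEach-Object {
            [pscustomobject]@{ Destination = $_; FlowType = 'Expression'; Expression = 'AuthoritativeNull' } } }
)
$sampleUsers = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.com'; InterpretedUserType = 'NoService' }
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.com';   InterpretedUserType = 'HybridOnPrem' }
)
Test-LyncNullRule -Rules $sampleRules
Get-StillHybridUsers -Users $sampleUsers

# --- Live use: elevated prompt on the AAD Connect server, then an SfB Online session ---
# Set-ADSyncScheduler -SyncCycleEnabled $false
# ...create and save the copied rule in the Synchronisation Rules Editor as above...
# $problems = Test-LyncNullRule -Rules (Get-ADSyncRule)
# if ($problems) { $problems; throw 'Fix the rule before running a full sync.' }
# Set-ADSyncScheduler -SyncCycleEnabled $true
# Start-ADSyncSyncCycle -PolicyType Initial
# Get-StillHybridUsers -Users (Get-CsOnlineUser)
```

Running the rule check before the full synchronisation is the point: a full sync on a large directory is slow, and a rule with the wrong precedence or a stray Direct flow will simply leave the users as HybridOnPrem, which you would otherwise only discover at step 9.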

Hopefully, this has been useful to you.  Let me know if you have any corrections or suggestions for improvements by adding a comment.