Category | Microsoft Docs article | Related commit history on GitHub | Change details |
---|---|---|---|
enterprise | Configure Skype For Business For Hybrid Modern Authentication | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/configure-skype-for-business-for-hybrid-modern-authentication.md | - Title: "How to configure Skype for Business on-premises to use Hybrid Modern Authentication"--- Previously updated : 12/3/2019----- MET150--- scotvorg-- M365-security-compliance-- NOCSH -description: Learn how to configure Skype for Business on-premises to use Hybrid Modern Authentication (HMA), offering you more secure user authentication and authorization. -- - seo-marvel-apr2020 - - has-azure-ad-ps-ref ---# How to configure Skype for Business on-premises to use Hybrid Modern Authentication --*This article applies to both Microsoft 365 Enterprise and Office 365 Enterprise.* --Modern Authentication is a method of identity management that offers more secure user authentication and authorization, is available for Skype for Business server on-premises and Exchange server on-premises, and split-domain Skype for Business hybrids. --> [!IMPORTANT] -> Would you like to know more about Modern Authentication (MA) and why you might prefer to use it in your company or organization? Check [this document](hybrid-modern-auth-overview.md) for an overview. If you need to know what Skype for Business topologies are supported with MA, that's documented here! --**Before we begin**, I use these terms: --- Modern Authentication (MA)--- Hybrid Modern Authentication (HMA)--- Exchange on-premises (EXCH)--- Exchange Online (EXO)--- Skype for Business on-premises (SFB)--- Skype for Business Online (SFBO)--Also, if a graphic in this article has an object that's grayed-out or dimmed that means the element shown in gray **isn't** included in MA-specific configuration. 
--## Read the summary --This summary breaks down the process into steps that might otherwise get lost during the execution, and is good for an overall checklist to keep track of where you are in the process. --1. First, make sure you meet all the prerequisites. --1. Since many **prerequisites** are common for both Skype for Business and Exchange, [see the overview article for your pre-req checklist](hybrid-modern-auth-overview.md). Do this *before* you begin any of the steps in this article. --1. Collect the HMA-specific info you need in a file, or OneNote. --1. Turn ON Modern Authentication for EXO (if it isn't already turned on). --1. Turn ON Modern Authentication for SFBO (if it isn't already turned on). --1. Turn ON Hybrid Modern Authentication for Exchange on-premises. --1. Turn ON Hybrid Modern Authentication for Skype for Business on-premises. --These steps turn on MA for SFB, SFBO, EXCH, and EXO - that is, all the products that can participate in an HMA configuration of SFB and SFBO (including dependencies on EXCH/EXO). In other words, if your users are homed in/have mailboxes created in any part of the Hybrid (EXO + SFBO, EXO + SFB, EXCH + SFBO, or EXCH + SFB), your finished product looks like this: --![A Mixed 6 Skype for business HMA topology has MA on in all four possible locations.](../media/ab89cdf2-160b-49ac-9b71-0160800acfc8.png) --As you can see, there are four different places to turn on MA! For the best user experience, we recommend you turn on MA in all four of these locations. If you can't turn MA on in all these locations, adjust the steps so that you turn on MA only in the locations that are necessary for your environment. --See the [Supportability topic for Skype for Business with MA](/skypeforbusiness/plan-your-deployment/modern-authentication/topologies-supported) for supported topologies. --> [!IMPORTANT] -> Double-check that you've met all the prerequisites before you begin. 
You'll find that information in [Hybrid modern authentication overview and prerequisites](hybrid-modern-auth-overview.md). --## Collect all HMA-specific info you'll need --After you've checked that you meet the [prerequisites](hybrid-modern-auth-overview.md) to use Modern Authentication (see the previous note), you should create a file to hold the info you'll need for configuring HMA in the steps ahead. Examples used in this article: --- **SIP/SMTP domain**-- - Ex. contoso.com (is federated with Office 365) --- **Tenant ID**-- - The GUID that represents your Office 365 tenant (at the login of contoso.onmicrosoft.com). --- **SFB 2015 CU5 Web Service URLs**--You need internal and external web service URLs for all SfB 2015 pools deployed. To obtain these, run the following command from Skype for Business Management Shell: --```powershell -Get-CsService -WebServer | Select-Object PoolFqdn, InternalFqdn, ExternalFqdn | FL -``` --- Ex. Internal: https://lyncwebint01.contoso.com--- Ex. External: https://lyncwebext01.contoso.com--If you're using a Standard Edition server, the internal URL would be blank. In this case, use the pool fqdn for the internal URL. --## Turn on Modern Authentication for EXO --Follow the instructions here: [Exchange Online: How to enable your tenant for modern authentication.](https://social.technet.microsoft.com/wiki/contents/articles/32711.exchange-online-how-to-enable-your-tenant-for-modern-authentication.aspx) --## Turn on Modern Authentication for SFBO --Follow the instructions here: [Skype for Business Online: Enable your tenant for modern authentication](https://social.technet.microsoft.com/wiki/contents/articles/34339.skype-for-business-online-enable-your-tenant-for-modern-authentication.aspx). --## Turn on Hybrid Modern Authentication for Exchange on-premises --Follow the instructions here: [How to configure Exchange Server on-premises to use Hybrid Modern Authentication](configure-exchange-server-for-hybrid-modern-authentication.md). 
--## Turn on Hybrid Modern Authentication for Skype for Business on-premises --<a name='add-on-premises-web-service-urls-as-spns-in-azure-active-directory'></a> --### Add on-premises web service URLs as SPNs in Microsoft Entra ID --Now you need to run commands to add the URLs (collected earlier) as Service Principals in SFBO. --> [!NOTE] -> Service principal names (SPNs) identify web services and associate them with a security principal (such as an account name or group) so that the service can act on the behalf of an authorized user. Clients authenticating to a server make use of information that's contained in SPNs. ---1. First, connect to Microsoft Entra ID with [these instructions](/powershell/azure/active-directory/overview). --2. Run this command, on-premises, to get a list of SFB web service URLs. -- The AppPrincipalId begins with `00000004`. This corresponds to Skype for Business Online. -- Take note of (and screenshot for later comparison) the output of this command, which includes an SE and WS URL, but mostly consist of SPNs that begin with `00000004-0000-0ff1-ce00-000000000000/`. -- ```powershell - Get-MsolServicePrincipal -AppPrincipalId 00000004-0000-0ff1-ce00-000000000000 | Select -ExpandProperty ServicePrincipalNames - ``` --3. If the internal **or** external SFB URLs from on-premises are missing (for example, https://lyncwebint01.contoso.com and https://lyncwebext01.contoso.com) we'll need to add those specific records to this list. -- Be sure to replace *the example URLs* with your actual URLs in the Add commands! -- ```powershell - $x= Get-MsolServicePrincipal -AppPrincipalId 00000004-0000-0ff1-ce00-000000000000 - $x.ServicePrincipalnames.Add("https://lyncwebint01.contoso.com/") - $x.ServicePrincipalnames.Add("https://lyncwebext01.contoso.com/") - Set-MSOLServicePrincipal -AppPrincipalId 00000004-0000-0ff1-ce00-000000000000 -ServicePrincipalNames $x.ServicePrincipalNames - ``` --4. 
Verify your new records were added by running the **Get-MsolServicePrincipal** command from step 2 again, and looking through the output. Compare the list or screenshot from before to the new list of SPNs. You can also screenshot the new list for your records. If you were successful, you can view the two new URLs in the list. Going by our example, the list of SPNs will now include the specific URLs https://lyncwebint01.contoso.com and https://lyncwebext01.contoso.com/. --### Create the EvoSTS Auth Server Object --Run the following command in the Skype for Business Management Shell. --```powershell -New-CsOAuthServer -Identity evoSTS -MetadataURL https://login.windows.net/common/FederationMetadata/2007-06/FederationMetadata.xml -AcceptSecurityIdentifierInformation $true -Type AzureAD -``` --### Enable Hybrid Modern Authentication --This is the step that actually turns on MA. All the previous steps can be run ahead of time without changing the client authentication flow. When you're ready to change the authentication flow, run this command in the Skype for Business Management Shell. --```powershell -Set-CsOAuthConfiguration -ClientAuthorizationOAuthServerIdentity evoSTS -``` --## Verify --Once you enable HMA, a client's next login will use the new auth flow. Just turning on HMA wouldn't trigger a reauthentication for any client. The clients reauthenticate based on the lifetime of the auth tokens and/or certs they have. --To test that HMA is working after you've enabled it, sign out of a test SFB Windows client and be sure to select 'delete my credentials'. Sign in again. The client should now use the Modern Auth flow and your login will now include an **Office 365** prompt for a 'Work or school' account, seen right before the client contacts the server and logs you in. --You should also check the 'Configuration Information' for Skype for Business Clients for an 'OAuth Authority'. 
To do this on your client computer, hold down the CTRL key at the same time you right-click the Skype for Business Icon in the Windows Notification tray. Select **Configuration Information** in the menu that appears. In the 'Skype for Business Configuration Information' window that appears on the desktop, look for the following: ---You should also hold down the CTRL key at the same time you right-click the icon for the Outlook client (also in the Windows Notifications tray) and select 'Connection Status'. Look for the client's SMTP address against an AuthN type of 'Bearer\*', which represents the bearer token used in OAuth. --## Related articles --[Link back to the Modern Authentication overview](hybrid-modern-auth-overview.md). --Do you need to know how to use Modern Authentication for your Skype for Business clients? We've got steps here: [Hybrid modern authentication overview and prerequisites for using it with on-premises Skype for Business and Exchange servers](./hybrid-modern-auth-overview.md). |
enterprise | Hybrid Modern Auth Overview | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/hybrid-modern-auth-overview.md | Verify and check these items off your list before you continue: - [How to configure Exchange Server on-premises to use Modern Authentication](configure-exchange-server-for-hybrid-modern-authentication.md) - [Skype for Business topologies supported with Modern Authentication](/skypeforbusiness/plan-your-deployment/modern-authentication/topologies-supported)-- [How to configure Skype for Business on-premises to use Modern Authentication](configure-skype-for-business-for-hybrid-modern-authentication.md) - [Removing or disabling Hybrid Modern Authentication from Skype for Business and Exchange](remove-or-disable-hybrid-modern-authentication-from-skype-for-business-and-excha.md) |
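Review bot: the removed checklist item drops the link to configure-skype-for-business-for-hybrid-modern-authentication.md, but the list keeps "Removing or disabling Hybrid Modern Authentication from Skype for Business and Exchange", so the overview would explain how to turn HMA off for Skype for Business without saying how it was turned on. Either point the item at replacement guidance or state beside the remaining Skype for Business entries that on-premises configuration is no longer documented here.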
enterprise | Maintain Group Membership With Microsoft 365 Powershell | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/maintain-group-membership-with-microsoft-365-powershell.md | - Title: "Maintain security group membership with PowerShell"--- Previously updated : 08/10/2020----- MET150--- scotvorg-- Ent_O365-- CSH- - - PowerShell - - Ent_Office_Other - - O365ITProTrain - - has-azure-ad-ps-ref -description: "Learn how to use PowerShell to maintain membership in Microsoft 365 groups." ---# Maintain security group membership with PowerShell --*This article applies to both Microsoft 365 Enterprise and Office 365 Enterprise.* --You can use PowerShell for Microsoft 365 as an alternative to the Microsoft 365 admin center to maintain security group membership in Microsoft 365. -->[!Note] ->[Learn how to maintain Microsoft 365 group membership](../admin/create-groups/add-or-remove-members-from-groups.md) with the Microsoft 365 admin center. For a list of additional resources, see [Manage users and groups](/admin). -> --## Use the Azure Active Directory PowerShell for Graph module -First, [connect to your Microsoft 365 tenant](connect-to-microsoft-365-powershell.md#connect-with-the-azure-active-directory-powershell-for-graph-module). --### Add or remove user accounts as members of a group ---**To add a user account by its UPN**, fill in the user account User Principal Name (UPN) (example: belindan@contoso.com) and the security group display name, removing the ΓÇ£<ΓÇ¥ and ΓÇ£>ΓÇ¥ characters, and run these commands in the PowerShell window or the PowerShell Integrated Script Environment (ISE). 
--```powershell -$userUPN="<UPN of the user account to add>" -$groupName="<display name of the group>" -Add-AzureADGroupMember -RefObjectId (Get-AzureADUser | Where { $_.UserPrincipalName -eq $userUPN }).ObjectID -ObjectId (Get-AzureADGroup | Where { $_.DisplayName -eq $groupName }).ObjectID -``` --**To add a user account by its display name**, fill in the user account display name (example: Belinda Newman) and the group display name and run these commands in the PowerShell window or the PowerShell ISE. --```powershell -$userName="<display name of the user account to add>" -$groupName="<display name of the group>" -Add-AzureADGroupMember -RefObjectId (Get-AzureADUser | Where { $_.DisplayName -eq $userName }).ObjectID -ObjectId (Get-AzureADGroup | Where { $_.DisplayName -eq $groupName }).ObjectID -``` --**To remove a user account by its UPN**, fill in the user account UPN (example: belindan@contoso.com) and the group display name and run these commands in the PowerShell window or the PowerShell ISE. --```powershell -$userUPN="<UPN of the user account to remove>" -$groupName="<display name of the group>" -Remove-AzureADGroupMember -MemberId (Get-AzureADUser | Where { $_.UserPrincipalName -eq $userUPN }).ObjectID -ObjectID (Get-AzureADGroup | Where { $_.DisplayName -eq $groupName }).ObjectID -``` --**To remove a user account by its display name**, fill in the user account display name (example: Belinda Newman) and the group display name and run these commands in the PowerShell window or the PowerShell ISE. --```powershell -$userName="<display name of the user account to remove>" -$groupName="<display name of the group>" -Remove-AzureADGroupMember -MemberId (Get-AzureADUser | Where { $_.DisplayName -eq $userName }).ObjectID -ObjectID (Get-AzureADGroup | Where { $_.DisplayName -eq $groupName }).ObjectID -``` --### Add or remove groups as members of a group --Security groups can contain other groups as members. Microsoft 365 groups, however, cannot. 
This section contains PowerShell commands to add or remove groups only for a security group. --**To add a group by its display name**, fill in the display name of the group youΓÇÖre going to add and the display name of the group that will contain the member group and run these commands in the PowerShell window or the PowerShell ISE. --```powershell -$groupMemberName="<display name of the group to add>" -$groupName="<display name of the group that will contain the member group>" -Add-AzureADGroupMember -RefObjectId (Get-AzureADGroup | Where { $_.DisplayName -eq $groupMemberName }).ObjectID -ObjectID (Get-AzureADGroup | Where { $_.DisplayName -eq $groupName }).ObjectID -``` --**To remove a group by its display name**, fill in the display name of the group youΓÇÖre going to remove and the display name of the group that will contain the member group and run these commands in the PowerShell window or the PowerShell ISE. --```powershell -$groupMemberName="<display name of the group to add>" -$groupName="<display name of the group that will contain the member group>" -Remove-AzureADGroupMember -MemberId (Get-AzureADGroup | Where { $_.DisplayName -eq $groupMemberName }).ObjectID -ObjectID (Get-AzureADGroup | Where { $_.DisplayName -eq $groupName }).ObjectID -``` --## Use the Microsoft Azure Active Directory module for Windows PowerShell --First, [connect to your Microsoft 365 tenant](connect-to-microsoft-365-powershell.md#connect-with-the-microsoft-azure-active-directory-module-for-windows-powershell). ---### Add or remove user accounts as members of a group --**To add a user account by its UPN**, fill in the user account User Principal Name (UPN) (example: belindan@contoso.com) and the group display name, removing the ΓÇ£<ΓÇ¥ and ΓÇ£>ΓÇ¥ characters, and run these commands in the PowerShell window or the PowerShell ISE. 
--```powershell -$userUPN="<UPN of the user account to add>" -$groupName="<display name of the group>" -Add-MsolGroupMember -GroupMemberObjectId (Get-MsolUser | Where { $_.UserPrincipalName -eq $userUPN }).ObjectID -GroupObjectId (Get-MsolGroup | Where { $_.DisplayName -eq $groupName }).ObjectID -``` --**To add a user account by its display name**, fill in the user account display name (example: Belinda Newman) and the group display name and run these commands in the PowerShell window or the PowerShell ISE. --```powershell -$userName="<display name of the user account to add>" -$groupName="<display name of the group>" -Add-MsolGroupMember -GroupMemberObjectId (Get-MsolUser | Where { $_.DisplayName -eq $userName }).ObjectID -GroupObjectId (Get-MsolGroup | Where { $_.DisplayName -eq $groupName }).ObjectID -``` --**To remove a user account by its UPN**, fill in the user account UPN (example: belindan@contoso.com) and the group display name and run these commands in the PowerShell window or the PowerShell ISE. --```powershell -$userUPN="<UPN of the user account to remove>" -$groupName="<display name of the group>" -Remove-MsolGroupMember -GroupMemberObjectId (Get-MsolUser | Where { $_.UserPrincipalName -eq $userUPN }).ObjectID -GroupObjectId (Get-MsolGroup | Where { $_.DisplayName -eq $groupName }).ObjectID -``` --**To remove a user account by its display name**, fill in the user account display name (example: Belinda Newman) and the group display name and run these commands in the PowerShell window or the PowerShell ISE. --```powershell -$userName="<display name of the user account to remove>" -$groupName="<display name of the group>" -Remove-MsolGroupMember -GroupMemberObjectId (Get-MsolUser | Where { $_.DisplayName -eq $userName }).ObjectID -GroupObjectId (Get-MsolGroup | Where { $_.DisplayName -eq $groupName }).ObjectID -``` --### Add or remove groups as members of a group --Security groups can contain other groups as members. Microsoft 365 groups, however, cannot. 
This section contains PowerShell commands to add or remove groups only for a security group. --**To add a group by its display name**, fill in the display name of the group youΓÇÖre going to add and the display name of the group that will contain the member group and run these commands in the PowerShell window or the PowerShell ISE. --```powershell -$groupMemberName="<display name of the group to add>" -$groupName="<display name of the group that will contain the member group>" -Add-MsolGroupMember -GroupMemberObjectId (Get-MsolGroup | Where { $_.DisplayName -eq $groupMemberName }).ObjectID -GroupObjectId (Get-MsolGroup | Where { $_.DisplayName -eq $groupName }).ObjectID -GroupMemberType Group -``` --**To remove a group by its display name**, fill in the display name of the group youΓÇÖre going to remove and the display name of the group that will contain the member group and run these commands in the PowerShell window or the PowerShell ISE. --```powershell -$groupMemberName="<display name of the group to add>" -$groupName="<display name of the group contains the member group>" -Remove-MsolGroupMember -GroupMemberObjectId (Get-MsolGroup | Where { $_.DisplayName -eq $groupMemberName }).ObjectID -GroupObjectId (Get-MsolGroup | Where { $_.DisplayName -eq $groupName }).ObjectID -GroupMemberType Group -``` --## See also --[Manage Microsoft 365 user accounts, licenses, and groups with PowerShell](manage-user-accounts-and-licenses-with-microsoft-365-powershell.md) - -[Manage Microsoft 365 with PowerShell](manage-microsoft-365-with-microsoft-365-powershell.md) - -[Getting started with PowerShell for Microsoft 365](getting-started-with-microsoft-365-powershell.md) |
enterprise | Manage Microsoft 365 Groups | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/manage-microsoft-365-groups.md | You create and manage groups with: - [The Microsoft 365 admin center](/admin) - PowerShell - [Manage Microsoft 365 groups with PowerShell](manage-microsoft-365-groups-with-powershell.md)- - [Maintain security group membership with PowerShell](maintain-group-membership-with-microsoft-365-powershell.md) - [Microsoft Entra admin center](/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal) ### Hybrid |
enterprise | Manage Security Groups With Microsoft 365 Powershell | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/manage-security-groups-with-microsoft-365-powershell.md | When a command block in this article requires that you specify variable values, 2. Fill in the variable values and remove the "<" and ">" characters. 3. Run the commands in the PowerShell window or the PowerShell ISE. -See [Maintain security group membership](maintain-group-membership-with-microsoft-365-powershell.md) to manage group membership with PowerShell. - ## Manage security groups using Microsoft Graph PowerShell >[!NOTE] |
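Review bot: the deleted "See Maintain security group membership ..." sentence, directly above "## Manage security groups using Microsoft Graph PowerShell", was this article's pointer for membership changes, and nothing is added in its place. If the Microsoft Graph PowerShell section covers adding and removing members, replace the sentence with an in-page link to that section instead of deleting the pointer outright.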
enterprise | Manage User Accounts And Licenses With Microsoft 365 Powershell | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/manage-user-accounts-and-licenses-with-microsoft-365-powershell.md | For more information, see the following articles. ## Groups - [Manage security groups](manage-security-groups-with-microsoft-365-powershell.md)-- [Maintain security group membership](maintain-group-membership-with-microsoft-365-powershell.md) - [Manage Microsoft 365 groups](manage-microsoft-365-groups-with-powershell.md) |
syntex | Syntex Pay As You Go Services | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/syntex-pay-as-you-go-services.md | To help your organization in planning for pay-as-you-go services, you can use th |Document translation |For document translation, the number of characters processed. Character count includes letters, Unicode code points, punctuation, and white spaces. <br>For video transcript translation, the number of characters from the source transcript. (This meter is charged only when the translation has successfully resulted in a new transcript.) |$15.00/1M characters | |Optical character recognition |The number of pages processed for images (JPEG, JPG, PNG, or BMP); the number of pages processed for PDF, TIF, or TIFF; or the number of embedded images in Teams chats and email messages. Each of these counts as one transaction. Processing occurs every time the file is edited. |$0.001/transaction| |Microsoft 365 Archive |The number of gigabytes (GB) of data archived. (This meter is only charged when archived storage plus active storage in SharePoint exceeds a tenantΓÇÖs included or licensed allocated SharePoint storage quota limit.) <br>Reactivation of archived data after seven days. |$0.05/GB/month (shows on invoice as $0.00167/GB/day)<br><br><br>$0.60/GB|-|Microsoft 365 Backup (Preview) |The number of gigabytes (GB) of data backed up. |$0.15/GB/month (shows on invoice as $0.005/GB/day)| +|Microsoft 365 Backup |The number of gigabytes (GB) of data backed up. |$0.15/GB/month (shows on invoice as $0.005/GB/day)| ## Related articles |
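Review bot: the `+` row removes "(Preview)" from Microsoft 365 Backup but leaves the meter description and the $0.15/GB/month ($0.005/GB/day) rate identical. Confirm that the preview rate carries over unchanged and that no other row or paragraph in the article still describes the service as a preview.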