Info about the AllowAdalForNonLyncIndependentOfLync setting in Skype for Business, Lync 2013, and Exchange Online

INTRODUCTION

This article contains information about the AllowAdalForNonLyncIndependentOfLync setting in Skype for Business 2016, Skype for Business 2015, Lync 2013, and Exchange Online.

MORE INFORMATION

The information in this article helps IT and Office 365 administrators enable the following scenarios:
  • Get Lync 2013 and Skype for Business users homed on Skype for Business Server 2015 or Lync Server 2013 on-premises
  • Set up mailboxes in Exchange Online in Office 365 by using Modern Authentication and Multi-factor Authentication (MFA) with OAuth
Functionality in the previous environment is as follows:
  • The Skype for Business Desktop and Lync 2013 clients connect to Skype for Business Server by using NTLM or the Kerberos authentication protocol, a user name and password, or Windows Integrated Authentication. 
  • After you sign in, Skype for Business or Lync 2013 connects to the user’s mailbox in Exchange Online by using Exchange Web Services (EWS). Although the EWS service advertises OAuth settings (the authorization URI), the client ignores this and falls back to a non-MFA sign-in by using an OrgID channel. This limits sign-in protocols to a user name and password or to Windows Integrated Authentication.

The new AllowAdalForNonLyncIndependentOfLync setting lets Skype for Business Desktop or Lync 2013 clients unblock MFA with Exchange Online in situations where the IT admin must enforce MFA on Exchange Online. You can apply this new setting by using Group Policy in the Windows registry or as an in-band endpoint policy setting on the Skype for Business Server.

After you apply this setting to the client computer:
  • The Skype for Business Desktop or Lync 2013 clients will connect to Skype for Business Server by using NTLM or the Kerberos authentication protocol. Specifically, a user name and password or Windows Integrated Authentication will be required for a successful connection (as before).
  • After you sign in, Skype for Business or Lync 2013 will connect to Exchange Web Services (EWS). If the EWS service advertises OAuth settings (authorization URI), the client will use MFA. Additionally, if a credentials refresh is necessary, the user will be prompted through the modern authentication dialog box.

Important
Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, back up the registry for restoration in case problems occur.


Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

There are two methods by which to apply the AllowAdalForNonLyncIndependentOfLync setting.

Method 1: Use Group Policy

Note The option to enable this setting through Group Policy is available only after you apply the July 2015 Public Update (PU).

For Skype for Business or Lync 2013 clients 15.0* (available from the September 2015 PU only):
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\Lync
For Skype for Business or Lync 2013 clients 16.0*:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Lync

Method 2: As an in-band setting on the Lync server

Note This option is available through the September PU only. 

To enable the in-band setting on the Lync server, run the following cmdlet:
$a = New-CsClientPolicyEntry -name AllowAdalForNonLyncIndependentOfLync -value "True"
Set-CsClientPolicy -Identity Global -PolicyEntry @{Add=$a}

Important To enable Modern Authentication for Office 2013 applications on a Windows-based device, you must set an additional registry key:

Registry key                                                     Type       Value
HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity\EnableADAL   REG_DWORD  1
HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity\Version      REG_DWORD  1

For more information about the EnableADAL setting, go to the following Microsoft website:

For more information about the Skype for Business Desktop client version for Modern Authentication flow (July Update):
3054946 July 14, 2015, update for Lync 2013 (Skype for Business) (KB3054946)
Notes
  • Method 2 is available to customers who have the Lync 2013 (Skype for Business) update published in or after September 2015.
  • The same September update (or later versions) has more Modern Authentication-related fixes. Customers should plan to upgrade to it after it is published.
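
To confirm that the settings described above actually landed, the following read-only PowerShell audit is an added example, not part of the original article or Microsoft's own tooling. It assumes the policy value under the Lync key is named AllowAdalForNonLyncIndependentOfLync and is a DWORD of 1 when enabled (the article gives only the key path); the function names are hypothetical.

```powershell
# Added example: read-only check of the client registry values named in this article.
# Assumption: the value under ...\Policies\Microsoft\Office\<ver>\Lync is a DWORD
# named AllowAdalForNonLyncIndependentOfLync, set to 1 when enabled.
function Get-AdalClientState {
    param(
        [ValidateSet('15.0', '16.0')]
        [string]$OfficeVersion = '15.0'
    )
    $checks = @(
        @{ Path = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\Lync"
           Name = 'AllowAdalForNonLyncIndependentOfLync'; Expected = 1 }
    )
    if ($OfficeVersion -eq '15.0') {
        # Office 2013 applications also need the two Identity values from the article.
        $identity = 'HKCU:\SOFTWARE\Microsoft\Office\15.0\Common\Identity'
        $checks += @{ Path = $identity; Name = 'EnableADAL'; Expected = 1 }
        $checks += @{ Path = $identity; Name = 'Version';    Expected = 1 }
    }
    foreach ($c in $checks) {
        # A missing key or value yields $null instead of an error.
        $item   = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $actual = if ($item) { $item.($c.Name) } else { $null }
        [pscustomobject]@{
            Path      = $c.Path
            Name      = $c.Name
            Expected  = $c.Expected
            Actual    = $actual
            Compliant = ($null -ne $actual -and $actual -eq $c.Expected)
        }
    }
}

# Server side (Method 2): list the in-band entry on the Global client policy.
# Run in the Skype for Business Server Management Shell.
function Get-AdalInBandEntry {
    if (-not (Get-Command Get-CsClientPolicy -ErrorAction SilentlyContinue)) {
        Write-Warning 'Get-CsClientPolicy is not available; skipping server check.'
        return
    }
    (Get-CsClientPolicy -Identity Global).PolicyEntry |
        Where-Object { $_.Name -eq 'AllowAdalForNonLyncIndependentOfLync' }
}

Get-AdalClientState -OfficeVersion '15.0' | Format-Table -AutoSize
```

A client that receives the setting in-band (Method 2) may show no policy registry value, so check both sides before concluding that the setting is absent.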

Properties

Article ID: 3082803 - Last Review: Dec 21, 2016 - Revision: 1