How to restrict access to Skype for business online using Azure AD Conditional Access

Every time an Office 365 license that includes a Skype for Business plan is assigned to a user in O365, that user can access Skype for Business from any device.
In some scenarios, customers might want to block access from specific devices for specific groups of users.
By default, Skype for Business Online doesn’t give you the possibility to block specific devices.

Using modern authentication, you can work around this ‘limitation’ by implementing a Conditional Access Policy on Azure AD.

Conditional Access is one of the features available with Microsoft Modern Authentication.
Modern Authentication is the Microsoft OAuth implementation, and it uses ADAL, the Active Directory Authentication Library used in Office 365.
Together with Conditional Access, Modern Authentication enables Multi-Factor Authentication, Certificate-Based Authentication and Mobile Device Management/Mobile Application Management.

Since these features are available only with Modern Authentication, Skype for Business Online needs to be enabled for it and the client has to support Modern Authentication.
You also need at least an Azure AD Premium Plan 1 license assigned to the user.

More information about conditional access is available here.

In this example, I created a conditional access rule to block access to Skype for Business for all devices but Android. This rule has been applied to one O365 group.
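The post created this rule in the Azure AD portal. The following is an added example, not the author's own steps, showing the same policy (block Skype for Business Online on every platform except Android, scoped to one group) created with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed, that you sign in with a role allowed to manage Conditional Access, and that the target group is called `SfB Android Only` (a hypothetical name). The Skype for Business Online application id is the well-known Azure AD value; verify it against your tenant's service principals before relying on it.

```powershell
# Added example (not from the original post): create the policy described above
# with the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph module installed; the signed-in account may manage
# Conditional Access; the target group 'SfB Android Only' exists (hypothetical name).

# Scopes needed to resolve the group and to read/write Conditional Access policies
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","Group.Read.All"

# Resolve the group the policy applies to (hypothetical group name)
$group = Get-MgGroup -Filter "displayName eq 'SfB Android Only'"
if (-not $group) { throw "Target group 'SfB Android Only' not found" }

# Well-known application id of Skype for Business Online in Azure AD.
# Check it with: Get-MgServicePrincipal -Filter "appId eq '<id>'"
$skypeAppId = "00000004-0000-0ff1-ce00-000000000000"

$policy = @{
    displayName   = "Block Skype for Business Online except Android"
    # Start in report-only mode: the sign-in logs then show who *would* be
    # blocked without locking anyone out. Switch to "enabled" after review.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeGroups = @($group.Id) }
        applications   = @{ includeApplications = @($skypeAppId) }
        clientAppTypes = @("all")
        platforms      = @{
            includePlatforms = @("all")      # every device platform ...
            excludePlatforms = @("android")  # ... except Android
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")         # deny the token instead of requiring MFA
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy $($created.Id) in state $($created.State)"

# Read the policy back and confirm the platform include/exclude lists are as intended
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
$check.Conditions.Platforms | Format-List IncludePlatforms, ExcludePlatforms
```

Two points worth keeping in mind when you deploy this: the device platform condition is derived from the client's user-agent string, so it is a usability and scoping control rather than a hard security boundary; if the goal is enforcement, pair it with a device-compliance or app-protection (MAM) requirement. And because a "block" grant is easy to get wrong (an overly broad user scope can lock out administrators), leaving the policy in report-only mode for a few days and reviewing the sign-in logs before enabling it is the safer rollout.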

After enabling the conditional access policy (and MF for Skype for Business), the user received the Modern Authentication prompt.

After authenticating, the following message is shown to the user.

What happened behind the scenes is the following:

  • The Skype for Business client tries to authenticate to Skype for Business Online.
  • It is redirected to Azure AD, since Modern Authentication is enabled.
  • A credentials prompt is shown to the user.
  • After the correct credentials are entered, the request is either blocked (if a conditional access policy applies), an additional sign-in step is required (if MFA is enabled), or the client continues with the normal sign-in on the Skype for Business server.

Note:
In my case I don’t have a federated domain.
In a federated domain scenario, the client first goes to O365 AD, then to the on-premises ADFS, and then back to Online.

Looking at the Fiddler trace, you see the client connecting to Skype for Business Online.
You can see from the mex service response that Modern Authentication is enabled.

When the client contacts login.microsoftonline.com and access is blocked, the HTML page shown in the screenshot above is returned.

In a scenario where Modern Authentication is enabled and no conditional access rules are in place, the client is instead redirected to login.windows.com, where it obtains the token and then authenticates to Skype for Business Online.

In the example above, I created a rule for Skype for Business, but the same mechanism can be enabled for other applications such as Microsoft Teams, Office 365 Yammer, Exchange Online, etc.

Conditional access can also be used to restrict access from a specific network or to enforce multi-factor authentication.

It is a workable solution for scenarios where access to a specific service needs to be restricted.
