1.3 Ensure modern authentication for Skype for Business Online is enabled

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

Information

Modern authentication in Microsoft 365 enables authentication features like multifactor authentication (MFA) using smart cards, certificate-based authentication (CBA), and third-party SAML identity providers. When you enable modern authentication in Skype for Business, the Skype for Business client uses modern authentication to log in to Skype for Business Online.

NOTE: Skype for Business is deprecated as of July 31, 2021, although these settings may still be valid for a period of time. See the link in the reference for more information.

Rationale:

Strong authentication controls, such as the use of multifactor authentication, may be circumvented if basic authentication is used by Skype for Business Online clients. Enabling modern authentication for Skype for Business Online ensures strong authentication mechanisms are used when establishing sessions between clients and Skype for Business Online.

Impact:

Implementation of modern authentication for Skype for Business Online will require users to authenticate to Skype for Business Online using modern authentication. This may cause a minor impact to typical user behavior.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To enable modern authentication, use the Skype for Business Online PowerShell Module:

Connect to Skype for Business Online using the following PowerShell commands:

Import-Module MicrosoftTeams
Connect-MicrosoftTeams
$sfbSession = New-CsOnlineSession
Import-PSSession $sfbSession

Run the following PowerShell command to enable modern authentication:

Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed
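
Because Nessus does not perform this check, the setting has to be confirmed by hand. The following is an added example, not part of the benchmark or the original page: it reads the current value, applies the change only when needed, and re-reads the value to confirm it. The function name Set-SfbModernAuth is hypothetical, and the script assumes the session from the connection steps above is already imported and that Get-CsOAuthConfiguration (the read counterpart of the Set cmdlet) is available in it.

```powershell
# Added example: audit-then-remediate wrapper (hypothetical helper name).
# Assumes the Skype for Business Online session from the steps above
# has already been imported into the current PowerShell session.
function Set-SfbModernAuth {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    # Read the tenant's current OAuth setting before touching anything.
    $before = (Get-CsOAuthConfiguration).ClientAdalAuthOverride

    $changed = $false
    if ("$before" -ne 'Allowed') {
        # ShouldProcess returns $false under -WhatIf, so -WhatIf is audit-only.
        if ($PSCmdlet.ShouldProcess('CsOAuthConfiguration',
                'Set ClientAdalAuthOverride to Allowed')) {
            Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed
            $changed = $true
        }
    }

    # Re-read the value instead of trusting that the Set call succeeded.
    $after = (Get-CsOAuthConfiguration).ClientAdalAuthOverride

    # Emit a record suitable for pasting into audit evidence.
    [pscustomobject]@{
        Before    = "$before"
        After     = "$after"
        Changed   = $changed
        Compliant = ("$after" -eq 'Allowed')
    }
}

# Audit only: reports the current state without changing it.
Set-SfbModernAuth -WhatIf

# Remediate: uncomment to apply the setting when it is not already Allowed.
# Set-SfbModernAuth
```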

See Also

https://workbench.cisecurity.org/files/3729