AAD gives client access token to SfB client.SfB on-premises validates the user and redirects user to online.If the user’s SfB account is online, then after step 8, the authentication flow will continue like this: Note that in an SfB hybrid configuration, all DNS records resolve to on-premises, therefore the authentication flow will always start there.
In this scenario the user’s SfB and Exchange applications are on-premises and the user’s sip domain is Federated. Let’s take a look at a common sign on scenario for hybrid SfB. To understand what is needed for HMA to work, it’s helpful to understand the authentication flow. Overview of Authentication Flow with Skype for Business To learn more details on HMA, please take a pause and read Deep Dive: How Hybrid Authentication Really Works.
This sets the foundation for you to leverage AAD security capabilities like two-factor authentication, or Intune Modern Application Management policies. Why would you want HMA? To enable SfB clients to obtain Access and Refresh Oauth tokens from AAD that SfB on-premises servers will accept and allow access. To use HMA with your SfB on-premises, you will need to have on-premises Active Directory federated with Azure Active Directory (AAD). Skype for Business Server (SfB) 20 cumulative update supports Hybrid Modern Authentication (HMA).
