This chapter covers Hybrid Modern Authentication (HMA) in Microsoft 365—a critical technology that enables modern authentication protocols (OAuth 2.0 and OpenID Connect) for hybrid deployments where on-premises Exchange and Skype for Business coexist with Exchange Online and Teams. For the MS-102 exam, HMA is a high-weight topic within Objective 2.2 (Implement and manage authentication and access), appearing in approximately 5-8% of questions. You will be expected to understand the architecture, prerequisites, configuration steps, and troubleshooting of HMA, as well as how it interacts with Azure AD Conditional Access and legacy authentication blocking.
Imagine a large corporate office building with a traditional lock-and-key system (Legacy Auth). Employees must carry physical keys, and if they lose them or need access to a new floor, they must visit security to get a new key cut. This is cumbersome and insecure—keys can be copied or stolen. Now, the company upgrades to a keyless entry system (Modern Auth). Each employee gets a smartphone with an app that generates a one-time code (token) valid for a short time. To enter, they tap their phone on a reader, which checks with a central authentication server that verifies the employee's identity, the phone's trust status, and the access policy for that door. The server issues a temporary access token to the phone, which is then presented to the door reader. The door reader verifies the token's signature and expiration, and grants access. The keyless system also supports multifactor authentication: the employee might also need to scan their fingerprint on the phone. This system is more secure because tokens are short-lived, cannot be easily copied, and support granular access policies. In a hybrid environment, some doors are still old-style (on-premises apps using legacy auth), while others are new (cloud apps using modern auth). The challenge is to have a single identity system that works for both—like a universal key fob that works with both old locks (via an adapter) and new readers. This analogy directly mirrors Hybrid Modern Authentication: modern auth uses tokens (like the one-time codes), supports conditional access policies (like time-of-day restrictions), and requires a federation service (like the central auth server) to bridge on-prem and cloud directories.
What is Hybrid Modern Authentication and Why Does It Exist?
Hybrid Modern Authentication (HMA) is a configuration that allows on-premises Microsoft servers (Exchange Server 2013/2016/2019 and Skype for Business Server 2015/2019) to use modern authentication protocols—specifically OAuth 2.0 and OpenID Connect—for client access, rather than legacy protocols (Basic Auth, NTLM, Kerberos). In a pure cloud environment, Exchange Online and Teams already use modern auth. But in hybrid deployments where some mailboxes remain on-premises, clients like Outlook, Outlook on the web (OWA), and Skype for Business clients need to authenticate against both on-premises and cloud resources. Without HMA, these clients would fall back to legacy protocols, which are less secure and do not support features like Azure AD Conditional Access, Multi-Factor Authentication (MFA), or modern token-based authentication.
HMA bridges this gap by enabling on-premises servers to issue and accept OAuth tokens issued by Azure AD. This means that even when the client is connecting to an on-premises server, the authentication is handled via Azure AD, and the on-premises server trusts the token. This allows organizations to enforce the same authentication policies (e.g., MFA, device compliance) for both on-premises and cloud resources.
How HMA Works Internally – Step Through the Mechanism
The core mechanism of HMA relies on the OAuth 2.0 authorization code flow, with Azure AD as the identity provider (IdP) and the on-premises Exchange or Skype for Business server acting as a resource server that trusts tokens issued by Azure AD. Here is the step-by-step flow for an Outlook client connecting to an on-premises mailbox:
Client Discovery: Outlook contacts Autodiscover (on-premises) and learns that the mailbox is on Exchange Server 2013 CU19 or later. The Autodiscover response includes a new element, OAuthUrl, pointing to the Azure AD authorization endpoint (e.g., https://login.microsoftonline.com/common/oauth2/authorize).
Client Requests Token: Outlook redirects the user to the Azure AD login page. The user authenticates (possibly with MFA). Azure AD issues an authorization code, which the client exchanges for an access token (JWT). The token includes claims such as aud (audience = the on-premises server's resource ID), iss (Azure AD), and upn (user principal name).
Client Presents Token to On-Premises Server: Outlook sends the access token to the on-premises Exchange server (e.g., via MAPI/HTTP). The server receives the token and must validate it.
On-Premises Server Validates Token: The Exchange server does not validate the token itself; it calls Azure AD to validate the token. Specifically, it uses the On-Behalf-Of flow (OBO) to exchange the client's token for a token with the https://outlook.office365.com audience (the Exchange Online resource). This step ensures the token is valid and allows the on-premises server to access Exchange Online on behalf of the user (e.g., for cross-premises mailbox access).
Token Validation Details: The on-premises server checks the token's signature using Azure AD's public keys (fetched from https://login.microsoftonline.com/common/discovery/keys). It verifies the aud claim matches its own resource ID, the iss claim is Azure AD, and the token has not expired (default 1 hour). It also checks the appid claim to ensure the client application (e.g., Microsoft Office) is authorized.
Access Granted: If validation succeeds, the server grants access to the mailbox. The entire session uses modern auth; no password is sent to the on-premises server.
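The checks in the token-validation steps above (signature against the issuer's published key, then aud, iss, exp and appid), written out as an added example. This is not code from the chapter and not how Exchange implements HMA internally; it is only meant to make the order and meaning of the checks concrete. Assumptions: a throwaway RSA key generated in the script stands in for the Azure AD signing key that a real resource server fetches from the discovery/keys endpoint; the issuer URL and the appid values are placeholders; New-TestToken, Test-BearerToken and Copy-WithClaim are names chosen for this example.

```powershell
# Added example: resource-server side validation of an RS256 bearer token.
# Not Exchange code; the issuer key, issuer URL and appid values are stand-ins.

$Utf8   = [System.Text.Encoding]::UTF8
$Sha256 = [System.Security.Cryptography.HashAlgorithmName]::SHA256
$Pkcs1  = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1

function ConvertTo-Base64Url([byte[]]$Bytes) {
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function ConvertFrom-Base64Url([string]$Text) {
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    return ,[Convert]::FromBase64String($s)   # leading comma keeps the byte[] intact
}

# Mints a JWT the way an issuer would; used only to build the sample tokens below.
function New-TestToken {
    param([hashtable]$Claims, [System.Security.Cryptography.RSA]$Key)
    $header  = ConvertTo-Base64Url ($Utf8.GetBytes('{"alg":"RS256","typ":"JWT"}'))
    $payload = ConvertTo-Base64Url ($Utf8.GetBytes(($Claims | ConvertTo-Json -Compress)))
    $signingInput = $Utf8.GetBytes("$header.$payload")
    $signature    = $Key.SignData($signingInput, $Sha256, $Pkcs1)
    "$header.$payload.$(ConvertTo-Base64Url $signature)"
}

# The resource-server side: returns 'accept: <upn>' or 'reject: <reason>'.
function Test-BearerToken {
    param(
        [string]$Token,
        [System.Security.Cryptography.RSA]$IssuerKey,   # the issuer's public key
        [string]$ExpectedAudience,                      # this server's resource ID
        [string]$ExpectedIssuer,
        [string[]]$AllowedAppIds
    )
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { return 'reject: malformed token' }

    # Signature first: nothing in the payload is trusted until this passes.
    $signingInput = $Utf8.GetBytes("$($parts[0]).$($parts[1])")
    $signature    = ConvertFrom-Base64Url $parts[2]
    if (-not $IssuerKey.VerifyData($signingInput, $signature, $Sha256, $Pkcs1)) {
        return 'reject: signature does not verify against issuer key'
    }

    $claims = $Utf8.GetString((ConvertFrom-Base64Url $parts[1])) | ConvertFrom-Json
    $now    = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
    if ($claims.aud -ne $ExpectedAudience)         { return "reject: audience '$($claims.aud)' is not this server" }
    if ($claims.iss -ne $ExpectedIssuer)           { return "reject: issuer '$($claims.iss)' is not trusted" }
    if ([int64]$claims.exp -le $now)               { return 'reject: token expired' }
    if ($AllowedAppIds -notcontains $claims.appid) { return "reject: client app '$($claims.appid)' not authorized" }
    return "accept: $($claims.upn)"
}

function Copy-WithClaim([hashtable]$Claims, [string]$Name, $Value) {
    $c = $Claims.Clone(); $c[$Name] = $Value; $c
}

# --- Constructed sample run -------------------------------------------------
$issuerKey   = New-Object System.Security.Cryptography.RSACryptoServiceProvider 2048  # stands in for Azure AD's key
$rogueKey    = New-Object System.Security.Cryptography.RSACryptoServiceProvider 2048  # a key the server never trusted
$issuer      = 'https://sts.windows.net/<tenant-id-placeholder>/'                     # placeholder issuer
$officeAppId = '<office-client-appid-placeholder>'                                    # placeholder appid
$now         = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()

$good = @{
    aud   = 'https://outlook.office365.com'   # the on-premises resource ID given in the chapter
    iss   = $issuer
    upn   = 'user@contoso.com'
    appid = $officeAppId
    exp   = $now + 3600                       # 1-hour access token lifetime
}

$cases = [ordered]@{
    'valid token'        = New-TestToken $good $issuerKey
    'expired token'      = New-TestToken (Copy-WithClaim $good 'exp' ($now - 60)) $issuerKey
    'wrong audience'     = New-TestToken (Copy-WithClaim $good 'aud' 'https://graph.microsoft.com') $issuerKey
    'unauthorized app'   = New-TestToken (Copy-WithClaim $good 'appid' '<other-appid-placeholder>') $issuerKey
    'forged (rogue key)' = New-TestToken $good $rogueKey
}

foreach ($name in $cases.Keys) {
    $verdict = Test-BearerToken -Token $cases[$name] -IssuerKey $issuerKey `
        -ExpectedAudience 'https://outlook.office365.com' -ExpectedIssuer $issuer -AllowedAppIds @($officeAppId)
    '{0,-20} {1}' -f $name, $verdict
}
```

Only the first case is accepted; the other four are rejected for the reason named in the verdict string. The order matters: the signature check runs before any claim is read, so a token forged with a key the server does not trust is rejected without its claims ever being consulted.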
Key Components, Values, Defaults, and Timers
Prerequisites for Exchange HMA:
Exchange Server 2013 CU19 or later (2016 CU3+, 2019 CU1+).
Skype for Business Server 2015 CU5 or later (2019 CU1+).
Hybrid deployment configured with Azure AD Connect (synchronized identities).
OAuth configuration between on-premises and Azure AD (using the Configure-EnterpriseApplication.ps1 script).
The on-premises servers must have internet access to Azure AD endpoints.
Authentication Endpoints:
- Azure AD Authorize: https://login.microsoftonline.com/common/oauth2/authorize
- Azure AD Token: https://login.microsoftonline.com/common/oauth2/token
- Azure AD Keys: https://login.microsoftonline.com/common/discovery/keys
Token Lifetime: Default access token lifetime is 1 hour. Refresh tokens are valid for 90 days of inactivity, extendable with continuous usage.
Resource IDs:
Exchange on-premises: https://outlook.office365.com (same as Exchange Online; this is intentional for token exchange).
Skype for Business on-premises: https://webdir.online.lync.com/ (or similar).
Configuration Commands:
For Exchange: Run the Configure-EnterpriseApplication.ps1 script provided by Microsoft. This script registers the on-premises Exchange server as a service principal in Azure AD and creates the necessary OAuth configuration objects in Exchange.
For Skype for Business: Use the Set-CsOAuthConfiguration and New-CsOAuthServer cmdlets.
Verification Commands
Exchange: Get-AuthServer – lists auth servers (should include MicrosoftACS and AzureAD). Get-AuthConfig – shows current OAuth configuration. Get-OrganizationConfig | fl OAuth* – checks if OAuth is enabled.
Skype for Business: Get-CsOAuthConfiguration – shows OAuth settings. Get-CsOAuthServer – lists OAuth servers.
Client: In Outlook, hold Ctrl and right-click the Outlook icon in the notification area, select Connection Status. The Auth type column should display Bearer for modern auth connections.
Interaction with Related Technologies
Azure AD Conditional Access: HMA enables Conditional Access policies to apply to on-premises resources. For example, you can require MFA for all access to Exchange on-premises. The policy is evaluated during step 2 (token issuance). If the policy requires a compliant device, the token will only be issued if the device is compliant (e.g., Intune enrolled).
Legacy Authentication Blocking: Organizations can block legacy authentication at the Azure AD tenant level (e.g., via Conditional Access policy: block all clients not using modern auth). HMA ensures that on-premises clients can still connect because they use modern auth. Without HMA, blocking legacy auth would break on-premises client access.
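The tenant-level Conditional Access policy described above, built with the Microsoft Graph PowerShell SDK, as an added example that is not code from this chapter or from Microsoft. It creates the policy in report-only state first so sign-in logs can be reviewed for clients that would be cut off before enforcement. Assumptions: the Microsoft.Graph modules are installed, the signed-in admin can consent to the Policy.ReadWrite.ConditionalAccess scope, and the excluded emergency-access account object id is a placeholder.

```powershell
# Added example: block legacy authentication tenant-wide, report-only first.
# Not the chapter's code; the excluded account object id is a placeholder.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'

$policyName = 'Block legacy authentication (report-only)'

$policy = @{
    displayName = $policyName
    # Report-only: evaluated and logged, not enforced. Change to 'enabled' after
    # confirming that only expected clients (e.g. stale ActiveSync devices) match.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeUsers = @('All')
            excludeUsers = @('<emergency-access-account-object-id>')   # placeholder
        }
        applications = @{ includeApplications = @('All') }
        # Legacy (non-modern-auth) protocols appear under these two client app types;
        # modern-auth clients, including HMA-enabled on-premises clients, do not match.
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back to confirm state and client app types before moving on.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State, @{ n = 'ClientAppTypes'; e = { $_.Conditions.ClientAppTypes -join ',' } }
```

Because HMA-enabled Outlook and Skype for Business clients present Bearer tokens, they fall outside the `exchangeActiveSync` and `other` client app types and keep working once the policy is switched to `enabled`; the same policy against a hybrid environment without HMA would block on-premises client access, which is the dependency the paragraph above describes.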
Exchange Hybrid: HMA is a prerequisite for features like the new Exchange admin center (EAC) in hybrid, and for cross-premises mailbox access with modern auth.
Skype for Business Hybrid: HMA is required for Teams coexistence and migration. It allows clients to authenticate against both on-premises Skype and Teams using the same token.
Common Pitfalls and Troubleshooting
Certificate Issues: The OAuth configuration requires a certificate for token signing. If the certificate expires, authentication fails. Check the certificate in Get-AuthConfig and renew it using Set-AuthConfig -CertificateThumbprint <newthumb>.
Autodiscover Not Returning OAuthUrl: Ensure the on-premises Exchange server has the latest CU. Use Test-OAuthConnectivity to test the OAuth flow.
Token Validation Errors: Check that the on-premises server can reach Azure AD endpoints. Firewall rules must allow outbound HTTPS to login.microsoftonline.com and outlook.office365.com.
Skype for Business HMA: Set-CsOAuthConfiguration must have ClientAuthorizationEnabled set to $true. Also, the internal and external web service URLs must be correctly configured.
Summary of Mechanism
HMA essentially extends the Azure AD trust to on-premises servers. The on-premises server acts as a resource server that trusts Azure AD tokens. The client obtains a token from Azure AD and presents it to the on-premises server, which validates it via Azure AD's token exchange (OBO). This allows the same token to be used for both on-premises and cloud resources, enabling unified authentication policies.
Verify Prerequisites
Before enabling HMA, ensure all prerequisites are met. For Exchange, the server must be running at least Exchange 2013 CU19, Exchange 2016 CU3, or Exchange 2019 CU1. For Skype for Business, version 2015 CU5 or 2019 CU1 is required. Azure AD Connect must be configured to synchronize identities. The hybrid deployment must be established (e.g., using the Hybrid Configuration Wizard). Additionally, the on-premises servers must have outbound internet connectivity to Azure AD endpoints (`login.microsoftonline.com`, `outlook.office365.com`). Verify that the on-premises Exchange server's Autodiscover service is accessible and returns the correct URLs. Use `Get-AuthServer` to check if any auth servers already exist. If `MicrosoftACS` is present, it may need to be removed or updated.
Configure OAuth in Azure AD
This step registers the on-premises Exchange or Skype for Business server as a service principal in Azure AD. For Exchange, download and run the `Configure-EnterpriseApplication.ps1` script from Microsoft (available in the Exchange installation directory or via Microsoft download). The script creates an application in Azure AD with the identifier URI `https://outlook.office365.com` for Exchange, or `https://webdir.online.lync.com/` for Skype for Business. It also creates a service principal and grants necessary permissions (e.g., `user_impersonation`). The script outputs a configuration XML that must be imported on the on-premises server. For Skype for Business, use the `Set-CsOAuthConfiguration` cmdlet to enable OAuth and specify the Azure AD tenant ID.
Import OAuth Configuration On-Premises
For Exchange, after running the script, you receive an XML file containing the OAuth configuration. On the Exchange server, run `Import-AuthConfig -FileName <path>.xml` to import the configuration. This creates or updates the auth server object in Exchange. Verify with `Get-AuthServer` – you should see a new server named `AzureAD` (or similar). For Skype for Business, no import is needed; the configuration is applied via `Set-CsOAuthConfiguration`. However, you may need to create an OAuth server object using `New-CsOAuthServer` if it does not exist. Ensure that the `Realm` parameter matches your Azure AD tenant ID.
Enable HMA for Virtual Directories
For Exchange, HMA must be enabled on the virtual directories that clients use. Run `Set-<VirtualDirectory> -OAuthAuthentication $true` for each relevant directory: `OWA`, `ECP`, `MAPI`, `ActiveSync`, `OutlookAnywhere`, `Autodiscover`, `PowerShell`, `WebServices`. For example: `Set-MapiVirtualDirectory -Identity 'Server\mapi (Default Web Site)' -OAuthAuthentication $true`. For Skype for Business, enable OAuth on the web services by running `Set-CsWebServiceConfiguration -OAuthAuthentication $true`. Also, ensure that the internal and external URLs for web services are correctly configured and resolvable.
Test and Verify HMA Functionality
After configuration, test HMA from a client perspective. On an Outlook client (2013 SP1 or later), hold Ctrl and right-click the Outlook icon, select Connection Status. The Auth type column should display `Bearer` for connections to on-premises mailboxes. Alternatively, use `Test-OAuthConnectivity` in Exchange Management Shell: `Test-OAuthConnectivity -Service EWS -TargetUri https://mail.contoso.com/ews/exchange.asmx -Mailbox user@contoso.com`. This cmdlet simulates the OAuth flow. For Skype for Business, use `Test-CsOAuthConfiguration` or `Get-CsClientAccessConfiguration` to verify. Also, test that MFA and Conditional Access policies apply correctly. For example, if a Conditional Access policy requires MFA, the user should be prompted for MFA when accessing on-premises resources.
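The virtual-directory and verification steps above, gathered into one Exchange Management Shell script, as an added example that is not Microsoft's script and not code from this chapter. It audits the OAuth state of a server's client-facing virtual directories and, only with -Apply, turns OAuth on, then runs the verification cmdlets the chapter names. Assumptions: it runs in Exchange Management Shell; EWS, OAB and Autodiscover are covered through their -OAuthAuthentication parameter and MAPI/HTTP through -IISAuthenticationMethods, which is how those cmdlets expose OAuth, while the other directories listed above are left for you to add after checking Get-Help for the parameter on your CU; the server name, EWS URL and mailbox are placeholders; Enable-HmaVirtualDirectoryOAuth is a name chosen here.

```powershell
# Added example: audit (and optionally enable) OAuth on one Exchange server's
# virtual directories, then verify. Not Microsoft's script; values are placeholders.

function Enable-HmaVirtualDirectoryOAuth {
    param(
        [Parameter(Mandatory)][string]$Server,
        [switch]$Apply   # without -Apply the function only reports current state
    )
    $results = @()

    # Directories whose Set-* cmdlet takes -OAuthAuthentication. Confirm with
    # "Get-Help Set-<Name>VirtualDirectory -Parameter OAuthAuthentication" on your
    # CU before adding other directories from the chapter's list.
    $oauthSwitchDirs = @(
        @{ Name = 'EWS';          Get = 'Get-WebServicesVirtualDirectory';  Set = 'Set-WebServicesVirtualDirectory' },
        @{ Name = 'OAB';          Get = 'Get-OabVirtualDirectory';          Set = 'Set-OabVirtualDirectory' },
        @{ Name = 'Autodiscover'; Get = 'Get-AutodiscoverVirtualDirectory'; Set = 'Set-AutodiscoverVirtualDirectory' }
    )
    foreach ($d in $oauthSwitchDirs) {
        $getCmd = $d['Get']; $setCmd = $d['Set']
        foreach ($vdir in (& $getCmd -Server $Server)) {
            $enabled = [bool]$vdir.OAuthAuthentication
            if (-not $enabled -and $Apply) {
                & $setCmd -Identity $vdir.Identity -OAuthAuthentication $true
                $enabled = $true
            }
            $results += [pscustomobject]@{ Directory = $d['Name']; Identity = $vdir.Identity; OAuth = $enabled }
        }
    }

    # MAPI/HTTP exposes OAuth as one of its IIS authentication methods instead.
    foreach ($mapi in (Get-MapiVirtualDirectory -Server $Server)) {
        $methods = @($mapi.IISAuthenticationMethods | ForEach-Object { "$_" })
        $enabled = $methods -contains 'OAuth'
        if (-not $enabled -and $Apply) {
            # Keep the existing methods (e.g. Ntlm, Negotiate) and add OAuth.
            Set-MapiVirtualDirectory -Identity $mapi.Identity -IISAuthenticationMethods ($methods + 'OAuth')
            $enabled = $true
        }
        $results += [pscustomobject]@{ Directory = 'MAPI'; Identity = $mapi.Identity; OAuth = $enabled }
    }
    $results
}

# 1. Report first; any row with OAuth = False is a client path still limited to legacy auth.
Enable-HmaVirtualDirectoryOAuth -Server 'EX01' | Format-Table -AutoSize        # 'EX01' is a placeholder

# 2. Apply, then re-report.
Enable-HmaVirtualDirectoryOAuth -Server 'EX01' -Apply | Format-Table -AutoSize

# 3. Verification cmdlets from the chapter (URL and mailbox are placeholders).
Get-AuthServer | Format-Table Name, Enabled
Get-OrganizationConfig | Format-List OAuth*
Test-OAuthConnectivity -Service EWS -TargetUri 'https://mail.contoso.com/ews/exchange.asmx' -Mailbox 'user@contoso.com'
```

Run the report form against every client-facing server rather than one, since a single server with OAuth left off on a directory will produce the intermittent Bearer failures described in the scenarios that follow. The final Outlook-side check (Connection Status showing Bearer) remains the confirmation that clients actually took the modern-auth path.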
Scenario 1: Large Enterprise with Exchange 2016 Hybrid
A multinational company with 50,000 mailboxes runs Exchange 2016 CU12 on-premises alongside Exchange Online. They have enabled HMA to enforce MFA for all mailbox access, including on-premises. The configuration was done using the Configure-EnterpriseApplication.ps1 script. The team faced an issue where Outlook clients intermittently failed to connect with 'Bearer' auth type. Investigation revealed that the Autodiscover response was not including the OAuthUrl element because the Exchange server's CU was outdated (CU10). After upgrading to CU12 and reapplying the OAuth configuration, the issue resolved. Performance considerations: HMA adds latency because the client must obtain a token from Azure AD before connecting. For users far from Azure AD datacenters, this can add 1-2 seconds to initial connection. Caching of tokens (1-hour lifetime) mitigates this for subsequent requests. The team also implemented Conditional Access policies to block legacy authentication, which reduced password spray attacks by 90%.
Scenario 2: Skype for Business to Teams Migration
A mid-size company with 10,000 users is migrating from Skype for Business Online to Teams. They have a hybrid deployment with Skype for Business Server 2019 on-premises. HMA is required for coexistence. The configuration involved running Set-CsOAuthConfiguration with the Azure AD tenant ID. A common misconfiguration: the ClientAuthorizationEnabled parameter was left at $false, causing clients to fail authentication. After setting it to $true and restarting the Skype for Business services, clients connected successfully. The team also had to ensure that the internal and external web service URLs were set to FQDNs that matched the certificate's subject alternative names (SANs). During the migration, they used HMA to allow users to sign in to both Skype for Business and Teams with the same credentials, and applied a Conditional Access policy to require MFA for both.
Scenario 3: Government Agency with High Security Requirements
A government agency with 5,000 mailboxes uses Exchange 2019 on-premises and Exchange Online in a hybrid configuration. They require strict access controls, including device compliance (Intune) and location-based policies. HMA enables these policies to apply to on-premises mailboxes. The challenge was that some users were still using Outlook 2013 (which supports modern auth but not all Conditional Access features). The agency had to upgrade to Outlook 2016 or later to support device compliance claims. They also discovered that HMA does not work with Exchange 2010; they had to upgrade all servers to 2013 CU19+ or 2016/2019. The agency uses Azure AD Application Proxy for remote access to OWA, which integrates with HMA. Misconfiguration: the OAuth certificate expired after two years, causing a service outage. They now monitor certificate expiration and use a script to renew it automatically.
What MS-102 Tests on Hybrid Modern Authentication
The MS-102 exam covers HMA under Objective 2.2 (Implement and manage authentication and access). Specifically, you need to know:
The prerequisites for HMA (Exchange/Skype versions, Azure AD Connect, hybrid deployment).
The configuration steps (running Configure-EnterpriseApplication.ps1, enabling OAuth on virtual directories).
How HMA enables modern auth for on-premises resources.
The relationship between HMA and Conditional Access / legacy authentication blocking.
Troubleshooting common issues (certificate expiry, token validation failures).
Common Wrong Answers and Why Candidates Choose Them
1. Wrong: HMA requires Azure AD P1 or P2. *Why chosen:* Candidates confuse HMA with features like Conditional Access that do require P1. Reality: HMA itself does not require an Azure AD premium license; it works with Azure AD Free. However, to use Conditional Access policies with HMA, you need Azure AD P1.
2. Wrong: HMA replaces the need for Azure AD Connect. *Why chosen:* Because HMA uses Azure AD tokens, some think synchronization is unnecessary. Reality: Azure AD Connect is a prerequisite; identities must be synchronized for Azure AD to issue tokens.
3. Wrong: HMA works with Exchange 2010. *Why chosen:* Because Exchange 2010 can be part of a hybrid deployment. Reality: HMA is only supported on Exchange 2013 CU19+, 2016 CU3+, 2019 CU1+. Exchange 2010 cannot use modern auth.
4. Wrong: After enabling HMA, the on-premises server validates the token directly. *Why chosen:* It seems logical that the server would validate the token itself. Reality: The on-premises server uses the On-Behalf-Of flow to have Azure AD validate the token.
Specific Numbers, Values, and Terms That Appear on the Exam
Exchange 2013 minimum CU: CU19
Exchange 2016 minimum CU: CU3
Exchange 2019 minimum CU: CU1
Skype for Business 2015 minimum CU: CU5
Skype for Business 2019 minimum CU: CU1
Token lifetime: 1 hour (access token)
The cmdlet to test OAuth connectivity: Test-OAuthConnectivity
The script to configure enterprise application: Configure-EnterpriseApplication.ps1
The parameter to enable OAuth on a virtual directory: -OAuthAuthentication $true
Edge Cases and Exceptions the Exam Loves to Test
HMA and Outlook 2013: Outlook 2013 supports modern auth but not all Conditional Access claims (e.g., device compliance). The exam may test that Outlook 2016 or later is recommended for full functionality.
HMA with ActiveSync: ActiveSync clients (iOS, Android) also benefit from HMA. The exam may ask which virtual directories need OAuth enabled (include ActiveSync).
HMA and Skype for Business: The Set-CsOAuthConfiguration cmdlet has a parameter ClientAuthorizationEnabled. If this is set to $false, HMA does not work.
Certificate renewal: If the OAuth certificate expires, authentication fails. The exam may ask how to renew it (use Set-AuthConfig -CertificateThumbprint <newthumb>).
How to Eliminate Wrong Answers Using the Underlying Mechanism
Understand that HMA is about token trust. If an answer suggests that the on-premises server does not need to communicate with Azure AD, it is wrong because token validation requires Azure AD. If an answer implies that HMA works without synchronization, it is wrong because Azure AD needs the user object. If an answer says HMA requires premium licenses, it is wrong because the base feature is free (though Conditional Access integration requires P1). By focusing on the mechanism (client gets token from Azure AD, server validates via Azure AD), you can eliminate answers that break this flow.
HMA enables modern authentication (OAuth 2.0) for on-premises Exchange and Skype for Business servers in hybrid deployments.
Prerequisites include Exchange 2013 CU19+, 2016 CU3+, or 2019 CU1+; Skype for Business 2015 CU5+ or 2019 CU1+; Azure AD Connect; and a hybrid deployment.
Configuration involves running Configure-EnterpriseApplication.ps1 for Exchange, or Set-CsOAuthConfiguration for Skype for Business, then enabling OAuth on virtual directories.
The on-premises server validates tokens via the OAuth 2.0 On-Behalf-Of flow, not directly.
HMA does not require Azure AD Premium licenses, but Conditional Access integration does.
Common issues include certificate expiry, outdated CUs, and missing OAuthUrl in Autodiscover.
Test HMA using Test-OAuthConnectivity (Exchange) or Test-CsOAuthConfiguration (Skype for Business).
HMA is required for features like the new Exchange admin center and Teams coexistence.
These come up on the exam all the time. Here's how to tell them apart.
Hybrid Modern Authentication (HMA)
Uses OAuth 2.0 tokens issued by Azure AD.
Supports MFA, Conditional Access, and device compliance.
Requires specific server versions (Exchange 2013 CU19+).
Token lifetime is 1 hour; refresh tokens extend sessions.
No password transmitted to on-premises server; token is bearer.
Legacy Authentication (Basic Auth/NTLM)
Uses username/password (Basic) or NTLM hash/Kerberos ticket.
Does not support MFA or Conditional Access natively.
Works with all Exchange versions (including 2010).
Session tied to password lifetime; no token refresh mechanism.
Password sent in cleartext (Basic) or hashed (NTLM); vulnerable to replay.
Mistake
Hybrid Modern Authentication requires Azure AD Premium P1 or P2 licenses.
Correct
HMA itself does not require any Azure AD premium license; it works with Azure AD Free. However, to enforce Conditional Access policies (e.g., MFA, device compliance) on the tokens issued via HMA, you need Azure AD P1. The exam may test that HMA is a configuration, not a licensed feature.
Mistake
After enabling HMA, the on-premises Exchange server validates the OAuth token directly using its own keys.
Correct
The on-premises server does not validate the token directly. Instead, it uses the OAuth 2.0 On-Behalf-Of flow to exchange the client's token for a token with the Exchange Online audience, which is then validated by Azure AD. The on-premises server trusts the exchanged token because it is issued by Azure AD.
Mistake
HMA is only for Exchange Online and does not apply to Skype for Business or Teams.
Correct
HMA is also supported for Skype for Business Server (2015 CU5+, 2019 CU1+) and is essential for hybrid deployments with Teams. It allows Skype for Business clients to authenticate using modern auth and enables coexistence with Teams.
Mistake
Enabling HMA automatically blocks legacy authentication on the on-premises servers.
Correct
HMA enables modern auth but does not block legacy auth. Clients can still connect using Basic Auth, NTLM, or Kerberos. To block legacy authentication, you must configure Conditional Access policies in Azure AD (e.g., block all clients not using modern auth). HMA ensures that modern auth clients can still connect when legacy auth is blocked.
Mistake
HMA works with Exchange 2010 as long as it is in a hybrid deployment.
Correct
Exchange 2010 does not support HMA. The minimum supported versions are Exchange 2013 CU19, Exchange 2016 CU3, and Exchange 2019 CU1. If you have Exchange 2010 servers, they must be upgraded or migrated to a supported version.
Exchange Server 2013 Cumulative Update 19 (CU19), Exchange 2016 CU3, or Exchange 2019 CU1 are the minimum versions. For Skype for Business, you need Skype for Business Server 2015 CU5 or 2019 CU1. The exam often tests these specific CU numbers, so memorize them. If a question mentions Exchange 2010 or an older CU, HMA is not supported.
No, HMA itself works with Azure AD Free. However, to leverage Conditional Access policies (e.g., requiring MFA or a compliant device) for on-premises resources, you need Azure AD Premium P1 or P2. The exam may ask: 'You want to enforce MFA for on-premises mailboxes. What do you need?' The answer: HMA plus Azure AD P1 for Conditional Access.
The Exchange server does not validate the token directly. Instead, it uses the OAuth 2.0 On-Behalf-Of (OBO) flow. The server presents the client's access token to Azure AD and requests a new token with the audience set to Exchange Online (`https://outlook.office365.com`). Azure AD validates the original token and issues a new token. The Exchange server then uses this new token to access resources. This mechanism ensures that the on-premises server trusts tokens issued by Azure AD.
Yes, but blocking legacy authentication is done via Conditional Access policies in Azure AD, not on the on-premises server. You can create a policy that blocks all clients not using modern auth (e.g., block Exchange ActiveSync clients using Basic Auth). HMA ensures that modern auth clients (Outlook, Outlook for iOS/Android) can still connect. Without HMA, blocking legacy auth would break on-premises client access. The exam may test this interplay.
The `Test-OAuthConnectivity` cmdlet in Exchange Management Shell. Example: `Test-OAuthConnectivity -Service EWS -TargetUri https://mail.contoso.com/ews/exchange.asmx -Mailbox user@contoso.com`. This tests the full OAuth flow. For Skype for Business, use `Test-CsOAuthConfiguration`. The exam may ask which tool to use for troubleshooting HMA.
If the certificate used for OAuth token signing expires, authentication will fail. Clients will receive errors and may fall back to legacy auth (if allowed). To renew, use `Set-AuthConfig -CertificateThumbprint <newthumb>` with a new certificate. You can also use the Exchange admin center to renew the certificate. The exam may test that certificate expiry is a common cause of HMA failure.
Outlook 2013 (with updates) does support modern auth, but it does not support all Conditional Access claims, such as device compliance. For full functionality, Microsoft recommends Outlook 2016 or later. The exam may test that Outlook 2013 can use HMA but may not enforce device-based policies.