Removing or disabling Hybrid Modern Authentication from Skype for Business and Exchange

This article applies to both Microsoft 365 Enterprise and Office 365 Enterprise.

If you've enabled Hybrid Modern Authentication (HMA) only to find it's unsuitable for your current environment, you can disable HMA. This article explains how.

Who is this article for?

If you've enabled Modern Authentication in Skype for Business Online or On-premises, and/or Exchange Online or On-premises and found you need to disable HMA, these steps are for you.

Important

See the 'Skype for Business topologies supported with Modern Authentication' article if you're in Skype for Business Online or On-premises, have a mixed-topology HMA, and need to look at supported topologies before you begin.

How to disable Hybrid Modern Authentication (Exchange)

  1. Exchange On-premises: Open the Exchange Management Shell and run the following commands:

    Set-OrganizationConfig -OAuth2ClientProfileEnabled $false
    Set-AuthServer -Identity evoSTS -IsDefaultAuthorizationEndpoint $false
    
  2. Exchange Online: Connect to Exchange Online PowerShell. Run the following command to disable Modern Authentication:

    Set-OrganizationConfig -OAuth2ClientProfileEnabled:$false
    

How to disable Hybrid Modern Authentication (Skype for Business)

  1. Skype for Business On-premises: Run the following commands in Skype for Business Management Shell:

    Set-CsOAuthConfiguration -ClientAuthorizationOAuthServerIdentity ""
    
  2. Skype for Business Online: Connect to Skype for Business Online PowerShell. Run the following command to disable Modern Authentication:

    Set-CsOAuthConfiguration -ClientAdalAuthOverride Disallowed
    

Link back to the Modern Authentication overview.