How to Remove Hybrid Modern Authentication Presence

Object

Teams users experienced intermittent presence issues after we decommissioned the legacy Skype for Business infrastructure. Everything else worked fine; only user presence was affected.

Environment

  • All external and internal DNS records have already been updated for Office 365 Teams Only.
  • CsHostingProvider has been removed on the Skype for Business Server.
  • SharedSIPAddressSpace has been disabled in CsTenantFederationConfiguration.
  • The Teams upgrade policy is set to “Teams Only” / “UpgradeToTeams” mode globally.

Troubleshoot and solution

Suspecting that some leftover configuration remained, I dug into the old Skype for Business documentation and discovered that “Hybrid Modern Authentication” had been enabled while we were migrating users to the Office 365 cloud. Removing that configuration made the issue go away.

  • Check current hybrid modern authentication configuration

PS C:\WINDOWS\system32> Get-MsolServicePrincipal -AppPrincipalId 00000004-0000-0ff1-ce00-000000000000 | Select -ExpandProperty ServicePrincipalNames
https://lyncweb.ictfella.com/
https://lyncwebint.ictfella.com/
00000004-0000-0ff1-ce00-000000000000/.infra.lync.com
00000004-0000-0ff1-ce00-000000000000/.online.lync.com
00000004-0000-0ff1-ce00-000000000000
https://api.skypeforbusiness.com/

  • Remove the unused records in PowerShell

PS C:\WINDOWS\system32> $x= Get-MsolServicePrincipal -AppPrincipalId 00000004-0000-0ff1-ce00-000000000000
PS C:\WINDOWS\system32> $x

ExtensionData : System.Runtime.Serialization.ExtensionDataObject
AccountEnabled : True
Addresses : {Microsoft.Online.Administration.RedirectUri, Microsoft.Online.Administration.RedirectUri, Microsoft.Online.Administration.RedirectUri, Microsoft.Online.Administration.RedirectUri}
AppPrincipalId : 00000004-0000-0ff1-ce00-000000000000
DisplayName : Skype for Business Online
ObjectId : 597f4b0d-d310-4959-911b-62d3f583a5c6
ServicePrincipalNames : {https://lyncweb.ictfella.com/, https://lyncwebint.ictfella.com/, 00000004-0000-0ff1-ce00-000000000000/.infra.lync.com, 00000004-0000-0ff1-ce00-000000000000/.online.lync.com…}
TrustedForDelegation : True

PS C:\WINDOWS\system32> $x.ServicePrincipalnames.Remove("https://lyncwebint.ictfella.com/")
True
PS C:\WINDOWS\system32> $x

ExtensionData : System.Runtime.Serialization.ExtensionDataObject
AccountEnabled : True
Addresses : {Microsoft.Online.Administration.RedirectUri, Microsoft.Online.Administration.RedirectUri, Microsoft.Online.Administration.RedirectUri, Microsoft.Online.Administration.RedirectUri}
AppPrincipalId : 00000004-0000-0ff1-ce00-000000000000
DisplayName : Skype for Business Online
ObjectId : 597f4b0d-d310-4959-911b-62d3f583a5c6
ServicePrincipalNames : {00000004-0000-0ff1-ce00-000000000000/.infra.lync.com, 00000004-0000-0ff1-ce00-000000000000/.online.lync.com, 00000004-0000-0ff1-ce00-000000000000, https://api.skypeforbusiness.com/}
TrustedForDelegation : True

PS C:\WINDOWS\system32> $x.ServicePrincipalnames.Remove("https://lyncweb.ictfella.com/")
True
PS C:\WINDOWS\system32> $x

ExtensionData : System.Runtime.Serialization.ExtensionDataObject
AccountEnabled : True
Addresses : {Microsoft.Online.Administration.RedirectUri, Microsoft.Online.Administration.RedirectUri, Microsoft.Online.Administration.RedirectUri, Microsoft.Online.Administration.RedirectUri}
AppPrincipalId : 00000004-0000-0ff1-ce00-000000000000
DisplayName : Skype for Business Online
ObjectId : 597f4b0d-d310-4959-911b-62d3f583a5c6
ServicePrincipalNames : {https://lyncwebint.ictfella.com/, 00000004-0000-0ff1-ce00-000000000000/.infra.lync.com, 00000004-0000-0ff1-ce00-000000000000/.online.lync.com, 00000004-0000-0ff1-ce00-000000000000…}
TrustedForDelegation : True

  • Execute the change

PS C:\WINDOWS\system32> Set-MSOLServicePrincipal -AppPrincipalId 00000004-0000-0ff1-ce00-000000000000 -ServicePrincipalNames $x.ServicePrincipalNames

  • View the result after the change

PS C:\WINDOWS\system32> Get-MsolServicePrincipal -AppPrincipalId 00000004-0000-0ff1-ce00-000000000000

ExtensionData : System.Runtime.Serialization.ExtensionDataObject
AccountEnabled : True
Addresses : {Microsoft.Online.Administration.RedirectUri, Microsoft.Online.Administration.RedirectUri, Microsoft.Online.Administration.RedirectUri, Microsoft.Online.Administration.RedirectUri}
AppPrincipalId : 00000004-0000-0ff1-ce00-000000000000
DisplayName : Skype for Business Online
ObjectId : 597f4b0d-d310-4959-911b-62d3f583a5c6
ServicePrincipalNames : {00000004-0000-0ff1-ce00-000000000000/.infra.lync.com, 00000004-0000-0ff1-ce00-000000000000/.online.lync.com, 00000004-0000-0ff1-ce00-000000000000, https://api.skypeforbusiness.com/}
TrustedForDelegation : True
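
The steps above as one script with a dry run, a backup and a read-back check. This is an added example, not the original author's code; the `Split-SpnList` helper, the `-Apply` switch and the backup path are hypothetical names, and it assumes the MSOnline module used on this page with an existing `Connect-MsolService` session.

```powershell
# Added example: audit and remove leftover on-premises SPNs from the
# "Skype for Business Online" service principal, with a backup and a dry run.
# Assumes the MSOnline module is available and Connect-MsolService has been run.
param(
    # On-premises URLs registered for hybrid modern authentication (values from this page)
    [string[]]$StaleUrls = @('https://lyncweb.ictfella.com/', 'https://lyncwebint.ictfella.com/'),
    [string]$AppPrincipalId = '00000004-0000-0ff1-ce00-000000000000',
    [string]$BackupPath = ".\sfb-spn-backup-$(Get-Date -Format yyyyMMdd-HHmmss).txt",  # hypothetical path
    [switch]$Apply   # without -Apply the script only reports what it would change
)

# Pure helper (hypothetical name): split an SPN list into entries to keep and to remove.
# Comparison ignores case and a trailing slash, so 'https://host' matches 'https://host/'.
function Split-SpnList {
    param([string[]]$Current, [string[]]$Stale)
    $norm = { param($s) $s.Trim().TrimEnd('/').ToLowerInvariant() }
    $staleSet = @($Stale | ForEach-Object { & $norm $_ })
    [pscustomobject]@{
        Keep   = @($Current | Where-Object { $staleSet -notcontains (& $norm $_) })
        Remove = @($Current | Where-Object { $staleSet -contains    (& $norm $_) })
    }
}

$sp   = Get-MsolServicePrincipal -AppPrincipalId $AppPrincipalId
$plan = Split-SpnList -Current $sp.ServicePrincipalNames -Stale $StaleUrls

if ($plan.Remove.Count -eq 0) { Write-Output 'No stale SPNs found; nothing to do.'; return }
if ($plan.Keep.Count -eq 0)   { throw 'Refusing to write an empty SPN list.' }

Write-Output "Will remove: $($plan.Remove -join ', ')"
Write-Output "Will keep:   $($plan.Keep -join ', ')"

if ($Apply) {
    # Save the original list first so the change can be rolled back with Set-MsolServicePrincipal
    $sp.ServicePrincipalNames | Set-Content -Path $BackupPath
    Set-MsolServicePrincipal -AppPrincipalId $AppPrincipalId -ServicePrincipalNames $plan.Keep

    # Re-read from the directory instead of trusting the local object
    $after = (Get-MsolServicePrincipal -AppPrincipalId $AppPrincipalId).ServicePrincipalNames
    $left  = (Split-SpnList -Current $after -Stale $StaleUrls).Remove
    if ($left.Count -gt 0) { throw "Still present after update: $($left -join ', ')" }
    Write-Output "Done. Backup of the previous list: $BackupPath"
}
```

Run it once without `-Apply` to review the planned change, then again with `-Apply` to write it.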

Screenshot

[Screenshot: How to Remove Hybrid Modern Authentication when Decommissioning Skype for Business]

Useful link

How to configure Skype for Business on-premises to use Hybrid Modern Authentication

https://docs.microsoft.com/en-us/microsoft-365/enterprise/configure-skype-for-business-for-hybrid-modern-authentication?view=o365-worldwide

4 thoughts on “How to Remove Hybrid Modern Authentication Presence”

  1. Hi to all, since I am truly keen of reading this webpage’s post to be updated daily. It consists of nice material.

  2. Hi there! Someone in my Facebook group shared this site with us so I came to take a look. I’m definitely enjoying the information. I’m bookmarking and will be tweeting this to my followers! Exceptional blog and superb design and style.
