Move users in Skype for Business Control Panel with MFA
Scenario:
- Skype for Business Server 2015 (CU6)
- Skype for Business Online, Windows PowerShell Module (Build: 6.0.9276.0)
- Skype for Business Pool configured in Hybrid Mode
- Skype for Business On-Premises administrator account has Multi-Factor Authentication(MFA) in Office 365
Problem:
- When you have this setup, in Skype for Business Server 2015 Control Panel, you try to move users from On-Premises to Online or vice-versa, but you cannot authenticate with your administrative account in Office 365 services.
Error: "Get-CsWebTicket : Failed to logon with given credentials. Make sure correct user name and password provided. "
Currently the Skype for Business Control Panel do not support multi-factor authentication.
Solution:
- Option 1:
- Since Skype for Business Control Panel don't support two-step verification we will need to to set up an "app password" for our Office 365 admin account that has MFA enabled.
- Option 2:
- Remove the MFA from the administrative account.
- Option 3:
- If you enforce Multi-Factor Authentication through Conditional Access policies and not through per-user MFA, you cannot create app passwords. In this case you can create an account in the domain "XXX.onmicrosoft.com" to connect to Office 365.
EXTRA:
- You might face the same problem when trying to move users, using the Skype for Business Powershell, and fails as well because of the MFA, when connecting to Office 365:
- Error: "Move-CsUser : Failed to logon with given credentials. Make sure correct user name and password provided. "
- Error: "Move-CsUser : Failed to logon with given credentials. Make sure correct user name and password provided. "
- Solution: The same as explained in the scenario above.
More Resources:
Move users from Skype for Business Online to on premises
Solution:
- **Option 1:** - Since Skype for Business Control Panel don't support two-step verification we will need to to set up an "app password" for our Office 365 admin account that has MFA enabled. - [What are App Passwords in Azure Multi-Factor Authentication?](https://docs.microsoft.com/en-us/azure/multi-factor-authentication/end-user/multi-factor-authentication-end-user-app-passwords) - [Create an app password for Office 365](https://support.office.com/en-us/article/create-an-app-password-for-office-365-3e7c860f-bda4-4441-a618-b53953ee1183) - **Option 2:** - Remove the MFA from the administrative account. - [Set up multi-factor authentication for Office 365 users](https://support.office.com/en-us/article/Set-up-multi-factor-authentication-for-Office-365-users-8f0454b2-f51a-4d9c-bcde-2c48e41621c6) - **Option 3:** - If you enforce Multi-Factor Authentication through Conditional Access policies and not through per-user MFA, you cannot create app passwords. In this case you can create an account in the domain "XXX.onmicrosoft.com" to connect to Office 365. ## **EXTRA:** - You might face the same problem when trying to move users, using the Skype for Business Powershell, and fails as well because of the MFA, when connecting to Office 365: - Error: "*Move-CsUser : Failed to logon with given credentials. Make sure correct user name and password provided.* " - **Solution:** The same as explained in the scenario above. ### More Resources: - [Step-By-Step: Skype for Business 2015 Hybrid Configuration](https://blogs.technet.microsoft.com/canitpro/2015/12/23/step-by-step-skype-for-business-2015-hybrid-configuration/) - [Move users to Skype for Business Online](https://technet.microsoft.com/en-us/library/jj204969.aspx) - [Move users from Skype for Business Online to on premises](https://technet.microsoft.com/en-us/library/dn689117.aspx)