Skype for Business security

I start of my first blogpost with a PowerShell script.

My experience is that most Active Directory admins disable a user in AD and move them to an OU called “Disabled Users” and underlying OU named by the month they are disabled. Then they delete disabled users every 3 month or so. Most AD admins don’t know that they also need to disable the Skype for Business user on the front end server.
Skype for Business clients authenticate against the front end by a certificate that’s created the first time they log on from the computer in use. This certificate is valid for up to 6 months.

Example Scenario:

John Doe is fired from Contoso. He had Skype for Business on a non-company laptop that he used at home. His AD account is disabled. John is still able to log on to Skype for Business on his personal laptop. Therefore he can make phone calls and see previous colleague’s presence information. This is not good at all. Especially if he start working for a competitor.

Not sure why it is like this also in Skype for Business, but I see it as a huge security risk. 
Remember to disable account in AD and Skype for Business!

I have therefore created a small script that takes care of this. The script can be downloaded from TechNet:

I will continue to develop this script to add features.

disable users script

One thought on “Skype for Business security

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s