Microsoft Surface Hub and MFA (Security Defaults)
Hope someone can help me on this topic.
After we enabled Security Defaults in Azure Active Directory, our Surface Hubs can't log in to their accounts, which basically makes our Hubs worthless as they are used for Skype Meetings.
Please don't tell me that the only solution is that we have to buy Premium P2 subscriptions for all our users (100+) and set up conditional access to allow our three Hubs to avoid using MFA?
"this issue" means that you are using Azure AD Security Defaults on the tenant that you are using for CSP, and you have set up the accounts using PowerShell - https://docs.microsoft.com/en-us/surface-hub/create-a-device-account-using-office-365#create-device-acct-o365-complete-acct - and made sure nobody ever attempted to log on interactively with this account?
Did you open the support ticket as a technical problem for Surface Hub support? Or did you request a technical exception from Security requirements for this account: https://docs.microsoft.com/en-us/partner-center/partner-security-requirements-mandating-mfa#request-for-technical-exception ?
We recently ran into this issue and are still struggling to find a way around it. I'm stunned that MS support has no idea about this. We've had two support tickets open for a month now with no useful steps to resolution.
If you are running into this issue with Surface Hub, then you can look at the Windows 10 Team 2020 Update which enables support for modern auth for cloud device accounts. I was able to remove basic auth from the Surface Hub device account once I installed the preview.
There is no solution currently for any SfB Room devices or Teams Room devices - we need to wait for an update for Teams, which was targeted for end of this year, but there is no committed ETA.
So it is required to disable AAD security defaults and use conditional access - or enable MFA for each user account. Note this does not require AAD Premium Plan2, but Plan1.
Even when you use conditional access to exclude those accounts from MFA, note that the contractual requirements require Partner to have MFA enabled for all accounts - so you would not fulfill these requirements from a contract perspective.
So it is still not allowed, however excluding this account from MFA does technically work for the foreseeable future - see here for info on how the enforcement is done and possible technical exceptions: https://docs.microsoft.com/en-us/partner-center/partner-security-requirements-mandating-mfa
The only other solution to become fully compliant is to split the production and the CSP tenant.
Is there already a commitment date now? There's a new deadline tomorrow for partners and thus there should be a solution?
Unfortunately not yet, I heard that an Update in the Teams Rooms client was now targeted for Q1, still no committed date.
Is there any update on this? Or is there at least an ETA for a fix? All of our conference rooms are down. Disabling MFA on the room account did not resolve the issue.
When you have Security Defaults on, disabling MFA for a user will have no effect. You can only disable Security Defaults - and then enable MFA for all users, but not the specific account used by Surface Hub (See above comments on how this is not compliant, though no problems are expected from technical perspective and what licenses you would need).
No, there is no new ETA since Monday - since I'm not working in the Teams product team, it might also be a good idea to report this to support, they might be able to give an ETA. Also, all I know is a fix is planned for enabling modern authentication for Teams Rooms devices, I cannot say for sure it will solve your specific problem.
I have heard, but could not verify, that when using AAD Security Defaults Surface Hub should not be impacted, given the service account created for the device was configured as documented (and the account was not used for interactive login later).
Beneath this, report issues to Surface Hub support and potentially try to ask for a technical exception: https://docs.microsoft.com/en-us/partner-center/partner-security-requirements-mandating-mfa#request-for-technical-exception
It boils down to Surface Hub not supporting modern auth. It uses basic auth so when you apply either the AAD Security Defaults or block legacy auth, then Surface Hub breaks. Hopefully this will be fixed soon because Surface Hub is a modern device that should be using modern auth.
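The following is an added example, not part of any post in this thread: a way to find which accounts (such as a room or Hub device account) still sign in with basic/legacy auth before Security Defaults or a legacy-auth block is turned on. It assumes sign-in records exported as JSON with the `userPrincipalName` and `clientAppUsed` fields of the Microsoft Graph signIn resource; the accounts and records are constructed sample data.

```python
import json
from collections import defaultdict

# Client app names the Azure AD sign-in log reports for modern authentication.
# Any other non-empty value (Exchange ActiveSync, IMAP4, POP3, "Other clients",
# ...) is treated here as legacy/basic auth, which Security Defaults blocks.
MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}

# Constructed sample export (not real log data).
SAMPLE_RECORDS = json.loads("""
[
 {"userPrincipalName": "hub1@contoso.example", "clientAppUsed": "Exchange ActiveSync"},
 {"userPrincipalName": "Hub1@contoso.example", "clientAppUsed": "Exchange ActiveSync"},
 {"userPrincipalName": "hub1@contoso.example", "clientAppUsed": "Other clients"},
 {"userPrincipalName": "alice@contoso.example", "clientAppUsed": "Browser"},
 {"userPrincipalName": "bob@contoso.example", "clientAppUsed": "IMAP4"},
 {"userPrincipalName": "bob@contoso.example", "clientAppUsed": "Mobile Apps and Desktop clients"},
 {"userPrincipalName": "carol@contoso.example", "clientAppUsed": ""}
]
""")


def legacy_auth_accounts(records):
    """Return {upn: {client_app: count}} for sign-ins that used legacy auth."""
    hits = defaultdict(lambda: defaultdict(int))
    for rec in records:
        app = (rec.get("clientAppUsed") or "").strip()
        # An empty client app cannot be classified; skip it rather than guess.
        if not app or app in MODERN_CLIENTS:
            continue
        upn = (rec.get("userPrincipalName") or "unknown").lower()
        hits[upn][app] += 1
    return {upn: dict(apps) for upn, apps in hits.items()}


def report(records):
    """One line per account that would break once legacy auth is blocked."""
    lines = []
    for upn, apps in sorted(legacy_auth_accounts(records).items()):
        detail = ", ".join(f"{app} x{n}" for app, n in sorted(apps.items()))
        lines.append(f"{upn}: {detail}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_RECORDS):
        print(line)
```

Accounts listed by `report` are the ones to move to modern auth or plan an exception for before the block takes effect.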