Hero Banner

Multi-Factor Authentication (MFA)

Learn and ask questions on how to implement MFA

Take the survey
Reply
Nicowitch
‎11-20-2019 01:09 PM
Visitor 2
‎11-20-2019 01:09 PM

Microsoft Surface Hub and MFA (Security Defaults)

Hi 

 

Hope someone can help me on this topic. 

 

After we have enabled Security Defaults in Azure Active Directory, our Surface hub can't login to their accounts which basically makes our Hubs worhtless as they are used for Skype Meeting. 

 

Please don't tell me that the only solution is, that we have to buy Premium P2 subscribtions for all our user(+100) and setup conditional access to allow our three Hubs to avoid use MFA? 

 

Thanks. 

 

Best Regards

Nicolaj Nielsen

Labels:
0 Kudos
13 REPLIES 13
JanoschUlmer
Microsoft
‎08-10-2020 06:12 AM
Microsoft
‎08-10-2020 06:12 AM

"this issue" means that you are using AzureAD Security Defaults on the tenant that are using for CSP,  and you have set up the accounts using Powershell - https://docs.microsoft.com/en-us/surface-hub/create-a-device-account-using-office-365#create-device-acct-o365-complete-acct - and made sure nobody ever attempted to log on interactively with this account?

Did you open the support ticket as technical problem for Surface Hub support? Or did you request for a technical exception from Security requirements for this account: https://docs.microsoft.com/en-us/partner-center/partner-security-requirements-mandating-mfa#request-for-technical-exception ?

Kind regards, Janosch (Note: Leaving role as of March 2023, don't expect further answers. Connect with me via LinkedIn: https://linkedin.com/in/janoschulmer)
0 Kudos
DavidC616
‎08-10-2020 05:51 AM
Visitor 1
‎08-10-2020 05:51 AM

We recently ran into this issue and are still struggling to find a way around it.  I'm stunned that MS support has no idea about this.  We've had two support tickets open for a month now with no useful steps to resolution.  

0 Kudos
gturner
Level 1 Contributor
‎08-10-2020 06:52 AM
Level 1 Contributor
In response to DavidC616
‎08-10-2020 06:52 AM

If you are running into this issue with Surface Hub, then you can look at the Windows 10 Team 2020 Update which enables support for modern auth for cloud device accounts. I was able to remove basic auth from the Surface Hub device account once I installed the preview.

 

https://techcommunity.microsoft.com/t5/surface-it-pro-blog/new-surface-hub-os-update-released-for-public-preview/ba-p/1534823

0 Kudos
JanoschUlmer
Microsoft
‎11-22-2019 05:15 AM
Microsoft
‎11-22-2019 05:15 AM

There is no solution currently for any SfB Room devices or Teams Room devices - we need to wait for an update for Teams, which was targeted for end of this year, but there is no committed ETA.

 

So it is required to disable AAD security defaults and use conditional access - or enable MFA for each user account. Note this does not require AAD Premium Plan2, but Plan1.

 

Even when you use conditional access to exclude those account from MFA, note that the contractual requirements require Partner to have MFA enabled for all accounts - so you would not fulfill these requirements from a contract persepctive.

So it is still not allowed, however excluding this account from MFA does technically work for forseeable future - see here for info on how the enforcement is done and possible technical exceptions: https://docs.microsoft.com/en-us/partner-center/partner-security-requirements-mandating-mfa

 

The only other solution to become fully compliant is to split of the production and the CSP tenant.

 

 

 

Kind regards, Janosch (Note: Leaving role as of March 2023, don't expect further answers. Connect with me via LinkedIn: https://linkedin.com/in/janoschulmer)
0 Kudos
gturner
Level 1 Contributor
‎01-29-2020 09:36 AM
Level 1 Contributor
In response to JanoschUlmer
‎01-29-2020 09:36 AM

Any update on the solution for Teams to allow Surface Hub with MFA to work?

0 Kudos
JanoschUlmer
Microsoft
‎01-31-2020 09:04 AM
Microsoft
In response to gturner
‎01-31-2020 09:04 AM

Unfortunately not yet, I heard that an Update in the Teams Rooms client was now targeted for Q1, still no committed date.

Kind regards, Janosch (Note: Leaving role as of March 2023, don't expect further answers. Connect with me via LinkedIn: https://linkedin.com/in/janoschulmer)
0 Kudos
Reto
‎02-28-2020 01:54 AM
Visitor 1
In response to JanoschUlmer
‎02-28-2020 01:54 AM

Is there already a commitment date now? there's a new deadline tomorrow for partners and thus there should be a solution?

@JanoschUlmer wrote:

Unfortunately not yet, I heard that an Update in the Teams Rooms client was now targeted for Q1, still no committed date.

 

0 Kudos
JanoschUlmer
Microsoft
‎03-02-2020 01:23 AM
Microsoft
In response to Reto
‎03-02-2020 01:23 AM

@Reto : No, there is none yet unfortunately.

Kind regards, Janosch (Note: Leaving role as of March 2023, don't expect further answers. Connect with me via LinkedIn: https://linkedin.com/in/janoschulmer)
0 Kudos
rmavis
Level 3 Contributor
‎03-04-2020 06:12 AM
Level 3 Contributor
In response to JanoschUlmer
‎03-04-2020 06:12 AM

@JanoschUlmer 

Is there any update on this?  Or is there at least an ETA for a fix? All of our Conference rooms are down.  Disabling MFA on the room account did not resovle the issue.

0 Kudos
JanoschUlmer
Microsoft
‎03-04-2020 08:38 AM
Microsoft
In response to rmavis
‎03-04-2020 08:38 AM

When you have Security Defaults on, disabling MFA for a user will have no effect. You can only disable Security Defaults - and then enable MFA for all users, but not the specific account used by Surface Hub (See above comments on how this is not compliant, though no problems are expected from technical perspective and what licenses you would need).

 

No, there is no new ETA since Monday - since I'm not working in the Teams product team, it might also be a good idea to report this to support, they might be able to give an ETA. Also, all I know is a fix is planned for enabling modern authentication for Teams Rooms devices, I can not say for sure it will solve your specific problem. 

 

Kind regards, Janosch (Note: Leaving role as of March 2023, don't expect further answers. Connect with me via LinkedIn: https://linkedin.com/in/janoschulmer)
Lamby
Microsoft
‎04-22-2020 11:42 PM
Microsoft
In response to JanoschUlmer
‎04-22-2020 11:42 PM

We have the same issue here. Surface hub a redundant but very expensive whiteboard. This needs fixing fast...

0 Kudos
JanoschUlmer
Microsoft
‎04-23-2020 09:17 AM
Microsoft
In response to Lamby
‎04-23-2020 09:17 AM

I have heard, but could not verify, that when using AAD Security Defaults Surface Hub should not be impacted, given the service account created for the device was configured as documented (and account was not used for interactive login later).

Beneath this, report issues to Surface Hub support and potentially try to ask for a technical exception: https://docs.microsoft.com/en-us/partner-center/partner-security-requirements-mandating-mfa#request-for-technical-exception

 

 

Kind regards, Janosch (Note: Leaving role as of March 2023, don't expect further answers. Connect with me via LinkedIn: https://linkedin.com/in/janoschulmer)
0 Kudos
gturner
Level 1 Contributor
‎04-24-2020 07:41 AM
Level 1 Contributor
In response to JanoschUlmer
‎04-24-2020 07:41 AM

It boils down to Surface Hub not supporting modern auth. It uses basic auth so when you apply either the AAD Security Defaults or block legacy auth, then Surface Hub breaks. Hopefully this will be fixed soon because Surface Hub is a modern device that should be using modern auth.

0 Kudos
Follow Us
    Share