
Multi-Factor Authentication (MFA)

Learn and ask questions on how to implement MFA

Level 2 Contributor

The new MFA for Partners requirements - what will that do to our Skype/Teams room system?

Those systems have saved creds tied to the account for signing into teams.

I would suspect that enforcing MFA globally, as is currently being suggested/required, will break that functionality.

We currently have conditional access restrictions on accounts such as these to only allow logon from our IP addresses, to prevent external abuse of the accounts. Does a location restriction meet your MFA requirements (something you know / something you own; creds and IP address respectively seem to qualify in my eyes, but I'm not sure what your rules are, and quite honestly, based on the call earlier today, it doesn't sound like you're quite sure what the rules are going to be either)?


Let me know how we should proceed.


Thanks.

Level 2 Contributor

Re: The new MFA for Partners requirements - what will that do to our Skype/Teams room system?

I'm in the same boat; we have some old physical Skype/Teams phones that utilize legacy auth. I've already disabled ALL legacy auth for everyone externally using custom CA rules, with some exclusions for JUST internal legacy auth for these phone connections, to keep these aging phones around until we can replace them.

If this change is going to force us to buy new phones for everyone, I think we're all going to have a bad time.

Level 1 Contributor

Re: The new MFA for Partners requirements - what will that do to our Skype/Teams room system?

We also have Skype Room systems that rely on MFA IP whitelist. I cannot see how they can connect when baseline policies are applied.

Level 1 Contributor

Re: The new MFA for Partners requirements - what will that do to our Skype/Teams room system?

When reading the following, I'm not sure such accounts will be affected.

//

By August 1, 2019 these partners are required to take following actions:

  • Enable multi-factor authentication for all users in partner tenants
    All users in partner tenants must use multi-factor authentication (MFA) when signing into Microsoft commercial cloud services or transacting in CSP through Partner Center or via APIs. Baseline protection policies that include multi-factor authentication are available at no cost for all users of partner tenants.

\\

https://www.microsoftpartnercommunity.com/t5/Announcements/Important-Announcement-Implement-security-requirements/td-p/10991

What is your opinion on this?

Microsoft

Re: The new MFA for Partners requirements - what will that do to our Skype/Teams room system?

The requirement affects all user accounts; room devices also use some form of authentication and would be affected by the baseline policy. So from a contractual view, there is no exception (see the CSP program guide for details).

However, we are currently evaluating whether using AAD Premium Plan 1 and app passwords (for enabling legacy protocols to work) might be possible; we will update you as soon as we are able to confirm this. Whether this would work depends on how the enforcement will be checked later.

Level 4 Contributor

Surface Hub, Meeting Rooms, and Lobby phones

What are the suggestions for dealing with Surface Hub devices, conference room equipment, and lobby phones? The Surface Hub deployment plan basically says to set up a service account for the hub (https://docs.microsoft.com/en-us/surface-hub/surface-hub-2s-account); this way you can invite the Hub to a meeting and easily join when the time comes. Other conference rooms (other meeting room equipment or even just conference room phones) and lobby phones also require similar service accounts. How are people going to deal with these accounts once MFA is required?

Level 3 Contributor

Re: Surface Hub, Meeting Rooms, and Lobby phones

I had this same question due to an HP Slice using the newest SRS. It has to authenticate and has a meeting room license to get the services it needs. I didn't see a way around this either. We also have email relays and service accounts for services like Clique that access CRM.

Level 4 Contributor

Re: Surface Hub, Meeting Rooms, and Lobby phones

I just found another post about this same topic (sorry for the duplication): https://www.microsoftpartnercommunity.com/t5/Multi-Factor-Authentication-MFA/The-new-MFA-for-Partners-requirements-what-will-that-do-to-our/m-p/11161#M100. It seems like MSFT doesn't have a good answer yet. The last reply there was that we may need to purchase Azure AD Premium and use that to create app passwords for these systems. That doesn't look like it'll work, because I can't use an app password to log into Teams.

Level 3 Contributor

Re: Surface Hub, Meeting Rooms, and Lobby phones

Yes, it seems confusing. I have a user-based MFA deployment that does allow for app passwords now. It seems like the baseline policy won't allow app passwords, or it is unknown, from what I've read and heard. Either way, it seems like those accounts will break.

Level 4 Contributor

Re: The new MFA for Partners requirements - what will that do to our Skype/Teams room system?

I just tried logging into Teams using an app password and it doesn't work. Seems like we'll need another solution from Microsoft.

Microsoft

Re: The new MFA for Partners requirements - what will that do to our Skype/Teams room system?

Hi @Jinseng,

App passwords do have some limitations. You can learn more about them here. To help us provide the appropriate guidance for your scenario, can you provide details on why you cannot use an account that has MFA enforced?


Isaiah Williams
Cloud Technology Strategist | US – One Commercial Partner
Level 3 Contributor

Re: The new MFA for Partners requirements - what will that do to our Skype/Teams room system?

Maybe such an app does not support modern auth at all. We have a tablet with a meeting room system attached, and it needs to access EWS with a password. We tried to enable the baseline policies and this immediately stopped working. With AAD Premium and custom CA policies we can easily allow this to work, but it seems that this breaks the requirements for CAP to be working.

Level 2 Contributor

Re: Surface Hub, Meeting Rooms, and Lobby phones

@JanoschUlmer Any update on this one? Seems like conference phones are a pretty big issue for everyone, and I haven't heard anything from Microsoft on how these new policies are going to work for any of these room systems. We have new Yealink Teams phones that support modern auth / MFA, but I can't imagine how that would work in a shared conference phone scenario.

We also have some older phones assigned to users on users' desks that don't support modern authentication, for which we've created some CA exclusions to allow legacy auth to work until we can replace them. If the intent is that we have to buy new phones for everyone, we'd like to know sooner rather than later.

Visitor 1

MFA Requirements - Skype Rooms

Hi

We have a lot of Skype rooms that use a user account with an E5 license. These accounts are used to log into our Polycoms.

The requirements state that all users should have MFA enforced and that no IP/location exclusions can be used.

How can we adopt this requirement with our rooms?

Is it enough if we create a Conditional Access policy that only allows sign-ins from our offices?

Kind regards

Level 4 Contributor

Re: Surface Hub, Meeting Rooms, and Lobby phones

@JanoschUlmer I want to bump this question before tomorrow's office hours. App passwords don't seem to work for logging into the Teams desktop app, so I'm not sure what we'll do about our Surface Hub and the additional Surface Hubs we plan on purchasing. August 1 is getting closer and we need solid answers for how to keep using these devices as resources that can be invited to meetings. Thank you.

Microsoft

Re: Surface Hub, Meeting Rooms, and Lobby phones

Sorry, I have no update on this one. All I can currently say is that engineering for Teams is working on modern auth support for Teams Rooms; hopefully we get some updates in the coming months (not before August 1st, unfortunately).

If the baseline policies are used, those devices will fail to authenticate if they are using legacy auth, or will be asked for a 2nd factor if using modern auth (which is obviously a problem for a shared meeting room).

So for those devices which are using legacy auth, you cannot enable the baseline policy. You need to create your own conditional access policies for the majority of user accounts to enforce MFA, then make an exception in the CA policy for the accounts used by those devices, and enable MFA directly for the (device) user account to allow app passwords to be configured. This is currently the only workaround known to me.

As a last resort, the only alternative would be to split the tenants, e.g. move internal production to another tenant and keep the current tenant just for CSP business. I know this would not be an easy process for most.
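The split described in the reply above (a custom CA policy requiring MFA for everyone, with the device accounts excluded and ring-fenced separately), expressed as an added example that is not from the thread or from Microsoft. It writes the two policies in the Microsoft Graph conditionalAccessPolicy shape and adds a small evaluator to show which grant control a given sign-in would hit; the group id is a placeholder and the policy names are constructed.

```python
# Added example (not code from the thread or from Microsoft). Two Conditional
# Access policies in the Graph conditionalAccessPolicy shape, plus an evaluator.
ROOM_DEVICES_GROUP = "<room-devices-group-id>"  # placeholder, not a real object id

LEGACY_CLIENT_TYPES = {"exchangeActiveSync", "other"}  # Graph clientAppTypes for legacy auth

POLICIES = [
    {   # Every user must satisfy MFA, except the room/device accounts
        "displayName": "Require MFA for all users (room device accounts excluded)",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": [ROOM_DEVICES_GROUP]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {   # Device accounts: legacy auth is blocked unless it comes from a trusted named location
        "displayName": "Block legacy auth for room device accounts outside trusted locations",
        "state": "enabled",
        "conditions": {
            "users": {"includeGroups": [ROOM_DEVICES_GROUP]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": sorted(LEGACY_CLIENT_TYPES),
            "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
]


def policy_applies(policy, signin):
    """True if the sign-in (dict with groups, client_app_type, trusted_location)
    falls inside the policy's user, client-app and location conditions."""
    cond = policy["conditions"]
    users = cond["users"]
    groups = set(signin["groups"])
    in_scope = "All" in users.get("includeUsers", []) or groups & set(users.get("includeGroups", []))
    if not in_scope or groups & set(users.get("excludeGroups", [])):
        return False
    apps = cond["clientAppTypes"]
    if "all" not in apps and signin["client_app_type"] not in apps:
        return False
    loc = cond.get("locations")
    if loc and signin["trusted_location"] and "AllTrusted" in loc.get("excludeLocations", []):
        return False
    return True


def required_controls(signin, policies=POLICIES):
    """Union of grant controls the enabled policies impose on this sign-in.
    An empty set means the sign-in proceeds on password alone."""
    controls = set()
    for policy in policies:
        if policy["state"] == "enabled" and policy_applies(policy, signin):
            controls.update(policy["grantControls"]["builtInControls"])
    return controls
```

A room account on a modern-auth client from outside the office returns an empty set: neither challenged nor blocked by these two policies, which is exactly why the reply pairs the exclusion with per-user MFA and app passwords on the device account.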

Level 4 Contributor

Re: Surface Hub, Meeting Rooms, and Lobby phones

Thank you for the update. We'll go the route of creating a custom CA policy and excluding the Surface Hub. We'll try using an app password again, but last time I checked, an app password did not work while logging into MS Teams. I don't know what else we can do until the MS Teams department fixes this.

Visitor 1

Implementing Baseline policy: End user protection; does this impact room accounts for SRS/MTR and Surface Hub accounts?

I need to implement the baseline policies as we are a CSP.
The admin policy is enabled, no problem.

Does anybody know what the impact is when enabling the end user protection policy regarding Surface Hub and room system accounts (SRS/MTR)? These accounts must be enabled as a user, but they cannot use MFA; not even an application password works.
I don't have a test tenant available where I can test these policies without interrupting normal business.

Microsoft

Re: Implementing Baseline policy: End user protection; does this impact room accounts for SRS/MTR and Surface Hub accounts?

@hwaarsing : Those room devices will not work in the future with this baseline policy. Right now the end user protection baseline policy will not enforce MFA for every access, so it will not break anything right now, but this will change as the baseline policies evolve (specifically for enforcing MFA for CSP users). It will also take a few months until things change in Teams Rooms that might resolve some problems (support for modern auth, but no promises).

Level 2 Contributor

Re: Implementing Baseline policy: End user protection; does this impact room accounts for SRS/MTR and Surface Hub accounts?

Your comment "Right now the end user protection baseline policy will not enforce MFA for every access - so it will not break something right now" doesn't make sense.

It will not enforce it for every access... but it will be enforced for setup and periodically afterwards, so... sure seems like it'll break something right now. Can you explain a bit more clearly how this won't break it?

Thanks.

Microsoft

Re: Implementing Baseline policy: End user protection; does this impact room accounts for SRS/MTR and Surface Hub accounts?

@JohnF : The end user protection baseline policy currently only triggers MFA when a sign-in risk is detected, so it might be that no MFA will be triggered at all after this policy has been enabled (unless the user would, for example, change networks often and thereby the sign-in would be considered risky).

I mentioned this just to make clear that if you enable the policy right now and you see nothing break and no MFA, this might change, and you should not assume that it will stay this way.

Level 3 Contributor

Re: Implementing Baseline policy: End user protection; does this impact room accounts for SRS/MTR and Surface Hub accounts?

Yes, currently it does not break it. But someone must sign in in a browser and go through the MFA registration for these service accounts. In our testing, once the registration period expires the web sign-in is blocked until MFA registration is complete.

Level 2 Contributor

Re: Implementing Baseline policy: End user protection; does this impact room accounts for SRS/MTR and Surface Hub accounts?

@JanoschUlmer 

We have implemented the new MFA requirements using our own Conditional Access policies so that we can have a few exceptions for legacy auth requirements using app passwords, as you have advised this is allowed currently.

Since we are not using the baseline policies, we are now forcing MFA on all users regardless of risk category. This is now causing issues with our Surface Hub 2S and performing demonstrations for our customers to help sell these products. Teams on the Surface Hub does not give you the ability to enter the app password at all. What options do we have to get the Surface Hubs working with the new security requirements, so that we can demo and sell these devices?

Microsoft

Re: Implementing Baseline policy: End user protection; does this impact room accounts for SRS/MTR and Surface Hub accounts?

@MVolker : For Teams Rooms and Teams on Surface Hub there is currently no solution.

To my knowledge Teams engineering is working on the authentication issues and should have a solution available in the coming months; I cannot share a more concrete ETA as of now.

Level 2 Contributor

Re: Implementing Baseline policy: End user protection; does this impact room accounts for SRS/MTR and Surface Hub accounts?

@JanoschUlmer
While the Teams engineering team is working on the authentication issues, are we able to create a custom conditional access policy for the Surface Hub user accounts that enforces MFA on risky logins, similar to the baseline users policy, and create very complex passwords for these user accounts, so that my staff are able to continue performing customer demonstrations?
Thanks
Micheal