Multi-Factor Authentication (MFA)

@TobiasO : Changing the authentication schema is a major project, of course this will take time and consierable development effort.

Whitelisting IP would work, but it is not compliant similar to excluding the account from MFA.

 

I still don't have knowledge of a specific ETA - and also be aware that I can not say for sure it will solve all the specific problems in each scenario. The upcoming fix will  enable Modern Authentication, which removes the problem that e.g. AzureAD Security Defaults are blocking basic authentication/legacy protocols - this is what I know currently.

For any issues you experience, you should open a support request wioth the respective product team

 

 

Here is what worked for us:

As CSP you can open a support ticket to ask for an exception. 

Partners can request for technical exception to suppress MFA verification if they are encountering issues with Microsoft Online Services and there are no feasible solution or workaround.

 

This should be a valid temporary solution for those who are in urgent need of their systems to work. Microsoft support has also confirmed that this will not void your compliancy.

 

 

@nilsree

What did you do to turn the security defaults off for the account? I would like to try and replicate the issue again and then compare the logs. Thanks

@brynjonesmm

Afaik there is no way to turn off for a single account. I turned off security default for the tenant temporary.

@nilsree 

our enviroment doesnt even have the security defaults enabled as we manage it on a per user basis.  ive checked and there is no conditional access policies enabled either for the room account. and we are still getting the error. with the security defaults enabled you should make an exception to blocking legacy authentication for that account and see what happens.

@brynjonesmm

 

Do you have a guide on how to make exceptions to security defaults policy?

 

If I try to add a Conditional Access policy, I get the message: "Security defaults must be disabled to enable Conditional Access policy."

@nilsree 

 

doing some reading this morninf found this:

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults

then https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-policy-common. note the * "* These four policies when configured together, would mimic functionality enabled by security defaults."

 

then apply to certain users

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/conditions

 

 

 

@brynjonesmm 

 

Your suggestion is the same as stated by @JanoschUlmer in this thread 08-05-2019:

So currently the only working solution is to exclude this account from MFA - which is, to be very clear on this, not in compliance with the contractual requirements. This will at least work until technical enforcement starts.

---

We need a solution compliant with the contractual requirements.

---

@nilsree wrote:

We need a solution compliant with the contractual requirements.

---

Then there is no wother solution then waiting for a fix that enables modern auth for Teams Rooms, this will take some weeks at least (still no comitted ETA)

@nilsree 

does disabling MFA show the calendar?

i tried enabling MFA and i couldnt even login to the teams room at all on the lenovo hub

Generally you can contact your account team and ask them for escalation (Partner Development Manager, Service Account Manager if you have an ASfP support contract). In parallel you can open a support ticket in Teams support - they can also give a more detailed response about an ETA for an update. Then you can push for feedback on a respective UserVoice feedback item

However, development has already started - I doubt the update will be delivered faster when escalating via the account teams. 

 

Also, something to clarify here since it wasn't discussed in this thread before and some more guidance was published since my earlier answers: Even though the agreements (MPA) do not allow for any excluded accounts, the technical enforcement - as far as it is planned and documented currently - will not impact this scenario. So technically you can exclude the Teams Room-Account from MFA currently without technical problems, and then switch to Modern Auth as soon as the update is ready. Again - technically possible even though not officially compliant (see also the list of potential technical exceptions here)

Any update on this. Our teams room device just sits saying Cannot Fetch Calendar.

 

Any help would be greatly appreciated. 2600$ of equipment just sitting!

I have not seen a ETA. So for now, you would need to exclude the account from MFA to make it work (So if you use AzureAD Security Defaults, you would need to switch the setup to custom Conditional Access policies)

I can't believe that there is no real solution for this yet. Just last monday MS mailed us that Conditional Accesses has to be changed to security default. So no conditional policies are accepted anymore.

 

There is Meetingroom lisence, why cant we just disable mfa from those?

 

We do have multiple Teamsrooms devices and we cannot use them now.

ps. We are 10 minutes away from migrating teams rooms to another tenant just to make it work.

 

@viiksi: This is not true, you can also use Conditional Access to fulfill the security requirements. There was some notification that because baseline policies are being deprecated you should switch to Security defaults (if you use the baseline policies), but there is no requirement to enable security defaults if you use other methods. If you still have doubts, PM me with the message you received.

 

 

But it does not change the fact that MFA has to be enabled for every user account in the CSP tenant as per the MPA - so currently you can decide to

 - either not configure MFA for those accounts (and while this works technically you will not be in full compliance - and a when a fix is available you enable MFA then),

 - enable MFA and not use Teams Rooms (and wait until there is a fix),

 - or make a tenant split where you have seperated tenants for CSP and production use - this might also solve some of the other issues but is of course not a quick fix.

We use the meeting room license and its works great if you disable MFA in MFA portal. the only thing that we are having trouble with is the screen keeps saying "cannot fetch caledar" GRR.

 

microsoft is making teams into a mainstream platform, but they are not support the people using it everyday. you can never get ahold of anyone at MS and they tell you to go to your reseller. the resellers have no clue about it either. i guess you have to be a massive company like GM or Ford or whoever uses teams in the massive corp world then microsoft will do whatever they need.