
Multi-Factor Authentication (MFA)

Learn and ask questions on how to implement MFA

Level 2 Contributor

The new MFA for Partners requirements - what will that do to our Skype/Teams room system?

Those systems have saved creds tied to the account for signing into teams.

Would suspect that enforcing MFA globally as currently being suggested/required will break that functionality.

We currently have conditional access restrictions on accounts such as that to only allow logon from our IP addresses to prevent external abuse of accounts. Does location restriction meet your MFA requirements (something you know... something you own [creds/IP address respectively seem to, in my eyes, but not sure what your rules are, and quite honestly, based on the call earlier today, it doesn't sound like you're quite sure what the rules are going to be either])?

Let me know how we should proceed.

Thanks.

Level 3 Contributor

Is there any update on this? All of our conference rooms are down. Disabling MFA on the room account did not resolve the issue.

Level 1 Contributor

Hello,

Is there any update on this matter? We are still unable to use Teams Rooms. How is it possible that it takes so long for Microsoft to update the authentication to modern authentication?

- App Passwords do not work

- Whitelisting IP / bypassing MFA for Teams/Skype does not work.

- Splitting the tenant is not an option for us

- Removing MFA from the accounts breaks compliance.

Please provide us with an update, Microsoft.

Microsoft

@TobiasO: Changing the authentication schema is a major project; of course this will take time and considerable development effort.

Whitelisting IP would work, but it is not compliant, similar to excluding the account from MFA.

I still don't have knowledge of a specific ETA - and also be aware that I can not say for sure it will solve all the specific problems in each scenario. The upcoming fix will enable Modern Authentication, which removes the problem that e.g. Azure AD Security Defaults are blocking basic authentication/legacy protocols - this is what I know currently.

For any issues you experience, you should open a support request with the respective product team.

Kind regards,
Janosch
Level 1 Contributor

Here is what worked for us:

As a CSP you can open a support ticket to ask for an exception.

General > Accounts, Onboarding, Access > MFA - Request for exception

Partners can request a technical exception to suppress MFA verification if they are encountering issues with Microsoft Online Services and there is no feasible solution or workaround.

This should be a valid temporary solution for those who are in urgent need of their systems to work. Microsoft support has also confirmed that this will not void your compliance.

Level 1 Contributor

Same issue here. My company just migrated one of our video rooms from a Cisco solution to a Lenovo ThinkSmart Hub 500.

The hub is able to receive direct calls and call others from the hub, but the room's calendar is not showing, and so we are missing the ability to join meetings directly on the hub's screen.

The calendar is working when we turned off the security defaults (temporarily) for testing, but as others have pointed out, this is not a viable solution due to the partner requirements.

Also, see this post on the Lenovo forums that describes the same issue we're facing: https://forums.lenovo.com/t5/ThinkSmart/Thinksmart-Hub-500-Error-quot-signing-in-quot-at-the-top-of-the/td-p/4546770

The sign-in log in Azure AD also shows that the meeting room user running on Teams Rooms in the hub is failing to authenticate:

  • Application: Office 365 Exchange Online
  • Status: Failure
  • Sign-in error code: 53003
  • Failure reason: Access has been blocked due to conditional access policies.

  • Authentication method: CloudOnlyPassword
  • Result detail: Access has been blocked due to conditional access policies.
  • Requirement: Primary Authentication

  • Policy Name: Security defaults
  • Grant Controls: block
  • Result: Failure
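To find this pattern across all room accounts in a tenant instead of reading sign-in entries one at a time, here is an added example (not from the original post, and not Microsoft's tooling) that triages exported sign-in records: the records are constructed, their field names (userPrincipalName, appDisplayName, status.errorCode, authenticationDetails, appliedConditionalAccessPolicies) are assumed to follow the Microsoft Graph signIn resource, and the "room-" account prefix is a hypothetical naming convention.

```python
import json

# Constructed sample records shaped like Microsoft Graph / Azure AD sign-in log
# exports (field names assumed from the Graph signIn resource, not copied from the post).
SAMPLE_SIGNINS = json.dumps([
    {"userPrincipalName": "room-a@contoso.example", "appDisplayName": "Office 365 Exchange Online",
     "status": {"errorCode": 53003, "failureReason": "Access has been blocked due to conditional access policies."},
     "authenticationDetails": [{"authenticationMethod": "CloudOnlyPassword"}],
     "appliedConditionalAccessPolicies": [
         {"displayName": "Security defaults", "enforcedGrantControls": ["block"], "result": "failure"}]},
    {"userPrincipalName": "room-b@contoso.example", "appDisplayName": "Office 365 Exchange Online",
     "status": {"errorCode": 0, "failureReason": ""},
     "authenticationDetails": [{"authenticationMethod": "CloudOnlyPassword"}],
     "appliedConditionalAccessPolicies": [
         {"displayName": "Block legacy auth", "enforcedGrantControls": ["block"], "result": "notApplied"}]},
    {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Microsoft Teams",
     "status": {"errorCode": 53003, "failureReason": "Access has been blocked due to conditional access policies."},
     "authenticationDetails": [{"authenticationMethod": "Password"}, {"authenticationMethod": "Mobile app notification"}],
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require compliant device", "enforcedGrantControls": ["compliantDevice"], "result": "failure"}]},
])

CA_BLOCKED = 53003  # AADSTS53003: access blocked by a Conditional Access policy

def blocking_policies(record):
    """Display names of the CA policies whose grant control failed for this sign-in."""
    return [p["displayName"] for p in record.get("appliedConditionalAccessPolicies", [])
            if p.get("result") == "failure"]

def used_only_password(record):
    """True when the only method seen was a password, i.e. the client never reached an MFA step."""
    methods = {d.get("authenticationMethod") for d in record.get("authenticationDetails", [])}
    return methods <= {"CloudOnlyPassword", "Password"}

def triage(signins_json, account_filter=lambda upn: upn.startswith("room-")):
    """Map each blocked account (hypothetical 'room-' naming convention by default)
    to the app it tried, the policies that blocked it, and whether it was password-only."""
    report = {}
    for rec in json.loads(signins_json):
        upn = rec.get("userPrincipalName", "")
        if not account_filter(upn) or rec.get("status", {}).get("errorCode") != CA_BLOCKED:
            continue
        report.setdefault(upn, []).append({"app": rec.get("appDisplayName"),
                                           "policies": blocking_policies(rec),
                                           "password_only": used_only_password(rec)})
    return report
if __name__ == "__main__":
    for upn, hits in triage(SAMPLE_SIGNINS).items():
        print(upn, hits)
```

A room account that shows up with password_only=True and "Security defaults" or a block-legacy-auth policy in its list is the exact failure mode discussed in this thread: the device can only present a password, so any policy demanding a second factor blocks it.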
Level 2 Contributor

@nilsree

What did you do to turn the security defaults off for the account? I would like to try and replicate the issue again and then compare the logs. Thanks

Level 1 Contributor

@brynjonesmm

Afaik there is no way to turn it off for a single account. I turned off security defaults for the tenant temporarily.
Level 2 Contributor

@nilsree 

Our environment doesn't even have the security defaults enabled, as we manage it on a per-user basis. I've checked and there are no conditional access policies enabled either for the room account, and we are still getting the error. With the security defaults enabled you should make an exception to blocking legacy authentication for that account and see what happens.

Level 1 Contributor

@brynjonesmm

Do you have a guide on how to make exceptions to the security defaults policy?

If I try to add a Conditional Access policy, I get the message: "Security defaults must be disabled to enable Conditional Access policy."

Level 1 Contributor

@brynjonesmm

Your suggestion is the same as stated by @JanoschUlmer in this thread on 08-05-2019:

So currently the only working solution is to exclude this account from MFA - which is, to be very clear on this, not in compliance with the contractual requirements. This will at least work until technical enforcement starts.

We need a solution compliant with the contractual requirements.

Microsoft


@nilsree wrote:

We need a solution compliant with the contractual requirements.


Then there is no other solution than waiting for a fix that enables modern auth for Teams Rooms; this will take some weeks at least (still no committed ETA).

Kind regards,
Janosch
Level 2 Contributor

@nilsree 

Does disabling MFA show the calendar?

I tried enabling MFA and I couldn't even log in to the Teams Room at all on the Lenovo hub.

Visitor 2

Hi @JanoschUlmer, happy new year. I wanted to echo the sentiment of other posters and ask whether there is any channel with which we could escalate requesting resolution of this issue.

Similar to the other poster, we have multiple Logitech Group systems sitting idle since last year. Please let us know if there are any updates.

Microsoft

Generally you can contact your account team and ask them for escalation (Partner Development Manager, or Service Account Manager if you have an ASfP support contract). In parallel you can open a support ticket in Teams support - they can also give a more detailed response about an ETA for an update. Then you can push for feedback on a respective UserVoice feedback item.

However, development has already started - I doubt the update will be delivered faster when escalating via the account teams.

Also, something to clarify here, since it wasn't discussed in this thread before and some more guidance was published since my earlier answers: even though the agreements (MPA) do not allow for any excluded accounts, the technical enforcement - as far as it is planned and documented currently - will not impact this scenario. So technically you can exclude the Teams Rooms account from MFA currently without technical problems, and then switch to Modern Auth as soon as the update is ready. Again - technically possible even though not officially compliant (see also the list of potential technical exceptions here).

Kind regards,
Janosch
Level 2 Contributor

Any update on this? Our Teams Rooms device just sits saying "Cannot Fetch Calendar".

Any help would be greatly appreciated. $2600 of equipment just sitting!

Microsoft

I have not seen an ETA. So for now, you would need to exclude the account from MFA to make it work (so if you use Azure AD Security Defaults, you would need to switch the setup to custom Conditional Access policies).

Kind regards,
Janosch
Visitor 1

I can't believe that there is no real solution for this yet. Just last Monday MS mailed us that Conditional Access has to be changed to security defaults. So no conditional policies are accepted anymore.

There is a Meeting Room license, why can't we just disable MFA for those?

We do have multiple Teams Rooms devices and we cannot use them now.

PS. We are 10 minutes away from migrating Teams Rooms to another tenant just to make it work.

Microsoft

@viiksi: This is not true, you can also use Conditional Access to fulfill the security requirements. There was some notification that because baseline policies are being deprecated you should switch to Security defaults (if you use the baseline policies), but there is no requirement to enable security defaults if you use other methods. If you still have doubts, PM me with the message you received.

But it does not change the fact that MFA has to be enabled for every user account in the CSP tenant as per the MPA - so currently you can decide to

 - either not configure MFA for those accounts (while this works technically you will not be in full compliance - and when a fix is available you enable MFA then),

 - enable MFA and not use Teams Rooms (and wait until there is a fix),

 - or make a tenant split where you have separate tenants for CSP and production use - this might also solve some of the other issues but is of course not a quick fix.

Kind regards,
Janosch
Level 2 Contributor

We use the meeting room license and it works great if you disable MFA in the MFA portal. The only thing that we are having trouble with is the screen keeps saying "cannot fetch calendar". GRR.

Microsoft is making Teams into a mainstream platform, but they are not supporting the people using it every day. You can never get ahold of anyone at MS and they tell you to go to your reseller. The resellers have no clue about it either. I guess you have to be a massive company like GM or Ford or whoever uses Teams in the massive corp world, then Microsoft will do whatever they need.