Microsoft Teams Blog

TLS certificate changes to Microsoft 365 services including Microsoft Teams

Parker_Shelton
Mar 09, 2022

Microsoft 365 is updating services powering messaging, meetings, telephony, voice, and video to use TLS certificates from a different set of Root Certificate Authorities (CAs). This change is being made because the current Root CA will expire in May 2025.


Affected products include:

  • Microsoft Teams
  • Skype
  • Skype for Business Online
  • Microsoft Dynamics 365
  • GroupMe
  • Kaizala
  • Azure Communication Services

Affected endpoints include (but are not limited to):

  • *.teams.microsoft.com
  • *.skype.com
  • *.skypeforbusiness.com
  • *.groupme.com
  • *.communication.azure.com
  • *.operatorconnect.microsoft.com

Additionally, Teams and Skype for Business Online endpoints in US Government national cloud instances of Microsoft 365 will make the same change, affecting endpoints such as:

  • *.gcc.teams.microsoft.com
  • *.dod.teams.microsoft.us
  • *.gov.teams.microsoft.us
  • *.online.dod.skypeforbusiness.us
  • *.online.gov.skypeforbusiness.us
  • *.um-dod.office365.us
  • *.um.office365.us

Services began transitioning to the new Root CAs in January 2022, and the transition will continue through October 2022.


The new Root CA "DigiCert Global Root G2" is widely trusted by operating systems including Windows, macOS, Android, and iOS and by browsers such as Microsoft Edge, Chrome, Safari, and Firefox. We expect that most Microsoft 365 customers will not be impacted.


However, your application may be impacted if it explicitly specifies a list of acceptable CAs, a practice known as "certificate pinning". If the new Root CAs are not in that list of acceptable CAs, certificate validation will fail, which may impact the availability or function of your application.


For more details on how to determine if you are affected by this change as well as the details of the new Root CAs, please refer to the technical guidance at Office TLS Certificate Changes.


Update Sept 1, 2022:

Microsoft has prepared a testing endpoint that can be used to verify that SBC appliances trust certificates issued from the new root CA (DigiCert Global Root G2). This endpoint should be used only for SIP OPTIONS ping messages and not for voice traffic.


Global FQDN: sip.mspki.pstnhub.microsoft.com 

Port: 5061
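A practical way to confirm the situation described above (an application or SBC that pins a fixed set of Root CAs, and the test endpoint published in the update) is to attempt a TLS handshake in which the only trust anchors are the roots you actually pin. The script below is an added example, not code from the blog post or from Microsoft: it assumes `openssl` is installed, that `./pinned-roots.pem` (a hypothetical path) holds exactly the roots your application or SBC trusts, and it parses the `Verify return code` line that `openssl s_client` prints. The two sample outputs embedded in it are constructed for offline demonstration, not captured from the endpoint.

```shell
#!/bin/sh
# Added example: does a trust store containing ONLY the roots we pin accept the
# chain a Microsoft 365 endpoint presents? A pinned store that lacks
# "DigiCert Global Root G2" fails here the same way the post describes.

# Parse the verification result out of `openssl s_client` output.
# Prints "ok" or the error text after "Verify return code: ";
# exit status 0 only when verification passed, 2 if no result line was found.
classify_verify() {
    # $1: text captured from openssl s_client
    line=$(printf '%s\n' "$1" | grep -m1 '^Verify return code:')
    case "$line" in
        "Verify return code: 0 (ok)") echo ok; return 0 ;;
        "")                            echo "no-verify-result"; return 2 ;;
        *)                             echo "${line#Verify return code: }"; return 1 ;;
    esac
}

# Handshake with the endpoint using only the pinned roots as trust anchors.
# $1 host, $2 port, $3 PEM file of pinned roots (hypothetical: ./pinned-roots.pem).
# SIP/TLS on 5061 is TLS from the first byte, so plain s_client is enough.
check_pinned_trust() {
    host=$1; port=$2; cafile=$3
    out=$(openssl s_client -connect "$host:$port" -servername "$host" \
                           -CAfile "$cafile" </dev/null 2>/dev/null)
    classify_verify "$out"
}

# Constructed sample outputs (labelled as such) so the parser can be exercised
# offline: one successful verification, one store that lacks the chain's root.
SAMPLE_OK='---
SSL handshake has read 4321 bytes and written 400 bytes
Verify return code: 0 (ok)
---'
SAMPLE_MISSING_ROOT='---
Verify return code: 20 (unable to get local issuer certificate)
---'

# Live check only when a host is given, e.g.:
#   sh check-pinned-trust.sh sip.mspki.pstnhub.microsoft.com 5061 ./pinned-roots.pem
if [ $# -ge 3 ]; then
    if check_pinned_trust "$1" "$2" "$3"; then
        echo "pinned roots accept the chain from $1:$2"
    else
        echo "pinned roots REJECT the chain from $1:$2 - add the new Root CA(s)"
    fi
fi
```

Run it against the test endpoint from the update with a `pinned-roots.pem` that mirrors what your SBC or application ships; a failing result means the new root must be added before the production `sip*.pstnhub.microsoft.com` endpoints finish moving. Because the check validates against your pinned set rather than the OS store, it shows the problem even on a machine whose operating system already trusts DigiCert Global Root G2.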

Updated Sep 01, 2022
Version 2.0

34 Comments

  • Bala159545 (Copper Contributor)

    With ref. to the above article, we understand that the impact is only if you use an application that integrates with Microsoft Teams, Skype, Skype for Business Online, or Microsoft Dynamics APIs and also if it explicitly specifies a list of acceptable CAs.

    It will not affect the normal Microsoft Teams application.

    Please let us know if our understanding is correct.

  • RichHall (Copper Contributor)

    Hi Parker_Shelton  - that's great, thanks for the extra info.


    I think I'll play it safe and start adding all three certificates into the trusted store of the various SBCs I deploy/maintain next time I log on to each one,  to make sure I don't get caught out later on if I don't get a window to update to the latest firmware! (TBH, I don't think Ribbon have historically included any certs in their firmware, so it may end up being manual anyway).


  • Hi, RichHall. Our team is working to reach out to all SBC vendors to communicate the upcoming changes and help them provide firmware updates, testing tools, and documentation changes for their customers. Microsoft is working to provide a dedicated SIP/TLS endpoint that will serve a certificate signed by the new CA that can be used to verify connectivity from SBCs using SIP OPTIONS pinging. Given the complexity of this piece of the migration, we don't expect SBCs to need to trust the new Root CAs until Sept or Oct 2022. 


    The new Intermediate CAs are "cross-signed" and should be considered valid if any of the three Root CA certificates are trusted. We would recommend installing all three but expect the "DigiCert Global Root G2" Root CA to be pre-installed in a number of OSes and devices and to be the simplest and most popular Root CA. 

  • RichHall (Copper Contributor)

    Hi Parker_Shelton  - thanks for this.


    The page linked says that certificates that chain to the Baltimore certificate will be replaced to certificates that chain to one of three possible options, but you've only mentioned one on your blog post - is that confirmation that all of the Teams-related things will be using certificates that chain back to the "DigiCert Global Root G2" cert?


    More specifically - I maintain a lot of SBCs that connect to Teams for direct routing that currently have the Baltimore cert manually imported so they trust all the sip*.pstnhub.microsoft.com endpoints; do you know which certificate I will need to import in addition, and when by?


    Thanks,

    Rich