Surface Hub 2 - Problem with Microsoft Teams

Hello Guzm0Apex,

This isn't an issue with the app itself but a sign-in issue which could be caused by different reasons. Make sure the device is fully updated and if you still have this issue, check the sign-in logs in Azure AD for any Conditional Access policies blocking the sign-in. 

If you still have issues, please open a support case

Thank you,

Cezar

Hey Cezar

I’m just checking in its been over a year since I see people have started to have this issue were teams don’t load.

any updates or fixes I haven’t found any myself we are still able to use teams on the web but once we start teams from the app it says “something went wrong” and closes and try’s to re-open  but fails every time after that ive even factory reset it and still comes up with the same issue.

It has all the windows updates .

thank you .

cezarcretu 

Hi cezarcretu ,

I have a related but different issue.

I am trialling a new Hub 2S. I have created a resource account. It works, but I am prompted for MFA for the resource account for every login. This is despite the policy excluding the IP address and the account itself.

Any ideas?

Tim.

alankinane485 , I think it's also fixed in the latest big update of Windows 10 Team Edition (the native version running on Hubs) that was scheduled to be released in October but not 100% sure it's rolled out everywhere yet.

With us being back in lockdown I have not been in the office for over a month 🙂

NaraeB As far as I know the issue is still there.  However, you can now install Windows 10 Enterprise on the Surface 2s which is what I have done and this OS has no issue.

https://docs.microsoft.com/en-us/surface-hub/surface-hub-2s-migrate-os

cezarcretu are there any updates on this topic?

We setup a CA policy last year to block basic auth for EXO/SPO for the 'Other clients' category (so older Office clients, POP, SMTP, IMAP,etc..) and even though the Surface Hub device accounts are subject to this CA, they are all still working.

On the other hand, when I look in the sign-in logs I see lots of failures from those accounts to Office 365 Exchange Online using 'other clients' but also a lot of successful logins using Exchange ActiveSync (user agent BAV2ROPC).

What is the current Microsoft recommendation for Surface Hub and MTR devices? Exclude them from all CA policies which block anything that does basic auth?

Tristan Griffiths , you are absolutely right and we are aware of the pain this causes. Currently the Surface Hub OS is not able to handle modern authentication but we are working hard on this. There is currently no ETA but this will be fixed soon.

Thank you,

Cezar

cezarcretu We see now the partner requirements changed somewhat. Don't know when. The way I read it now is MFA for all cloud services, from any device, at any location, no exceptions. So we're now stuck with Surface Hubs and Microsoft Teams Room systems. App passwords work for SfBO and EXO on an MTR, but not Teams.

I'm not the only one seeing the irony of Microsoft forcing partners to use modern authentication and recommending app vendors switch to the graph, while simultaneously not following their own recommendations?

Hell, even ConnectWise Manage has been updated to the graph and modern authentication (did ours over the long weekend).

Hello alankinane485 

As I said, excluding the account based on location would still be an exclusion. Unfortunately at this point I don't have a solution for you. However, this limitation is known and under review by the Surface Hub team. Hopefully we will have a solution sortly

Thank you,

Cezar

alankinane485 does achieve the same thing as CA trusted site bypass but with the ability to use app passwords. Haven't seen (or haven't read clearly enough... more likely) that trusted sites cannot be bypassed for regular users under the partner rule change? Got a link?

We shouldn't have to wait too much longer for Microsoft to pull their finger out and release modern auth for Surface Hubs and MTRs.

Tristan Griffiths Thanks for that.  This will work I'm sure but I don't see how this gets around the MFA requirement.  Can you explain your thoughts on this?

My understanding is that we are not allowed to exclude or bypass any accounts from MFA without exception - although perhaps Microsoft will clarify this in future.  This method just uses the O365 MFA trusted IP address to bypass this CA excluded account.  Is this any different to just using conditional access to bypass based on location for this user?  It just seems like a different method for achieving the same thing to me.

cezarcretu We still have a conditional access policy that will be enforced for any users who are not excluded so only this account is affected.  The issue remains the Microsoft contractual obligation for MFA enforcement for all users.  

Hello Tristan Griffiths,

The problem with this method is that it will apply to all devices behind that public IP 

Thanks

Cezar

alankinane485 Exclude device account from Conditional Access policies. Add corporate IP address to "old" MFA trust list. Set device account MFA to Enabled. Enrol device account to MFA on sign in from another PC so that the account changes to "Enforced".

Unless we're totally thinking about this the wrong way, we believe this fulfils the "MFA for all" even if MFA is bypassed for your corporate IP. Could also use an app password with "old" MFA but we haven't found this to be required.

Hello alankinane485,

It's true, MFA is not supported on the Surface Hub as it will require a human to approve the authentication. Unfortunately I don;t have a solution for you at this point if you are required to have MFA enabled to all accounts. However, this is already under our radar and PG is looking for a solution. No ETA at this point

Thank you,

Cezar