To provide our customers with best-in-class security across our services, Microsoft is implementing the use of Microsoft Identity Platform 2.0 (an evolution of the Azure Active Directory identity service), which uses the OAuth 2.0 authorization protocol. OAuth 2.0 is a method through which a third-party app can access web-hosted resources on behalf of a user, identified by its own third-party application ID.

This change only impacts Skype for Business IP Phones certified under the 3PIP program.

Deployment Type | Impact Statement
--- | ---
Skype for Business Online | All phones must be updated and tenant admins must have approved the phone partner's App ID using the consent URL
Skype for Business On-Premises Hybrid (With Modern Auth Deployed) | All phones must be updated and tenant admins must have approved the phone partner's App ID using the consent URL
Skype for Business On-Premises Hybrid (No Modern Auth) | No Impact
Skype for Business On-Premises No Hybrid | No Impact

As a result of this change, Skype for Business IP Phone partners have made a code change to embed the partner-specific application ID in their firmware. The customer tenant admin will be required to confirm consent to allow the third-party phone application to be granted the necessary permissions (the same permissions currently being used by Skype for Business IP Phones).

[Image: consent permissions.png]

Skype for Business IP Phone partners will provide customers with a partner-specific consent URL. The customer admin will need to perform a one-time, tenant-wide (all users) consent per IP Phone partner (i.e. one consent URL for Yealink, one consent URL for Crestron, etc.).

Microsoft IP Phone partners will post additional information via their own communication channels, including the firmware version that includes the necessary changes.

This change requires customers to perform a two-step process:

Step 1: Accept the permissions request using the consent URL (can be done at any time)

Step 2: Upgrade all impacted phones to the firmware version communicated by the Microsoft IP Phone partners

All certified Skype for Business IP phones must be updated by January 15, 2020. Without the update, authentication to Microsoft services from IP Phones will fail. Specifically, signing in to the device via web sign-in or using a user name/password on the phone will fail. Customers are encouraged to work with their certified Skype for Business IP Phone provider to make the update before the deadline.
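The consent URL grants a partner's App ID delegated permissions for every user in the tenant, and the comments below raise the question of how broad that grant is. As an added example (not code from the original post, from Microsoft, or from any phone partner), the following PowerShell script lists what a partner's App ID was actually granted once the admin has accepted the consent URL: each delegated scope, whether the consent was tenant-wide, and any application permissions, which a sign-in-on-behalf-of-a-user flow such as a phone's should not need. It assumes the AzureAD PowerShell module is installed and the signed-in account can read service principals; the partner name "Yealink" is only a sample search string taken from the post's list of partners, and the match is on display-name prefix.

```powershell
# Added example, not code from the original post or from Microsoft or any phone partner.
# Lists the permissions a partner App ID holds in this tenant after the consent URL
# has been accepted, so the grant can be reviewed rather than assumed.
# Assumptions: AzureAD module installed; $PartnerName is a display-name prefix and
# "Yealink" is only a sample value from the post's list of partners.
param(
    [string]$PartnerName = "Yealink"
)

Import-Module AzureAD -ErrorAction Stop
Connect-AzureAD | Out-Null

# Consent creates a service principal for the partner app inside the tenant.
$principals = Get-AzureADServicePrincipal -SearchString $PartnerName
if (-not $principals) {
    Write-Warning "No service principal whose display name starts with '$PartnerName'; consent may not have been granted yet."
    return
}

foreach ($sp in $principals) {
    Write-Host "App: $($sp.DisplayName)  AppId: $($sp.AppId)"

    # Delegated permissions: the app acts on behalf of the signed-in user and can
    # reach only what that user can reach. ConsentType 'AllPrincipals' means an admin
    # consented once for every user in the tenant, which is what the consent URL does.
    $grants = Get-AzureADServicePrincipalOAuth2PermissionGrant -ObjectId $sp.ObjectId -All $true
    foreach ($g in $grants) {
        $resource = Get-AzureADObjectByObjectId -ObjectIds $g.ResourceId
        [pscustomobject]@{
            Kind       = 'Delegated'
            Resource   = $resource.DisplayName
            TenantWide = ($g.ConsentType -eq 'AllPrincipals')
            Scope      = $g.Scope          # space-separated delegated scope names
        }
    }

    # Application permissions: the app acts as itself with no user in the loop.
    # A phone sign-in flow does not need these, so any row here deserves a closer look.
    $roles = Get-AzureADServiceAppRoleAssignedTo -ObjectId $sp.ObjectId -All $true
    foreach ($r in $roles) {
        [pscustomobject]@{
            Kind       = 'Application'
            Resource   = $r.ResourceDisplayName
            TenantWide = $true
            Scope      = $r.Id             # app role id defined on the resource
        }
    }
}
```

Run it once per partner after accepting that partner's consent URL, and compare the Scope column against the permissions shown on the consent page; a delegated grant with TenantWide set to True and no Application rows is the shape the post describes.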

32 Comments

Could this be clarified if it's actually for Skype for Business Online only - based on the explanation, assume Skype for Business is actually unaffected (i.e. the on-prem one)?

Will it be the same app / consent grant for all phones, or specific per provider? Can you provide the link?

@Tom Morgan each phone partner has to create their own App ID and the admin has to grant permission for all.

 

@Adam Fowler only if you configured OAuth for on-prem also.

Contributor

Suggestion:  instead of publishing an article giving a brief synopsis of something that will be "effective immediately" and "if you don't do this by 'X' date, logins will fail", include the pertinent information for IT Professionals and Service Owners to act accordingly.

 

  • What firmware versions are required per vendor?
  • Are AppIDs per vendor, per phone model, or other?
  • What S4B topologies does this impact?
  • How does this apply to ExO, specifically regarding Web Services access.
  • How are the AppIDs configured and added to the Office365 tenant/Azure AD?
  • How does this impact LPE devices or non 3PIP devices?

I cannot emphasize how frustrating it is for customers (and partners) to receive messaging from the PG like this - which causes an immediate knee-jerk reaction - and then have to sift through subsequent communications for pertinent details on implementation.

 

Measure twice, cut once - you're doing us all (including yourselves) a favor.

Hi Folks, some more background on this article here

 

Senior Member

Audiocodes will have a new firmware available shortly

 

Tom Arbuthnot has done a good post here explaining the change, with links to each vendor as they release the firmware: https://tomtalks.blog/2019/04/all-skype-for-business-ip-phones-must-be-firmware-updated-by-july-1st-...

Occasional Visitor
Our Polycom phones firmware is currently managed by Microsoft directly (we don't have our own provision server). Will Microsoft be releasing the new firmware for our phones so these update automatically?
Microsoft

@ElectroRich Yes, we will post the Polycom firmware as soon as it is available. 

Occasional Contributor

Will Microsoft push the release out to Polycom phones (automatic update) or will you just post a link?  We use Microsoft as the provisioning server and they normally only push out the major release # 5.7, 5.8, 5.9.  My understanding is the update will be 5.9.3.

 

Thanks


@Diana_Vank wrote:

To provide our customers with best-in-class security across our services, Microsoft is implementing the use of Microsoft Identity Platform 2.0 (an evolution of the Azure Active Directory identity service) which uses the OAuth 2.0 authorization protocol. OAuth 2.0 is a method through which a third-party app can access web-hosted resources on behalf of a user, through a third-party application ID.

This change only impacts Skype for Business IP Phones certified under the 3PIP program.

Deployment Type | Impact Statement
--- | ---
Skype for Business Online | All phones must be updated by July 1st and tenant admins must have approved the phone partner's App ID using the consent URL
Skype for Business On-Premises Hybrid (With Modern Auth Deployed) | All phones must be updated by July 1st and tenant admins must have approved the phone partner's App ID using the consent URL
Skype for Business On-Premises Hybrid (No Modern Auth) | No Impact
Skype for Business On-Premises No Hybrid | No Impact

As a result of this change, Skype for Business IP Phone partners have made a code change to embed the partner-specific application ID in their firmware. The customer tenant admin will be required to confirm consent to allow the third-party phone application to be granted the necessary permissions (the same permissions currently being used by Skype for Business IP Phones).

[Image: consent permissions.png]

Skype for Business IP Phone partners will provide customers with a partner-specific consent URL. The customer admin will need to perform a one-time, tenant-wide (all users) consent per IP Phone partner (i.e. one consent URL for Yealink, one consent URL for Crestron, etc.).

Microsoft IP Phone partners will post additional information via their own communication channels, including the firmware version that includes the necessary changes.

This change requires customers to perform a 2-step process:

Step 1: Accept permissions request using the consent URL (can be done at any time)

Step 2: Upgrade all impacted phones to the firmware version communicated by the Microsoft IP Phone partners

All certified Skype for Business IP phones must be updated by July 1st, 2019. Without the update, successful authentication to Microsoft services on IP Phones will fail. Specifically, signing in to the device via web or using a user name/password on the phone will fail. Customers are encouraged to work with their certified Skype for Business IP Phone provider to make the update before the deadline.

Microsoft

Official posts which includes the partner specific consent URL:

Crestron

AudioCodes

Yealink

Poly

Regular Visitor

@Diana_Vank Trying to settle a discussion with some of our team. The discussion is whether basic authentication to Office 365 will be unaffected by Microsoft's OAuth/AppID change.

 

On a Poly(com) VVX/Trio UC device when authenticating to Office 365:

1. Modern Auth is used by the "Web Sign-In" feature and https://aka.ms/sphone application.

2. Basic Auth is used when entering credentials via the web browser/server interface option Settings->Skype for Business Sign-in.

 

After a firmware update to 5.9.3+, we're expecting devices using method #1 will be forcibly signed-out and users will be required to re-authenticate (with administrator approval of new appID) --- CONFIRMED https://techcommunity.microsoft.com/t5/Skype-for-Business-Blog/OAuth-2-0-and-third-party-application...

 

We're expecting nothing will change with method #2 (phones happily keep basic auth-ing).

 

Does this sound correct? If not, will edit/remove this post so that false info isn't out there :)

Frequent Visitor
Any update on the Polycom VVX and Trio firmware? I see Polycom UC Software 6.0.0.4796 already available on their website. This versioning seems greater than the "5.9.3" posted above. Does that mean it'll work with Microsoft's Modern Auth/OAuth 2.0 changes post-July 1st?

Hi All,

 

Some more updates from Poly (Polycom).

1. We're working with Microsoft to push the new UCS builds (via Skype for Business Online Update) that incorporate the new App ID.

2. We have an official announcement coming hopefully by the end of this week. Refer to my blog in the interim for updates.

3. Initial testing suggests the users will not be logged out when the upgrade is completed, provided the consent is performed prior to roll-out and before the cut-off date.

 

I hope this helps!

 

- Adam

Regular Visitor

@phake Don't think 6.0.0 has the App ID change. Also note support for many older VVX models ends with 6.0.0 - http://downloads.polycom.com/voice/voip/uc_sw_releases_matrix.html

Version guidance below:

Device name    Software Version   Timeline
VVX Phones     5.9.3              Mid-May
Poly Trio      5.9.0 Rev AB       Mid-May
Group Series   6.2.1.1            Mid-June

Frequent Visitor

@Tristan Griffiths and @Adam Jacobs - 6.0.0.4796 is confusing as you'd think it would logically have the App ID changes. Very confusing! I'll wait for 5.9.3.

 

We currently have Skype on-premises (Modern Auth) enabled and Exchange Online (Modern Auth enabled) for some users, and our VVX 501s are working. EWS is not - will 5.9.3 save the day in that regard?

Hi @phake totally understand the confusion, 6.x is part of a different fork which is yet to be certified for Skype for Business (which is why this is not published on the Skype for Business VVX f/w page). 6.x will be certified in the future though, stay tuned.

 

Regarding the issue you're having, this is not expected and should work with the existing App ID. Please raise a support ticket and we can dig into this further.

 

Occasional Visitor

One big problem with this is we now have to assess Polycom as a sub-processor of data, because consenting to the app permissions gives the app full access to all users' mailboxes, which could lead to a data breach if the Polycom service and app is breached. How can we ensure the app is secure, and how do we get validation the app will not explore, use or digest information in users' mailboxes?

Regular Visitor

@Graham705 ideally Polycom/Crestron/AudioCodes/Yealink would link to a terms and conditions/privacy document. Looks like they have opted to not provide one.

[Image: Capture.PNG]

Occasional Visitor

@Tristan Griffiths  Yeah, hence why no one should accept this. You are giving the app full mailbox access to every user. Without a contract in place with the app vendor or a suitable privacy and terms of use policy, most companies should not allow this access. Microsoft need to address this. It would be fine if the app only needed access to read and write calendar events but allowing full mailbox access gives way to significant risk of data breach.

Frequent Visitor

Ah, thanks so much for the clarification @Adam Jacobs. !

 

RE: current VVX 501s and our recent Skype for Business on-premises enabling of HMA, I'm digging into the VVX 501 logs to find out why it's not allowing the EWS + OAuth magic, and will put in a Polycom ticket. Thanks. Any links or obvious config I'm missing will greatly help 300+ people!

Hi All, official tech advisory published by Poly here 

Microsoft

Please note deadline change in the original post, now January 15, 2020

Occasional Contributor

So to confirm the firmware update is no longer required by July 1, 2019 but rather January 15th. Is that correct?

Microsoft

@Larry Thomas correct!

Folks - minor update to a statement I made above:

 

Hi All,

 

Some more updates from Poly (Polycom).

1. We're working with Microsoft to push the new UCS builds (via Skype for Business Online Update) that incorporate the new App ID.

2. We have an official announcement coming hopefully by the end of this week. Refer to my blog in the interim for updates.

3. Initial testing suggests the users will not be logged out when the upgrade is completed, provided the consent is performed prior to roll-out and before the cut-off date. <- the latter is only true for users that signed-in locally on the device. For users that signed-in with Web Sign-in they will be logged out, this is due to the fact that their credentials are not cached on the device and so tokens cannot be renewed without intervention

 

I hope this helps!

 

- Adam

Occasional Visitor

As this shift into using an AppID seems to be inline with OAuth authentication in general, does this mean that devices should not have to re-authenticate when a user password has expired/changed as it'll be using a token created specifically for that User/AppID at time of sign in?

 

I noticed @Graham705's comment on mailbox access. I suspect this is required for the voicemail access due to how the devices access/manage the voicemail. Is that correct? My understanding is that while you are granting the AppID access to mailboxes as the signed-in user, it would mean that the device would only have access to the mailbox that user has access to, not every mailbox on the platform (unless that user has that level of access).

 

Cheers

Occasional Visitor

@Diana_Vank Which post mentions the date being moved to January 15th?

Occasional Visitor

@msabat The main post at the top has had the date changed, and it is now marked in bold.

Occasional Visitor

"Specifically, signing to the device via web or using a user name/password on the phone will fail."

 

I’d be curious to learn whether that goes for PIN authentication as well.

Regular Visitor

@msabat Extension+PIN authentication is unaffected. Only authentications using ADAL/Modern Auth/OAuth are affected.