Conditional Access and the SurfaceHub

Anthony Wicks
New Contributor

Hi Folks, just wanted to check if anyone has experienced problems with using O365 on SurfaceHubs whilst having Conditional Access in place?  We are using O365 and Enterprise Mobility + Security suite, and various policies in place which require a form of compliance and Domain/Workplace join...

 

However, we've set up the SurfaceHub with a device account which is licensed for Skype for Business (Plan 2) and using Domain security groups for access to Settings, etc. so it's recognised by the Domain Services. But when going into O365, we get the 'you can't get there from here' error message. We've an open ticket with Microsoft Premier Support but if anyone has any insights, it'd be greatly appreciated!

5 Replies

Hi Anthony,

 

I have this exact same issue. Exchange Online protected with Intune conditional access, which seems to prevent anyone using the Office 365 welcome screen sign-in. Surface Hub is domain joined (local AD not Azure AD).

 

Raised this issue with premier support over 2 months ago and it has been passed over to the elusive 'product group'. Zero response so far.

 

Did you manage to get this working at all or are you still waiting on a resolution from Microsoft also?

 

Thanks

 

Arian

Have you had any luck yet? 

We are having exactly the same issue.

We learned that the only way to get it to work is to exclude the IP address from the requirement to use a compliant device.

 

We have multiple of these devices so I tried multiple scenarios.

Our environment has an on-premises AD synced with ADConnect towards O365.

Exchange & Skype running in the cloud.

Conditional access enabled via Intune.

On-premises ADFS used for authentication of federated accounts.

 

What worked:

- Join the Surface Hub in the on-premises AD and assign the proper licenses to the account (synced with ADConnect).

- Join the Surface Hub in Azure AD only with an unfederated account and also assign the licenses.

 

The device logs on and shows up in Skype in both scenarios.

 

Logging in as a user (show my meeting/files) doesn't work -> you get the mentioned error message.

Excluding the device via its IP address in CA and then everything works (for both join types).

 

I'm looking at how to make the device trusted (Compliant) in Intune, however, so we don't have to go the IP-exclusion route, as IP-exclusion scenarios look very outdated and don't work in our case, using a cloud-based proxy in between with dynamic addressing.

 

Cheers,

Frank

 

So I finally got some awesome, terrible news on this matter this week. The Surface Hubs, when connected to AD DS, and using Intune for Device Compliance, or even the Hybrid-Azure AD Joined CA requirement, will show as not compliant for everyone except the account that is joined as the MDM account. The support team told me that the Surface Hubs are built on RS2 of Windows 10, and the only way those devices will be shown as compliant in a CA policy, consistently, is to Azure AD join them. The problem we have, well the main concern out of the 10+ reasons not to do this for us, is that now we have to look at opening up the Azure AD Device Administrators Role, for a handful of these devices. Terrible solution.

With the latest update of Intune (April 23rd) it looks like the Surface Hub is now supported for conditional access, but exact details are not clear to me (yet):

 

https://docs.microsoft.com/en-us/intune/whats-new#support-for-user-less-devices-

 

 

 

 

 
