OAuth 2.0 and third-party application ID: Timeline extended to June 30, 2022!
Published Apr 25 2019 10:40 AM
Microsoft

New implementation timeline: June 30, 2022

To provide our customers with best-in-class security across our services, Microsoft is implementing the use of Microsoft Identity Platform 2.0 (an evolution of the Azure Active Directory identity service), which uses the OAuth 2.0 authorization protocol. OAuth 2.0 is a method through which a third-party app can access web-hosted resources on behalf of a user, with the app identified by its own third-party application ID.

This change only impacts Skype for Business IP Phones certified under the 3PIP program.

Deployment Type                                                    | Impact Statement
-------------------------------------------------------------------|------------------------------------------------------------------------------------------------------
Skype for Business Online                                          | All phones must be updated and tenant admins must have approved the phone partner's App ID using the consent URL
Skype for Business On-Premises Hybrid (with Modern Auth deployed)  | All phones must be updated and tenant admins must have approved the phone partner's App ID using the consent URL
Skype for Business On-Premises Hybrid (no Modern Auth)             | No impact
Skype for Business On-Premises, no Hybrid                          | No impact

As a result of this change, Skype for Business IP Phone partners have made a code change to embed a partner-specific application ID in their firmware. The customer tenant admin will be required to confirm consent to allow the third-party phone application to be granted the necessary permissions (the same permissions currently being used by Skype for Business IP Phones).

[Screenshot: consent permissions]

Skype for Business IP Phone partners will provide customers with a partner-specific consent URL. The customer admin will need to perform a one-time, tenant-wide (all users) consent per IP Phone partner (i.e. one consent URL for Yealink, one consent URL for Crestron, etc.).

Microsoft IP Phone partners will post additional information via their own communication channels, including the firmware version that includes the necessary changes.

This change requires customers to perform a two-step process:

Step 1: Accept the permissions request using the consent URL (this can be done at any time).

Step 2: Upgrade all impacted phones to the firmware version communicated by the Microsoft IP Phone partner.

All certified Skype for Business IP phones must be updated by July 15th, 2020 (originally January 15th, 2020). Without the update, authentication to Microsoft services from IP Phones will fail. Specifically, signing in to the device via the web or using a user name/password on the phone will fail. Customers are encouraged to work with their certified Skype for Business IP Phone provider to make the update before the deadline.
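The consent step above is a one-time, tenant-wide grant, so two checks are worth having: one on the consent URL before an admin approves it, and one afterwards to confirm the grant was actually recorded for all users rather than for a single account. The Python below is an added example, not code from Microsoft's post or from any phone partner. `check_consent_url` validates that a partner-supplied URL points at the Azure AD admin consent endpoint (`login.microsoftonline.com/{tenant}/adminconsent`, or its `v2.0` form) over HTTPS and carries the App ID the partner published; `tenant_wide_grants` walks objects shaped like Microsoft Graph's `servicePrincipals` and `oauth2PermissionGrants` resources and returns the scopes of any `AllPrincipals` grant for that App ID. The App ID, object IDs, display names and scopes are constructed placeholders, and retrieving the Graph objects from your tenant is assumed to happen elsewhere.

```python
import re
from urllib.parse import parse_qs, urlparse

# Azure AD admin consent endpoint host; a consent URL for any partner should
# land here and nowhere else.
CONSENT_HOST = "login.microsoftonline.com"
GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.IGNORECASE)


def check_consent_url(url, expected_app_id):
    """Validate a partner-supplied admin consent URL before anyone clicks it.

    Accepts the v1 form  https://login.microsoftonline.com/{tenant}/adminconsent?client_id=...
    and the v2 form      https://login.microsoftonline.com/{tenant}/v2.0/adminconsent?client_id=...
    Returns (ok, problems); problems is an empty list when the URL is acceptable.
    """
    problems = []
    u = urlparse(url)
    if u.scheme != "https":
        problems.append("scheme is %r, expected https" % u.scheme)
    if (u.hostname or "").lower() != CONSENT_HOST:
        problems.append("host is %r, expected %s" % (u.hostname, CONSENT_HOST))
    segs = [s for s in u.path.split("/") if s]
    v1 = len(segs) == 2 and segs[1] == "adminconsent"
    v2 = len(segs) == 3 and segs[1] == "v2.0" and segs[2] == "adminconsent"
    if not (v1 or v2):
        problems.append("path %r is not an admin consent endpoint" % u.path)
    client_ids = parse_qs(u.query).get("client_id", [])
    if len(client_ids) != 1 or not GUID_RE.match(client_ids[0]):
        problems.append("client_id is missing, repeated, or not a GUID")
    elif client_ids[0].lower() != expected_app_id.lower():
        problems.append("client_id %s is not the partner's published App ID" % client_ids[0])
    return (not problems, problems)


def tenant_wide_grants(service_principals, grants, app_id):
    """Scopes of every tenant-wide grant held by the enterprise app with this App ID.

    service_principals: objects shaped like Graph GET /servicePrincipals (id, appId, ...).
    grants: objects shaped like Graph GET /oauth2PermissionGrants.
    Graph's oauth2PermissionGrant.clientId is the service principal's object id,
    not its appId, so the lookup is appId -> servicePrincipal.id -> grants.
    consentType 'AllPrincipals' is the tenant-wide ("on behalf of your organization")
    form; 'Principal' is one user's own consent and does not count here.
    An empty list means the one-time tenant-wide consent has not been recorded.
    """
    sp_ids = {sp["id"] for sp in service_principals
              if sp.get("appId", "").lower() == app_id.lower()}
    return [g.get("scope", "") for g in grants
            if g.get("clientId") in sp_ids and g.get("consentType") == "AllPrincipals"]


# Constructed sample data: placeholder GUIDs and scopes, not any partner's real App ID.
PARTNER_APP_ID = "11111111-2222-3333-4444-555555555555"
SAMPLE_SERVICE_PRINCIPALS = [
    {"id": "aaaaaaaa-0000-0000-0000-000000000001", "appId": PARTNER_APP_ID,
     "displayName": "Example 3PIP phone partner app"},
    {"id": "aaaaaaaa-0000-0000-0000-000000000002",
     "appId": "99999999-9999-9999-9999-999999999999", "displayName": "Unrelated app"},
]
SAMPLE_GRANTS = [
    {"clientId": "aaaaaaaa-0000-0000-0000-000000000001", "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "bbbbbbbb-0000-0000-0000-000000000001",
     "scope": "User.Read"},
    {"clientId": "aaaaaaaa-0000-0000-0000-000000000002", "consentType": "Principal",
     "principalId": "cccccccc-0000-0000-0000-000000000001",
     "resourceId": "bbbbbbbb-0000-0000-0000-000000000001", "scope": "User.Read"},
]

if __name__ == "__main__":
    urls = [
        "https://login.microsoftonline.com/common/adminconsent?client_id=" + PARTNER_APP_ID,
        "https://login.microsoftonline.com/organizations/v2.0/adminconsent?client_id="
        + PARTNER_APP_ID + "&scope=User.Read&state=phone-rollout",
        "https://login.microsoftonline.com.example.net/common/adminconsent?client_id="
        + PARTNER_APP_ID,  # look-alike host: must be rejected
    ]
    for url in urls:
        ok, problems = check_consent_url(url, PARTNER_APP_ID)
        print("OK  " if ok else "FAIL", url, problems)
    print("tenant-wide scopes:",
          tenant_wide_grants(SAMPLE_SERVICE_PRINCIPALS, SAMPLE_GRANTS, PARTNER_APP_ID))
```

The second function is the one to keep around after the rollout: the enterprise app appearing under Enterprise Applications only proves a service principal exists, while a grant with `consentType` of `AllPrincipals` is what makes the consent apply to every user the phones sign in as.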

134 Comments
Copper Contributor

My understanding would be that if you are on-premises only, you do not have to worry about having to update your firmware for OAuth 2.0, as you would be unaffected; it is SFB O365 that is.

Brass Contributor

No, you would still need to update your firmware and accept the Poly phone agreement.  For MA to work with Skype on prem, it sends your request to Azure STS.

https://techcommunity.microsoft.com/t5/Skype-for-Business-Blog/Hybrid-Modern-Authentication-for-Skyp...

So you can use MFA, 3rd party IdP, etc with Skype on-prem.  The issue here is that, if you are doing this, and MFA is only supported with Poly phones using web sign-in, you're kind of stuck because you can't use web sign-in with an on-prem deployment.

Copper Contributor

@oradcliffe  you can actually use Web Sign-In with SfB onprem, please check https://documents.polycom.com/bundle/ucs-sfb-dg-5-9-0/page/c-ucs-sfb-web-sign-in-for-skype-for-busin...

Note: Web Sign In for Skype for Business Server is supported only when the Hybrid Modern Authentication (HMA) environment is enabled. To use the capability of HMA with Skype for Business On-Premises, AAD should be federated with Azure AD. For more information on configuring HMA in your environment, refer to Hybrid Modern Authentication for Skype for Business.

Brass Contributor

@Leonardo Mezzanotti - thank you, that slipped my mind.  Makes sense actually.  But that means no third party IdP?  For example, I couldn't have Skype on prem with Okta doing the auth, right?  So SfB on prem -> Azure STS -federated with-> Okta

Copper Contributor

I do not see an issue by using 3rd party IdPs with Web Sign-In, it should work and VVX should receive the tokens but I'll leave for @Adam Jacobs for confirmation.

I agree @Leonardo Mezzanotti this should work

Copper Contributor

@Adam Jacobs

@Jeff_Schertz ,

Our Polycom Group Series 500 currently have Software Version Release - 6.1.4-400053.

Can you confirm this version is not the good one?

Is 6.2.2.1-600016 a supported one for this change?

Thanks in advance for your feedback.

Regards,

Hans

@Hmerckx 6.2.1.1 includes the new App ID

Iron Contributor

To add some detail:

  • The 6.1 firmware you are using is fine at the moment as it's using the (still supported) legacy authentication.
  • If you upgrade the GS to 6.2.1.1 you'll need to approve the app first, as that version does not support the legacy authentication model.
  • If you do not upgrade the GS firmware then on Jan 15th it will likely stop working with Skype for Business as that's when Microsoft plans to remove the legacy authentication support.

Copper Contributor

Hi @Adam Jacobs & @Jeff_Schertz ,

My question was also if the newer version 6.2.2.1-600016 on the Polycom GS 500 will work with the App ID or does it need to be exactly the older 6.2.1.1 that you describe?

FYI, we approved the consent already and other Polycom models we have in use are updated already to the correct software version.

Thanks in advance for your feedback.

Regards,

Hans

Brass Contributor

Has Microsoft updated their provisioning service to push out ver 5.9.4.3247 for VVX phones? I've consented and have the Poly app showing on Enterprise apps screen.  But my VVX phones are still on 5.9.0.9373.  I use the auto update feature.  Do you know if this will be done prior to Jan 15 2020?

Thanks

Iron Contributor

@Hmerckx Support for app authentication was first added in 6.2.1.1, so any version including this or newer will work now and after Jan.

Copper Contributor

Hi

Just received word from MS support that the deadline has been delayed until the end of January rather than Jan 15th. Can someone confirm that this is indeed the case?

Larry

Iron Contributor

Personally I would plan for the date they have officially communicated, not what someone from support might have told you (even if it's true).  On that note though Microsoft typically waits until after the posted date to perform the change anyway.  Case in point: 3DES support was supposed to be removed from O365 last July and for whatever reason it didn't actually occur until October, so likely there will be some delay on this change in Jan.

But that being said, I would not risk it at all.  Get your devices upgraded to the supported versions and the apps approved from all vendors you use ASAP.

Brass Contributor

Just a little over 1 week everyone, don't forget ;) 

Brass Contributor

Thanks for the bump!

https://techcommunity.microsoft.com/t5/skype-for-business-blog/oauth-2-0-and-third-party-application...

Is this the latest Polycom version matrix? Can someone share at their convenience?

Copper Contributor

I have also completed the Poly App approval; it does show in my Azure Enterprise Apps correctly as described above, and just today I deployed a new Polycom VVX411. After web login, a firmware update notice was received and pushed by SFB Online, and the device updated to firmware ver 5.9.0.9373 but no higher....really?  Is Microsoft going to leave us all disconnected after Jan 15th, or do we need to manually disable SFB updates and then manually update each device?  If anyone has any recent good news, help!

Iron Contributor

@ThiryDB I'll bring this up with Microsoft again.  They should not be pushing a version older than 5.9.4 as this obviously will cause a problem after they remove the current access method.

Also, remember that Exchange Online is also impacted as this new app is applicable to anything in Office 365.  So, even if an environment is using SfB Server (w/o Hybrid Modern Authentication in place) if Exchange Online is used to store the phone's mailbox then the new app and new firmware versions must be used.  Otherwise the phone will lose calendar/mailbox access in that scenario.

This isn't just about SfB Online; Exchange Online is equally impacted here.

Brass Contributor

@Jeff_Schertz - Our service team is thankful for the delay. My colleague has done additional testing with SfB on-prem with associated Exchange Online mailbox and when we authenticate using web UI username/password (not web sign-in @ aka.ms/sphone), the connection to EXO is using OAuth.

Iron Contributor

Does anyone know when the deadline was shifted to 15 July? Looks like it was done yesterday. We just finished our upgrades and realized that we still have 6 months left)))

Iron Contributor

It was just changed last Friday (1/10).

Iron Contributor

@Tristan Griffiths I believe the 'OAuth' portion of this change is what's causing a bunch of confusion.  Technically, it's irrelevant.  What is relevant is that Microsoft originally provided access for 3PIP phones to O365 resources and authentication via a built-in Azure enterprise app which all 3PIP-qualified IP phones from all partners have been using.  They want to change that so that the IP phones will only leverage a new, per-vendor app that customers can manage themselves (provide consent on a per-vendor level, and remove the app if desired).  The fact that OAuth 2.0 and Identity Platform 2.0 are involved is really moot, as there is only one course of action: move to the new app model before they disable the old one.

New firmware versions for impacted devices, once updated, will only use the new app and not the old.  So the process is:

1. Approve the third-party vendor app(s) for the device you have.

2. Update one device to at least minimum supported firmware version, or anything newer.

3. Test.

4. Update all devices so that none remain on older versions which can only use the original app as these will stop working at some point.

Once you get there, then it doesn't matter if/when Microsoft performs this change as you'll no longer be leveraging the old app.

Brass Contributor

@Jeff_Schertz was working on the assumption that phones were still using basic auth (no app ID involved) with Office 365 in some scenarios. Your response and our testing makes it clear now what we need to do with our customers and the delay to July is certainly welcome.

Copper Contributor

Hi All

Can someone please confirm the below for everyone:

All certified Skype for Business IP phones must be updated by July 15th, 2020 (originally January 15th, 2020). Without the update, successful authentication to Microsoft services on IP Phones will fail. Specifically, signing to the device via web or using a user name/password on the phone will fail. Customers are encouraged to work with their certified Skype for Business IP Phone provider to make the update before the deadline.

Brass Contributor

@Larry Thomas

That's true only for users hosted on MS cloud. Users hosted on-prem will lose access to their calendar\voicemail from the phone, but they will be able to sign in.

Iron Contributor

@Larry Thomas 

I'm not sure what you're asking to confirm as that summary is essentially what this entire article is about.  What needs to be done I explained just two responses up from yours.

In short: On that date all affected phones will no longer be able to connect to Skype for Business Online or Exchange Online, regardless of the manufacturer, model, firmware version, or authentication method.  Additionally Skype for Business Server deployments which have Hybrid Modern Authentication enabled will also be impacted.

To prevent any connection issues (1) the new app must be approved in the O365 tenant and (2) each device upgraded to the minimum supported firmware version.

Copper Contributor

Ok thanks Jeff

I guess my earlier information that I received from MS Support was indeed correct.

Copper Contributor

We have already completed the tenant-wide consent.  We have hundreds of Polycom VVX phones on our Skype for Business 100% Online phone system. I am concerned if there are any other actions we need to take .  I assume Microsoft will certify the Poly 5.9.4 version and deploy it to us before the July 15th deadline?? Please advise! 

Copper Contributor

I am curious to know if MS will push back this date given the COVID19 work companies are dealing with.  We are operating under the assumption that the OAuth 2.0 requirement will cause Basic Auth to fail on July 15th for Environments running Skype on-prem, EXO, and Poly handsets for EWS functionality.  

Iron Contributor

@jbishop0511 Most likely the SfB Online Device Updates services will be disabled prior to that event to prevent any incorrect versions being pushed back onto phones which would then break registration on them.

@kevinmoran Regardless of whether Microsoft moves the date back or not you shouldn't be running outdated firmware on your phones.  Any firmware releases from 5.9.4 and newer (including 6.x) can only connect to Office 365 using the app model so once they are upgraded and the app is approved in the tenant then it's moot when Microsoft removes the legacy method.

Microsoft

Due to the current situation, this change has been postponed until further notice. The original post has been updated with this notification.

Copper Contributor

Hi @Jeff_Schertz 

Do you know why Microsoft publishes older firmware versions on their website than the ones we should use on our phone in order to be compliant for the upcoming changes (whenever that will be)?

Source: https://docs.microsoft.com/en-us/skypeforbusiness/certification/devices-ip-phones#desk-phones

Thanks for your feedback!

Iron Contributor

CX5500 firmware has just been released (1.3.5) which includes support for the new third-party app.

https://support.polycom.com/content/support/north-america/usa/en/support/voice/cx/cx5100.html
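Several comments in this thread give the firmware floor per device family: 5.9.4 for VVX phones, 6.2.1.1 for Group Series, and 1.3.5 for the CX5500, with anything older only able to use the original built-in app. As an added example (not code from the thread, from Microsoft or from Poly), the Python below runs that check over an inventory list so nothing is left on a version the auto-update service may have rolled a phone back to, and flags any family the thread gives no floor for instead of assuming one. The inventory rows and device names are constructed sample data; the version parser assumes Poly's dotted `major.minor.patch[.build]` form with an optional `-<build>` suffix, as seen in the versions quoted above.

```python
import re

# Minimum firmware per device family, as quoted in the comments above
# (VVX 5.9.4, Group Series 6.2.1.1, CX5500 1.3.5). Families not discussed in
# the thread are deliberately absent and get flagged rather than assumed.
MIN_FIRMWARE = {
    "VVX": "5.9.4",
    "GroupSeries": "6.2.1.1",
    "CX5500": "1.3.5",
}


def parse_version(text):
    """Turn a Poly-style version such as '5.9.0.9373' or '6.1.4-400053' into an
    int tuple. Anything after '-' is a build stamp and is ignored here, so
    '6.2.2.1-600016' compares as (6, 2, 2, 1)."""
    numeric = text.split("-", 1)[0].strip()
    if not re.fullmatch(r"\d+(?:\.\d+)*", numeric):
        raise ValueError("unrecognised firmware version: %r" % text)
    return tuple(int(part) for part in numeric.split("."))


def meets_minimum(family, version):
    """True if version is at least the floor for its family. Python tuple
    comparison handles the uneven lengths: (5, 9, 4, 3247) >= (5, 9, 4) is True
    and (5, 9, 0, 9373) >= (5, 9, 4) is False."""
    return parse_version(version) >= parse_version(MIN_FIRMWARE[family])


def devices_needing_upgrade(inventory):
    """Return (name, family, version, minimum) for each device that must be
    upgraded before the legacy app is removed. Devices whose family has no
    known floor are reported with minimum=None so they are not silently skipped."""
    findings = []
    for name, family, version in inventory:
        minimum = MIN_FIRMWARE.get(family)
        if minimum is None or not meets_minimum(family, version):
            findings.append((name, family, version, minimum))
    return findings


# Constructed sample inventory; names and versions are illustrative only.
SAMPLE_INVENTORY = [
    ("lobby-vvx411", "VVX", "5.9.0.9373"),            # the version auto-update pushed in the thread
    ("desk-vvx501", "VVX", "5.9.4.3247"),             # at the floor, fine
    ("boardroom-gs500", "GroupSeries", "6.1.4-400053"),
    ("huddle-gs500", "GroupSeries", "6.2.2.1-600016"),
    ("training-cx5500", "CX5500", "1.3.5"),
    ("unknown-model", "Unlisted", "1.0.0"),           # no floor known: flagged, not assumed
]

if __name__ == "__main__":
    for name, family, version, minimum in devices_needing_upgrade(SAMPLE_INVENTORY):
        print("%-18s %-12s %-16s needs >= %s" % (name, family, version, minimum or "unknown floor"))
```

Feed it whatever export your device management or provisioning system produces (name, family, firmware string) and re-run it after each update wave; a phone that reappears on the list after passing once is the rollback case the thread describes.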

Microsoft

Timeline extended to June 30, 2022! 

Last update: Jun 07 2021 10:59 AM