OAuth 2.0 and third-party application ID: Timeline extended to June 30, 2022!
Published Apr 25 2019 10:40 AM
Microsoft

New implementation timeline: June 30, 2022

To provide our customers with best-in-class security across our services, Microsoft is implementing the use of Microsoft Identity Platform 2.0 (an evolution of the Azure Active Directory identity service), which uses the OAuth 2.0 authorization protocol. OAuth 2.0 is a method through which a third-party app can access web-hosted resources on behalf of a user, with the app identified by its own third-party application ID.

This change only impacts Skype for Business IP Phones certified under the 3PIP program.

Deployment Type                                                    | Impact Statement
-------------------------------------------------------------------|-----------------
Skype for Business Online                                          | All phones must be updated and tenant admins must have approved the phone partner's App ID using the consent URL
Skype for Business On-Premises Hybrid (With Modern Auth Deployed)  | All phones must be updated and tenant admins must have approved the phone partner's App ID using the consent URL
Skype for Business On-Premises Hybrid (No Modern Auth)             | No Impact
Skype for Business On-Premises No Hybrid                           | No Impact

As a result of this change, Skype for Business IP Phone partners have made a code change to embed the partner-specific application ID in their firmware. The customer tenant admin will be required to confirm consent so that the third-party phone application is granted the necessary permissions (the same permissions currently being used by Skype for Business IP Phones).

[Image: consent permissions.png]

Skype for Business IP Phone partners will provide customers with a partner-specific consent URL. The customer admin will need to perform a one-time, tenant-wide (all users) consent per IP Phone partner (i.e., one consent URL for Yealink, one consent URL for Crestron, etc.).

Microsoft IP Phone partners will post additional information via their own communication channels, including the firmware version that includes the necessary changes.

This change requires customers to perform a two-step process:

Step 1: Accept the permissions request using the consent URL (can be done at any time)

Step 2: Upgrade all impacted phones to the firmware version communicated by the Microsoft IP Phone partners

All certified Skype for Business IP phones must be updated by July 15th, 2020 (originally January 15th, 2020). Without the update, authentication to Microsoft services from IP Phones will fail. Specifically, signing in to the device via web sign-in or using a user name/password on the phone will fail. Customers are encouraged to work with their certified Skype for Business IP Phone provider to complete the update before the deadline.
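Because the phones only work once the one-time, tenant-wide consent exists for every partner App ID, an admin can verify that state before the firmware rolls out. The following is an added example (not code from the post or from any phone partner) that classifies each partner App ID from records shaped like Microsoft Graph servicePrincipal and oauth2PermissionGrant objects; the Graph data is constructed sample data, the Yealink GUID and scope names are placeholders, and only the Poly App ID is taken from this thread.

```python
# Added example: verify tenant-wide admin consent for IP phone partner App IDs.
# Records mimic Graph servicePrincipal / oauth2PermissionGrant objects but are
# constructed sample data, not the output of a live query.
from dataclasses import dataclass

# Partner App IDs to verify. The Poly GUID is the one quoted in a device log
# later in this thread; the Yealink GUID is a placeholder, not a real App ID.
PARTNER_APPS = {
    "Poly": "a850aaae-d5a5-4e82-877c-ce54ff916282",
    "Yealink": "00000000-0000-4000-8000-00000000abcd",  # placeholder
}

# Constructed sample of GET /servicePrincipals?$select=id,appId,displayName.
# A service principal for the app exists only once consent was completed.
SERVICE_PRINCIPALS = [
    {"id": "sp-poly-0001", "appId": "a850aaae-d5a5-4e82-877c-ce54ff916282",
     "displayName": "Polycom - Skype for Business Certified Phone"},
]

# Constructed sample of GET /oauth2PermissionGrants. consentType "AllPrincipals"
# is a tenant-wide admin grant; "Principal" is one user's self-consent only.
PERMISSION_GRANTS = [
    {"clientId": "sp-poly-0001", "consentType": "AllPrincipals",
     "resourceId": "rs-exchange", "scope": "Sample.Scope.A Sample.Scope.B"},
]


@dataclass(frozen=True)
class ConsentStatus:
    partner: str
    app_id: str
    state: str  # "missing-sp", "no-grant", "user-only" or "tenant-wide"
    scopes: tuple = ()


def check_consent(partners, service_principals, grants):
    """Classify each partner App ID by the consent actually present."""
    sp_by_app = {sp["appId"].lower(): sp for sp in service_principals}
    results = []
    for partner, app_id in partners.items():
        sp = sp_by_app.get(app_id.lower())
        if sp is None:
            results.append(ConsentStatus(partner, app_id, "missing-sp"))
            continue
        app_grants = [g for g in grants if g["clientId"] == sp["id"]]
        wide = [g for g in app_grants if g["consentType"] == "AllPrincipals"]
        if wide:
            # Surface granted scopes so the admin can review what the phone
            # app may do on behalf of every user in the tenant.
            scopes = tuple(sorted({s for g in wide for s in g["scope"].split()}))
            results.append(ConsentStatus(partner, app_id, "tenant-wide", scopes))
        elif app_grants:
            results.append(ConsentStatus(partner, app_id, "user-only"))
        else:
            results.append(ConsentStatus(partner, app_id, "no-grant"))
    return results


def partners_needing_action(results):
    """Partners whose phones would fail sign-in once the new firmware lands."""
    return [r.partner for r in results if r.state != "tenant-wide"]


if __name__ == "__main__":
    report = check_consent(PARTNER_APPS, SERVICE_PRINCIPALS, PERMISSION_GRANTS)
    for r in report:
        print(f"{r.partner:8} {r.state:12} scopes={' '.join(r.scopes) or '-'}")
    print("needs consent:", partners_needing_action(report))
```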

Comments (133)
Iron Contributor

Could this be clarified if it's actually for Skype for Business Online only - based on the explanation, assume Skype for Business is actually unaffected (i.e. the on-prem one)?

Will it be the same app / consent grant for all phones, or specific per provider? Can you provide the link?

@Tom Morgan each phone partner has to create their own App ID and the admin has to grant permission for all.

 

@Adam Fowler only if you configured OAuth for on-prem also.

Iron Contributor

Suggestion:  instead of publishing an article giving a brief synopsis of something that will be "effective immediately" and "if you don't do this by 'X' date, logins will fail", include the pertinent information for IT Professionals and Service Owners to act accordingly.

 

  • What firmware versions are required per vendor?
  • Are AppIDs per vendor, per phone model, or other?
  • What S4B topologies does this impact?
  • How does this apply to ExO, specifically regarding Web Services access.
  • How are the AppIDs configured and added to the Office365 tenant/Azure AD?
  • How does this impact LPE devices or non 3PIP devices?

I cannot emphasize how frustrating it is for customers (and partners) to receive messaging from the PG like this - which causes an immediate knee-jerk reaction - and then have to sift through subsequent communications for pertinent details on implementation.

 

Measure twice, cut once - you're doing us all (including yourselves) a favor.

Hi Folks, some more background on this article here

 

Iron Contributor

Audiocodes will have a new firmware available shortly

 

Tom Arbuthnot has done good post here explaining the change, with links to each vendor as they release the firmware  https://tomtalks.blog/2019/04/all-skype-for-business-ip-phones-must-be-firmware-updated-by-july-1st-...

Copper Contributor
Our Polycom phones firmware is currently managed by Microsoft directly (we don't have our own provision server). Will Microsoft be releasing the new firmware for our phones so these update automatically?
Microsoft

@ElectroRich Yes, we will post the Polycom firmware as soon as it is available. 

Brass Contributor

Will Microsoft push the release out to Polycom phones (automatic update) or will you just post a link?  We use Microsoft as the provisioning server and they normally only push out the major release # 5.7, 5.8, 5.9.  My understanding is the update will be 5.9.3.

 

Thanks



Microsoft

Official posts which include the partner-specific consent URL:

Crestron

AudioCodes

Yealink

Poly

Brass Contributor

@Diana_Vank Trying to settle a discussion with some of our team. The discussion is whether basic authentication to Office 365 will be unaffected by Microsoft's OAuth/AppID change.

 

On a Poly(com) VVX/Trio UC device when authenticating to Office 365:

1. Modern Auth is used by the "Web Sign-In" feature and https://aka.ms/sphone application.

2. Basic Auth is used when entering credentials via the web browser/server interface option Settings->Skype for Business Sign-in.

 

After a firmware update to 5.9.3+, we're expecting devices using method #1 will be forcibly signed-out and users will be required to re-authenticate (with administrator approval of new appID) --- CONFIRMED https://techcommunity.microsoft.com/t5/Skype-for-Business-Blog/OAuth-2-0-and-third-party-application...

 

We're expecting nothing will change with method #2 (phones happily keep basic auth-ing).

 

Does this sound correct? If not, will edit/remove this post so that false info isn't out there :)

Brass Contributor
Any update on the Polycom VVX and Trio firmware? I see Polycom UC Software 6.0.0.4796 already available on their website. This versioning seems greater than the "5.9.3" posted above. Does that mean it'll work with Microsoft's Modern Auth / OAuth 2.0 changes post-July 1st?

Hi All,

 

Some more updates from Poly (Polycom).

1. We're working with Microsoft to push the new UCS builds (via Skype for Business Online Update) that incorporate the new App ID.

2. We have an official announcement coming hopefully by the end of this week. Refer to my blog in the interim for updates.

3. Initial testing suggests the users will not be logged out when the upgrade is completed, provided the consent is performed prior to roll-out and before the cut-off date.

 

I hope this helps!

 

- Adam

Brass Contributor

@phake Don't think 6.0.0 has the App ID change. Also note support for many older VVX models ends with 6.0.0 - http://downloads.polycom.com/voice/voip/uc_sw_releases_matrix.html

Version guidance below

Device name    Software Version   Timeline
VVX Phones     5.9.3              Mid-May
Poly Trio      5.9.0 Rev AB       Mid-May
Group Series   6.2.1.1            Mid-June

Brass Contributor

@Tristan Griffiths and @Adam Jacobs - 6.0.0.4796 is confusing as you'd think it would logically have the App ID changes. Very confusing! I'll wait for 5.9.3.

 

We currently have Skype on-premise (Modern Auth) enabled and Exchange Online (Modern Auth enabled) for some users and our VVX 501's are working. EWS is not - will 5.9.3 save the day in that regard?

Hi @phake totally understand the confusion, 6.x is part of a different fork which is yet to be certified for Skype for Business (which is why this is not published on the Skype for Business VVX f/w page). 6.x will be certified in the future though, stay tuned.

 

Regarding the issue you're having, this is not expected and should work with the existing App ID. Please raise a support ticket and we can dig into this further.

 

Copper Contributor

One big problem with this is we now have to assess Polycom as a sub-processor of data, because consenting to the app permissions gives the app full access to all users' mailboxes, which could lead to a data breach if the Polycom service and app are breached. How can we ensure the app is secure, and how do we get validation that the app will not explore, use or digest information in users' mailboxes?

Brass Contributor

@Graham705 ideally Polycom/Crestron/AudioCodes/Yealink would link to a terms and conditions/privacy document. Looks like they have opted to not provide one.

[Image: Capture.PNG]

Copper Contributor

@Tristan Griffiths  Yeah, hence why no one should accept this. You are giving the app full mailbox access to every user. Without a contract in place with the app vendor or a suitable privacy and terms of use policy, most companies should not allow this access. Microsoft need to address this. It would be fine if the app only needed access to read and write calendar events but allowing full mailbox access gives way to significant risk of data breach.

Brass Contributor

Ah, thanks so much for the clarification @Adam Jacobs. !

 

RE: current VVX 501's and our recent Skype for Business on-premise enabling of HMA, I'm digging into the VVX 501 logs to find out why it's not allowing the EWS + OAuth magic, and will put in a Polycom ticket. Thanks. Any links or obvious config I'm making will greatly help 300+ people!

Hi All, official tech advisory published by Poly here 

Microsoft

Please note deadline change in the original post, now January 15, 2020

Copper Contributor

So to confirm the firmware update is no longer required by July 1, 2019 but rather January 15th. Is that correct?

Microsoft

@Larry Thomas correct!

Folks - minor update to a statement I made above:

 

Hi All,

 

Some more updates from Poly (Polycom).

1. We're working with Microsoft to push the new UCS builds (via Skype for Business Online Update) that incorporate the new App ID.

2. We have an official announcement coming hopefully by the end of this week. Refer to my blog in the interim for updates.

3. Initial testing suggests the users will not be logged out when the upgrade is completed, provided the consent is performed prior to roll-out and before the cut-off date. <- the latter is only true for users that signed-in locally on the device. For users that signed-in with Web Sign-in they will be logged out, this is due to the fact that their credentials are not cached on the device and so tokens cannot be renewed without intervention

 

I hope this helps!

 

- Adam

Steel Contributor

As this shift into using an AppID seems to be inline with OAuth authentication in general, does this mean that devices should not have to re-authenticate when a user password has expired/changed as it'll be using a token created specifically for that User/AppID at time of sign in?

 

I noticed @Graham705's comment on mailbox access. I suspect this is required for the voicemail access due to how the devices access/manage the voicemail. Is that correct? My understanding is that while you are granting the AppID access to mailboxes as the signed-in user, it would mean that the device would only have access to the mailbox that user has access to, not every mailbox on the platform (unless that user has that level of access).

 

Cheers

Brass Contributor

@Diana_Vank Which post mentions the date moved to January 15th?

Steel Contributor

@msabat The main post at the top has had the date changed, and it is now marked in bold.

Brass Contributor

"Specifically, signing to the device via web or using a user name/password on the phone will fail."

 

I’d be curious to learn whether that goes for PIN authentication as well.

Brass Contributor

@msabat Extension+PIN authentication is unaffected. Only authentications using ADAL/Modern Auth/OAuth are affected.

Brass Contributor

@Tristan Griffiths so also anywhere EWS is needed and OAuth is used with EWS.

Brass Contributor

@oradcliffe yes, if you're signing on to the device using web sign-in (code + https://aka.ms/sphone).

 

(we'll ignore that we can override Exchange authentication via provisioning file)

Brass Contributor

@Tristan Griffiths OAuth is used in a bunch of other places, not just web sign-in. This change I believe will affect anything where the phone needs OAuth authorization. We've got web sign-in, EWS, even username/pass sign-in to an on-prem SfB environment if that environment uses Azure STS for auth.

Brass Contributor

@oradcliffe

username/pass+SfBO+EXO - basic auth

web sign-in+SfBO+EXO - modern auth/oauth

username/pass+SfB+EX on-prem - negotiate (ntlm) or basic

web sign-in+SFB+EX on-prem - modern auth/oauth (think this is now supported)

 

That's my understanding anyway. There would be other more complex arrangements with ADFS and hybrid environments but that hurts my head to think about.

Brass Contributor

@Tristan Griffiths that is about right yeah, but don't forget you can enable OAuth in ExO and SfBO, as well as SfB on prem.  You can also disable basic auth in your O365 tenant, and then you'd be either using OAuth or just failing to sign in :)

Brass Contributor
@oradcliffe Yup, with basic auth disabled in SfBO or EXO, only web sign-in (https://aka.ms/sphone) will work.
Brass Contributor

@Tristan Griffiths that's not entirely true. I can set up, for one example, Skype on-prem to use OAuth with Azure as the token signer. I could then disable basic auth in my tenant and still use username/pass with my on-prem deployment, and that would use OAuth via Azure.

Brass Contributor

@oradcliffe Would your scenario include ADFS? Just trying to think what mechanisms that would permit getting that OAuth token from the on-prem/azure environment given a username/pass.

 

(my comment should have been "SfBO and EXO" to be more accurate)

Steel Contributor

Anybody notice devices such as the Polycom Centro or any of the Polycom Group Series devices running 6.2 suddenly stop working?

 

2019-07-02 15:43:32.305 WARNING  logcat: hd[0]: System.err(2405): com.microsoft.aad.adal4j.AuthenticationException: {"error_description":"AADSTS65001: The user or administrator has not consented to use the application with ID 'a850aaae-d5a5-4e82-877c-ce54ff916282' named 'Polycom - Skype for Business Certified Phone'. Send an interactive authorization request for this user and resource.\r\nTrace ID: d9f50d5c-688f-4fb4-a9f9-26fe73281b00\r\nCorrelation ID: 976c1c4d-d9fa-4780-a398-6623f173b46a\r\nTimestamp: 2019-07-02 15:43:33Z","error":"invalid_grant"}

This seems to have broken inline with the original date, not their new date.
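The log line above is the signature of a device whose tenant never completed the partner consent: ADAL reports invalid_grant with AADSTS65001 and names the App ID. As an added example (not code from the thread or from Poly), the scanner below pulls the AADSTS code, App ID, app name and correlation ID out of such lines so an admin can spot missing consent across a fleet before users report sign-in failures; the log lines are constructed samples, the first mirroring the posted Group Series entry.

```python
# Added example: structure ADAL failure lines such as the AADSTS65001 entry
# above. Log lines are constructed samples; the first mirrors the posted one.
import json
import re

SAMPLE_LOG = [
    # Mirrors the posted line: invalid_grant / AADSTS65001 because the tenant
    # never completed consent for the partner App ID.
    r'2019-07-02 15:43:32.305 WARNING  logcat: hd[0]: System.err(2405): '
    r'com.microsoft.aad.adal4j.AuthenticationException: {"error_description":'
    r'"AADSTS65001: The user or administrator has not consented to use the '
    r"application with ID 'a850aaae-d5a5-4e82-877c-ce54ff916282' named "
    r"'Polycom - Skype for Business Certified Phone'. Send an interactive "
    r'authorization request for this user and resource.\r\nTrace ID: '
    r'd9f50d5c-688f-4fb4-a9f9-26fe73281b00\r\nCorrelation ID: '
    r'976c1c4d-d9fa-4780-a398-6623f173b46a\r\nTimestamp: 2019-07-02 15:43:33Z",'
    r'"error":"invalid_grant"}',
    # Constructed unrelated warning: must be ignored.
    '2019-07-02 15:43:40.001 WARNING  logcat: hd[0]: Network: link down',
    # Constructed truncated payload: must not crash the scanner.
    '2019-07-02 15:44:01.120 WARNING  logcat: hd[0]: System.err(2405): '
    'com.microsoft.aad.adal4j.AuthenticationException: {"error":"invalid_gr',
]

GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) .*?"
    r"AuthenticationException: (?P<body>\{.*)$")
# Only the code this thread documents is mapped; other codes are not guessed.
KNOWN_CODES = {"65001": "tenant has not consented to the phone partner App ID"}


def parse_aad_failure(line):
    """Return a structured record for an ADAL failure line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        payload = json.loads(m.group("body"))  # also decodes the \r\n escapes
    except json.JSONDecodeError:
        return {"timestamp": m.group("ts"), "error": "unparseable",
                "raw": m.group("body")}
    desc = payload.get("error_description", "")
    code = re.match(r"AADSTS(\d+)", desc)
    app = re.search(r"application with ID '(" + GUID + r")' named '([^']*)'", desc)
    corr = re.search(r"Correlation ID: (" + GUID + ")", desc)
    aadsts = code.group(1) if code else None
    return {
        "timestamp": m.group("ts"),
        "error": payload.get("error"),
        "aadsts": aadsts,
        "app_id": app.group(1) if app else None,
        "app_name": app.group(2) if app else None,
        "correlation_id": corr.group(1) if corr else None,  # quote in tickets
        "diagnosis": KNOWN_CODES.get(aadsts, "unmapped AADSTS code"),
    }


def scan(lines):
    """Keep only the ADAL failure records from a whole log."""
    return [rec for rec in map(parse_aad_failure, lines) if rec is not None]

if __name__ == "__main__":
    for rec in scan(SAMPLE_LOG):
        print(rec["timestamp"], rec["error"], rec.get("diagnosis", "-"))
```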

Hi @jangliss the last upgrade for Group Series requires that the organization performs consent prior to upgrading. It seems this has not happened. Refer to notes here.

 

Notes

 

  • Microsoft has announced changes related to the Microsoft Online device registration requirement. These changes affect RealPresence Group Series systems registered for Skype for Business accounts. Before upgrading your Microsoft environment RealPresence Group Series system to 6.2.1.1, see the Technical Advisory for specific changes and actions required.

- Adam

Copper Contributor

@Adam Jacobs

Is there any harm to consenting to the Polycom App ID right now in our tenant, and will consenting affect current VVXs and Lync phone edition devices?  I assume the consent needs to happen before the devices are auto upgraded by MS to the supported firmware?  Is this still the correct timeline for the firmware releases that will be pushed down to the devices?

 

VVX - 5.9.4 (Q4 Calendar Year 2019)

Trio - 5.9.1AA (August 2019)

 

I am still unclear on whether people will be logged out of their phones after the consent and firmware updates.  We have a mix where some are logged in via web sign-in and others with BTOE integration.

 

Thanks for the help and advice!

 

 

There is no harm performing consent against your tenant; existing devices will not be impacted. Testing suggests that the upgrade process will not sign out the device unless a subsequent downgrade is performed. Dates will be more detailed once we have a release vehicle; we have an HMA issue we're tracking.

Copper Contributor

@Adam Jacobs 

Thank you for the help!  Is there a recommended route to the firmware updates?  Currently we have devices updating automatically, but normally, is the process where Polycom will release the update and can be downloaded/installed manually on the phone to test?  I assume that Microsoft will not automatically approve that firmware version and push it down to devices right when Polycom releases it?

@myry1 refer to support.polycom.com for manual updates; Microsoft typically pushes certified s/w releases only, and only after Poly releases them.

Copper Contributor

@Adam Jacobs Thanks, is there a typical time between Poly's release and Microsoft's certified push? Best practice - automatic updates on phone or manual updates? I haven't seen any issues with firmware updates in the past, but not sure if testing is more appropriate in this situation.

Iron Contributor

@myry1 Once the required update is available then it will likely be posted to the device update service quicker than in the past given the potential impact.

 

That being said, Microsoft has ceased their device qualification program for Skype for Business Online, so any new firmware updates beyond this change will be certified, and likely the Device Update services online will continue to push the current versions until SfBO retirement in July 2021.  (An exception would be if one of those releases was found to have a critical security flaw in the future and would need to be replaced with a patched version, but even then it's quite possible that Microsoft just decides to disable the update service in general.  In short, it's always recommended to manage device updates in a different manner and disable the in-band update process as Adam mentioned earlier.)

 

Newer releases may still be able to qualify for Skype for Business Server, but Microsoft does not manage those updates, the customer does in their own deployment.

Copper Contributor
@Diana_Vank Microsoft is indicating that all phones must be updated by January 15, 2020 to support OAuth. The release notes for Polycom UC software 5.9.4 indicate support for OAuth, but it seems that version is not on the approved list for Skype for Business Online implementations. Customers in Skype for Business deployments should only use software releases that have been qualified by Microsoft or the maintenance releases built on a qualified release. The current version which is qualified by Microsoft is 5.9.0.9373. When will Microsoft qualify release version 5.9.4? Both the URLs below, from Poly and from Microsoft, suggest we stay on 5.9.0. Please advise!

https://support.polycom.com/content/support/north-america/usa/en/support/voice/polycom-uc/polycom-uc...
https://docs.microsoft.com/en-us/skypeforbusiness/certification/devices-ip-phones#conference-phones
Microsoft

@Vinay N V all Poly 5.9.x builds are currently certified for SFB. The listing on docs.microsoft.com implies that any version greater than the certified build listed is also certified. 

Last update: Jun 07 2021 10:59 AM