OAuth 2.0 and third-party application ID: Timeline extended to June 30, 2022!
Published Apr 25 2019 10:40 AM
Microsoft

New implementation timeline: June 30, 2022

To provide our customers with best-in-class security across our services, Microsoft is moving to the Microsoft Identity Platform 2.0 (an evolution of the Azure Active Directory identity service), which uses the OAuth 2.0 authorization protocol. Under OAuth 2.0, a third-party app, identified by its own application (client) ID, is granted delegated access to web-hosted resources on behalf of a user; the permissions it may use are those the tenant has consented to for that application ID.

This change only impacts Skype for Business IP Phones certified under the 3PIP program.

Deployment Type                                                    Impact Statement
Skype for Business Online                                          All phones must be updated and tenant admins must have approved the phone partner's App ID using the consent URL
Skype for Business On-Premises Hybrid (With Modern Auth Deployed)  All phones must be updated and tenant admins must have approved the phone partner's App ID using the consent URL
Skype for Business On-Premises Hybrid (No Modern Auth)             No Impact
Skype for Business On-Premises No Hybrid                           No Impact


As a result of this change, Skype for Business IP Phone partners have made a code change to embed the partner-specific application ID in their firmware. The customer tenant admin will be required to confirm consent to allow the third-party phone application to be granted the necessary permissions (the same permissions currently being used by Skype for Business IP Phones).

[Screenshot: consent permissions dialog]

Skype for Business IP Phone partners will provide customers with a partner-specific consent URL. The customer admin will need to perform a one-time, tenant-wide (all users) consent per IP Phone partner (i.e. one consent URL for Yealink, one consent URL for Crestron, etc.).


Microsoft IP Phone partners will post additional information via their own communication channels, including the firmware version that includes the necessary changes.

This change requires customers to perform a 2 step process:

Step 1: Accept the permissions request using the consent URL (can be done at any time)

Step 2: Upgrade all impacted phones to the firmware version communicated by the Microsoft IP Phone partners

All certified Skype for Business IP phones must be updated by June 30, 2022 (the deadline was previously July 15th, 2020 and originally January 15th, 2020). Without the update, authentication to Microsoft services from IP Phones will fail: specifically, signing in to the device via web sign-in or with a user name/password on the phone will fail. Customers are encouraged to work with their certified Skype for Business IP Phone provider to make the update before the deadline.
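As an added example (not part of this post, and not Microsoft's or any phone partner's code), the following Microsoft Graph PowerShell script checks Step 1 from the admin side: that the partner's application ID has a service principal in the tenant, that it holds a tenant-wide ("AllPrincipals") delegated-permission grant rather than a single user's own consent, and that one of those grants is on Exchange Online, because a consent accepted before the partner added Exchange scopes to its consent URL shows up as exactly that missing grant. It assumes the Microsoft.Graph module is installed and the account has Application.Read.All and Directory.Read.All; the default app ID is the Poly one quoted later in the comments and is only a placeholder. The exact scope list each partner needs is partner-specific and is listed, not judged, here.

```powershell
# Added example, not from the original post or from Microsoft/Poly.
# Verifies that a 3PIP phone partner's application ID has been consented to tenant-wide.
# Assumes: Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph) and an admin
# with Application.Read.All + Directory.Read.All. Replace the app ID with your partner's.
param(
    [string]$PartnerAppId = 'a850aaae-d5a5-4e82-877c-ce54ff916282'   # Poly, as quoted in the comments
)

# Exchange Online's resource service principal (well-known first-party app ID).
$ExchangeOnlineAppId = '00000002-0000-0ff1-ce00-000000000000'

Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All'

# Accepting the consent URL creates a service principal for the partner app in the tenant.
$sp = Get-MgServicePrincipal -Filter "appId eq '$PartnerAppId'"
if (-not $sp) {
    Write-Warning "No service principal for app ID $PartnerAppId: consent has not been performed in this tenant."
    return
}
Write-Host "Found '$($sp.DisplayName)' (service principal $($sp.Id))"

# Delegated grants held by that service principal. ConsentType 'AllPrincipals' is the
# tenant-wide admin consent the article requires; 'Principal' is one user's own consent.
$grants = Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id -All
if (-not $grants) {
    Write-Warning "Service principal exists but has no delegated permission grants; re-run the partner's consent URL."
    return
}

$report = foreach ($g in $grants) {
    $resource = Get-MgServicePrincipal -ServicePrincipalId $g.ResourceId
    [pscustomobject]@{
        Resource    = $resource.DisplayName
        ResourceApp = $resource.AppId
        ConsentType = $g.ConsentType
        Scopes      = (($g.Scope -split '\s+') | Where-Object { $_ }) -join ', '
    }
}
$report | Format-Table -AutoSize

$tenantWide = $report | Where-Object ConsentType -eq 'AllPrincipals'
if (-not $tenantWide) {
    Write-Warning "Only per-user consent exists; the tenant-wide consent URL has not been accepted."
}
# The comments report calendar/EWS failures when consent predated the partner adding
# Exchange scopes: that condition appears here as no tenant-wide grant on Exchange Online.
if (-not ($tenantWide | Where-Object ResourceApp -eq $ExchangeOnlineAppId)) {
    Write-Warning "No tenant-wide grant on Exchange Online; re-run the partner's current consent URL."
}
```

Run it once after accepting the consent URL and again after any partner announcement that the consent URL has changed; a new URL usually means new scopes, and the grant list is the only place in the tenant where that difference is visible.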

Comments
Copper Contributor

@Vinay N V as indicated by @Diana_Vank and the release notes you can use any maintenance release built on top of the 5.9.0 version, e.g. 5.9.4. Poly is working to reword the notes on the link provided and make it more clear.

Hi Folks - Group Series, Trio and VVX builds are now released:

Device name    Software Version   Timeline    Download
VVX Phones     5.9.4.3247         Late-Sept   URL
Poly Trio      5.9.1.10419        Late-Sept   URL
Group Series   6.2.1.1            Mid-June    URL
Copper Contributor

Hi Adam

To confirm, the links you provided take us to the latest Polycom UC Software release; however, when you go to the latest UC Software for Skype for Business deployments, the latest is 5.9.0.9373. The version you are referring to is just on the Poly latest side.

Can you please confirm that 5.9.4.3247 is supported by MS and indeed is the resolution for OAuth 2.0?

Thanks

Larry


Hi @Larry Thomas we're in the process of updating this page, whereby 5.9.4.3247 will be supported for Microsoft customers.

Copper Contributor

Thank you for the clarification

 

Larry

Copper Contributor

Hi

So I am currently testing the new firmware in our organization. We use MFA for all our users. I have accepted the consent URL for online device registration, and it shows as such in going into the Azure portal. I am having the following issue and just wanted some clarification.

All our users use the BToE software, and login into their phone using the user credential method. Since going to 5.9.4.3247 all users get the following message on their VVX --- "Not able to connect to Calendar data & other exchange services ……"

The only way I am able to resolve this error is to have the user sign in using the web sign-in method.

Going forward, am I correct in that this new firmware does not support the user credential method and all will have to use web sign-in? I was of the understanding that accepting the online device registration for our tenant this would not be the case.

Thanks

Larry

Copper Contributor
Hi, I have just tried to upgrade our VVX phones to 5.9.4.3247. However, once they have been upgraded they reboot and revert back to 5.9.0.9373. I remember this happening in the past when I tried to upgrade the firmware and I raised this with Microsoft and they said that the Skype Online server reverts the phones back as that is the latest supported version. It seems Microsoft are yet to approve this software update. When will this be done so that I can update to the latest version without it being downgraded automatically? I don't want to go through the steps of setting up my own provisioning server etc. Thanks, Richard

Hi @Larry Thomas

First ensure you're using the latest version of our BToE software - 4.1.0.0 is posted here

Second, there's a known issue in relation to calendaring, for folks using Exchange 2013 on-premises with HMA (refer to release notes), we're working with Microsoft on this.

Third, we updated the consent URL some time back as some Exchange scopes needed to be added per Microsoft's recommendation. If you performed the consent some time ago this may be the issue. The most recent consent URL is here

Let me know how you get on!

- Adam

Copper Contributor

Hi Adam

Appreciate you getting back

To answer your questions

I have tried the newest BToE (we also have a few people who don't use the BToE) and have logged into the phone from the Web UI and they have the same issue - so it can't be a BToE issue

We are 100% online for Exchange

I retried the consent yesterday and then again this morning from your comments.

After all the above -- same issue

Any further thoughts?

@Larry Thomas I've DM'd you, let's take offline

Copper Contributor

Hi all,

We are also preparing for this change within our company. We performed the consent (it's visible in the Azure Enterprise applications) and after that we've installed the required software upgrades on some test Poly devices (Poly VVX301, VVX601 and Trio8800).

We can't find the authentication in Azure or a way to confirm that these devices are fine now for the change that will take place on January 15th.

Where can we get confirmation?

Secondly, is the target date still January 15th 2020?

Thanks in advance for any feedback.

Iron Contributor

You can find the application in your tenant by going to the Enterprise Applications section of the Azure AD admin center:

https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/AllApps/menuId/

(Edit: oops, I had the wrong app highlighted before.  This is the correct app for phone authentication among the various Poly apps.)

Copper Contributor

Hi @JeffB I can't find the application that you have highlighted on your screenshot. After we performed the consent the only Polycom applications I can see in our tenant are as follows:

Did we miss something?

Thanks in advance for your feedback!

@Hmerckx that's the one. You can search for our App ID also, which is: a850aaae-d5a5-4e82-877c-ce54ff916282

Copper Contributor

@Adam Jacobs 

How can we get confirmation that our Polycom devices are fine now for the change that will take place on January 15th?

Where can we see confirmation that the accounts/Polycom devices authenticate the right way?

Secondly, is the target date still January 15th 2020?

Thanks in advance for your feedback!

@Hmerckx There are two requirements:

  1. Perform the consent. Once completed this will show up within your Office 365 tenant (within Azure AD applications) - you showed this in your earlier thread
  2. Ensure your Poly endpoints are updated with the right f/w level that supports the 3rd party app ID. Firmware versions are published here

The date has not changed

Copper Contributor

@Adam Jacobs Thanks, I got that.

But is there a way to check ahead of Jan 15th 2020 whether it will work? We know the consent/application is ok, we also know the software is ok ... but can we test it upfront?

Thanks in advance!

@Hmerckx yes, as soon as you upgrade to the builds I shared previously the new 3rd party app will be used. The Jan 2020 date is just when the 1st party Microsoft app gets turned off.

Copper Contributor

@Adam Jacobs Is there a way to check in Azure if the account/device uses that 3rd party app? I'm just looking for that black on white proof.

@Hmerckx not that I'm aware of, you could review device logs. But as soon as you upgrade to the 3rd party app device f/w this is enforced.
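One source of black-on-white evidence that the thread does not mention, added here as an example and not as Adam's or Poly's guidance: the Azure AD sign-in log records the application ID every token request was made with, so filtering it on the partner's app ID shows which users' phones are already authenticating through the third-party app and which of those sign-ins are failing. The script assumes the Microsoft Graph PowerShell SDK, AuditLog.Read.All and Directory.Read.All, and an Azure AD Premium P1/P2 licence (the signIns API is licensed); the Poly app ID quoted above is only a placeholder.

```powershell
# Added example, not from the thread or from Poly/Microsoft.
# Lists recent Azure AD sign-ins made with the partner's application ID.
# Assumes: Microsoft Graph PowerShell SDK, AuditLog.Read.All + Directory.Read.All,
# and Azure AD Premium (the signIns API is licensed).
param(
    [string]$PartnerAppId = 'a850aaae-d5a5-4e82-877c-ce54ff916282',  # Poly, as quoted above
    [int]$Hours = 24
)

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'

# OData datetime literal for the filter, in UTC and unquoted as Graph expects.
$since = (Get-Date).ToUniversalTime().AddHours(-$Hours).ToString("yyyy-MM-dd'T'HH:mm:ss'Z'")
$signIns = Get-MgAuditLogSignIn -Filter "appId eq '$PartnerAppId' and createdDateTime ge $since" -All

if (-not $signIns) {
    Write-Host "No sign-ins via app $PartnerAppId in the last $Hours h: no phone on the new firmware has signed in yet."
    return
}

# errorCode 0 is success. 65001 is the consent error (AADSTS65001): the phone is on the new
# firmware but the tenant has not accepted the partner's consent URL.
$signIns |
    Sort-Object CreatedDateTime -Descending |
    Select-Object CreatedDateTime, UserPrincipalName, IPAddress, ClientAppUsed,
        @{ n = 'Result'; e = {
            switch ($_.Status.ErrorCode) {
                0       { 'Success' }
                65001   { 'Failed: consent missing (65001)' }
                default { "Failed ($($_.Status.ErrorCode))" }
            } } } |
    Format-Table -AutoSize

# Per-user summary: who has at least one successful sign-in through the third-party app.
$signIns | Where-Object { $_.Status.ErrorCode -eq 0 } |
    Group-Object UserPrincipalName |
    Select-Object @{ n = 'User'; e = 'Name' }, Count |
    Sort-Object User
```

A user who appears in the summary has a phone that is already on the new app model; a user who only appears with failures, or not at all, is the one to chase before the first-party app is turned off.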

Copper Contributor

Hi @Adam Jacobs do you have a screenshot example of what we should see in the device logs in order to be sure things are working the way they should? We just want to avoid a big surprise on January 15th 2020.

Another question about these software upgrades.  The table you have with the versions, ... any newer versions than the one in your table, will they also do what's needed?  Or can it be, for now, only be that specific versions?

Copper Contributor

On another note we are facing some other issue as well when we are performing the software upgrade on the Polycom VVX601.  

- Upgrade from version 5.9.0.9373 to version 5.9.4.3247 worked fine ... but after a while the Polycom device showed a message that there was a device update available.  When I checked the details of that device update I can see that it wants to downgrade again to the older version 5.9.0.9373.  If I ignore that message to update it will automatically reboot and downgrade after a few minutes.

See below screenshots:

[Screenshot: DeviceUpdateAvailable]

[Screenshot: UpdateAvailableVersion]

Why is it doing this? And how can we prevent this from happening?

Iron Contributor

@Hmerckx What Adam is saying is that there is no need to 'validate anything' as the phone will not successfully authenticate if the app was not approved.

This is how it works:

Starting with the 5.9.4.3247 release the VVX can only authenticate to Skype for Business Online using the app model. Sign-in will simply not work unless the Poly app has been manually approved by an administrator for the tenant where the user account is homed that is attempting to sign-in to the phone.

Once the app has been approved in the tenant (which you have done) then all VVX phones running 5.9.4.3247 will successfully sign-in. They cannot use the older user authentication method regardless of the app's status, so there is nothing to confirm in any logs. If a VVX running 5.9.4.3247 or newer successfully signs-in, then it's using the new app model and will continue to work that way from that release through all future releases.

Regarding the firmware version issue, it is recommended to disable Device Updates in your Office 365 tenant for this reason:

http://blog.schertz.name/2016/07/device-updates-with-skype-for-business-online/

Microsoft typically does not update the published version for most minor updates, and when they do it historically takes a long time. I expect this version will be posted to the update services eventually, as it'll be required before long. But for now you'll want to disable the updates to prevent the phones from rolling back automatically.

Copper Contributor
@Jeff_Schertz Surely Microsoft need to publish the 5.9.4.3247 firmware sooner rather than later if they want to push forward with these changes otherwise there will be a lot of tenants that get stuck when they switch off the older authorization versions. I would prefer to keep the Skype online updates active so I know our phones are running the latest certified builds without having to go into each phone individually to update it or set up our own provisioning server.
Copper Contributor

@Jeff Schertz: I fully agree with @ElectroRich. I would like to leave the update process enabled. How can we push Microsoft ahead with providing the latest version on their servers?

This is an absolute need, especially if the date of Jan 15, 2020 stays.. (Update Polycom devices, required for 'Microsoft Online Device Registration updates, MC178633)

Brass Contributor
@Jeff Schertz and @Adam Jacobs: This might be a fairly dumb question, but we've started updating our Polycom Trio 8800's to use the Microsoft Teams base profile. Will we need to update to the 5.9.1.10419 firmware version before Jan 2020? We're currently at 5.9.0.11398. Bonus question: Updating the Polycom Trio firmware is fairly easy, but how do we update the Microsoft Teams software version? We're noticing some Trio's going "Offline" in the TAC -> Devices section and rebooting them seems to set them to "Online". I was thinking some regular MS Teams software pushes might help the devices be more healthy? Thanks!
Iron Contributor

Agreed that Microsoft needs to push that firmware update to the device update services as soon as possible.  I'm just stating that until that happens the only way to prevent rollback is by disabling updates.

This app is only applicable to registration to Skype for Business, not for Teams.  Using Teams profile on the Trio is native and not impacted by any of this.

The Teams application should automatically update itself when a newer version is available.

Brass Contributor

@Jeff_Schertz  awesome, this is the info I was looking for! Thanks for taking the time.

@phake regarding your bonus question, we're working with Microsoft on this.

Brass Contributor

@Adam Jacobs  love it, thanks. :folded_hands:

Brass Contributor

@Adam Jacobs and @Jeff_Schertz we're testing out firmware 5.9.4.3247 and ran into some issues with EWS (Calendar, Contacts, etc)

Using: https://outlook.office365.com/EWS/Exchange.asmx for EWS

VVX 501, 5.9.2.3446 firmware, User Skype onprem, EXO homed = Success  
 
VVX 501, 5.9.4.3247 firmware, User Skype onprem, EXO homed = Failure 

VVX 501, 5.9.4.3247 firmware, User Skype Online (Teams only), EXO homed = Failure 

Any insight? Have you guys run into this? 
Brass Contributor

We're running into this in another office as well. Confirmed errors in another network environment.

Brass Contributor

Looks like there's a 6.0.0.4839 and a 6.1.0.6189 but do we know if it has the 3rd party application ID baked in?

@phake only 5.9.4.3247 has the new app ID baked in and is the latest recommended Microsoft firmware load. Please stay away from 6.x these are not Microsoft sanctioned releases.

Please re-perform the consent here

Brass Contributor

@Adam Jacobs- HA! That did it. Sigh, sorry. We must have jumped at the previous deep link URL months ago.

Works now. :)

EWS Information
EWS deployed
Email: banff_room_booking@ehs.com
Configured Exchange URL: https://outlook.office365.com/EWS/Exchange.asmx
EWS Internal URL:
EWS External URL:
Exchange Calendar: Synchronized
Exchange Call logs:
Exchange Voicemail: Synchronized
Exchange Outlook Contacts: Synchronized
Server Missed Call Status: Not Available

@phake when we originally published the consent URL we (Poly and Microsoft) noticed some Exchange-related permission issues. So glad this fixed it. If anyone else here performed consent some time back, please also follow suit. Also (and as always), Poly's latest Microsoft releases are published on this page - bookmark it now! :smile:

Brass Contributor

@Adam Jacobs Thanks! You saved us some heartache.

Copper Contributor

Hi @Adam Jacobs , ... starting from when (date) the consent is the good one?

@Hmerckx I believe the updated consent URL was published in mid-June.

Copper Contributor

Hi @Adam Jacobs ... is the Group Series 500 software version 6.2.2-580140 compliant with the new app ID?

@Hmerckx Group Series version 6.2.1.1 and higher introduces support for 3rd party app ID. So yes, confirmed.

Copper Contributor

I see Poly has put out a new version of firmware for SFB deployments -- Latest Maintenance Release UCS 5.9.5.0614

In testing neither Web Sign In nor the User Credential method works. It continuously tries authenticating and fails at fetching the user certificate.

Thanks @Larry Thomas I'll bring this to the attention of engineering team. Please do however continue to use official support channels! :)

Copper Contributor

Will do thanks Adam.

Can someone please confirm that if using MFA the only method which is supported is the Web Sign In method as is from the latest on MS web site?

@Larry Thomas (and others) please refrain from using this newer build, it's not been approved for use within Skype for Business Online. Microsoft are in the process of adding this version to their CVC database. We're investigating why this build was published early to our Skype for Business download page.

Copper Contributor

Hello

We are experiencing the same as @Larry Thomas in regards to MFA. With new firmware 5.9.4.3247 we can no longer connect using the user credential method (BToE). Web Sign In is the only method that works.

We have performed the consent and it does show in our Enterprise Applications in Azure as Polycom - Skype for Business Certified Phone

Are all users now required to sign in with the web sign in method? User credential no longer supported? Going to be a bit of a headache if we have to get all our users to change the login method

@O365Admin1799  User sign-in is supported also, I suspect there's something else in play here.

Copper Contributor

Good to know, thanks for answering as that is what I thought.

Reason I asked is I did open a ticket (SR# 1-14239375988) up with Polycom. The support specialist said he raised to the T3 VOIP department and he has confirmed that MFA is NOT supported with user credentials and that I have to use web sign in.

 

So you can see my confusion

Copper Contributor

@O365Admin1799. Have just received a definitive response that the only method of sign in that is supported for MFA enabled accounts is the web-sign in method. User credentials or BToE is NOT supported nor does it work. I Hope this saves you and any others the grief I went through in getting this answer.

Brass Contributor

So what happens when you have users hosted on prem, but still use Modern Auth/MFA?  Polycom phones just cease to work?

Last update: Jun 07 2021 10:59 AM