Jun 02 2017 05:18 AM
Hi Folks, just wanted to check if anyone has experienced problems with using O365 on SurfaceHubs whilst having Conditional Access in place? We are using O365 and Enterprise Mobility + Security suite, and various policies in place which require a form of compliance and Domain/Workplace join...
However, we've set up the SurfaceHub with a device account which is licensed for Skype for Business (Plan 2) and using Domain security groups for access to Settings, etc so it's recognised by the Domain Services. But when going into O365, we get the 'you can't get there from here' ERROR message. We've an open ticket with Microsoft Premier Support but if anyone has any insights, it'd be greatly appreciated!
Aug 29 2017 07:38 AM
Hi Anthony,
I have this exact same issue. Exchange Online protected with Intune conditional access, which seems to prevent anyone using the Office 365 welcome screen sign-in. Surface Hub is domain joined (local AD not Azure AD).
Raised this issue with premier support over 2 months ago; it has been passed over to the elusive 'product group'. Zero response so far.
Did you manage to get this working at all or are you still waiting on a resolution from Microsoft also?
Thanks
Arian
May 03 2018 08:28 AM
We are having exactly the same issue.
We learned that the only way to get it to work is to exclude the IP address from the requirement to use a compliant device.
We have several of these devices, so I tried multiple scenarios.
Our environment has an on-premises AD synced with AD Connect to O365.
Exchange & Skype running in the cloud.
Conditional access enabled via Intune.
On-premises ADFS used for authentication of federated accounts.
What worked:
- Join the Surface Hub to the on-premises AD and assign the proper licenses to the account (synced with AD Connect)
- Join the Surface Hub to Azure AD only with an unfederated account and also assign the licenses.
The device logs on and shows up in Skype in both scenarios.
Logging in as a user (show my meetings/files) doesn't work -> you get the mentioned error message.
Excluding the device via its IP address in CA makes everything work (for both join types).
I'm looking into how to make the device trusted (Compliant) in Intune, however, so we don't have to go the IP-exclusion route, as IP-exclusion scenarios look very outdated and don't work in our case using a cloud-based proxy in between with dynamic addressing.
Cheers,
Frank
May 03 2018 10:53 AM
So I finally got some awesome, terrible news on this matter this week. The Surface Hubs, when connected to AD DS, and using Intune for Device Compliance, or even the Hybrid Azure AD Joined CA requirement, will show as not compliant for everyone except the account that is joined as the MDM account. The support team told me that the Surface Hubs are built on RS2 of Windows 10, and the only way those devices will be shown as compliant in a CA policy, consistently, is to Azure AD join them. The problem we have, well the main concern out of the 10+ reasons not to do this for us, is that now we have to look at opening up the Azure AD Device Administrators Role for a handful of these devices. Terrible solution.
May 03 2018 11:32 PM
With the latest update of Intune (April 23rd) it looks like the Surface Hub is now supported for conditional access, but the exact details are not clear to me (yet):
https://docs.microsoft.com/en-us/intune/whats-new#support-for-user-less-devices-
Apr 26 2021 11:48 PM
Apr 29 2021 12:40 PM
@AusSupport180 These have been addressed with the latest 20H2 updates.