Surface Hub 2 - Problem with Microsoft Teams


Hi, we have had the Surface Hub 2 with Microsoft Teams for 2 months, and it suddenly couldn't load MS Teams in the afternoon. We thought there was file corruption after using it a day ago. Therefore, we did a factory reset, and that still did not resolve the issue. We were unable to find many resources online pertaining to this problem. The MS Teams screen just shows a blank black screen (the same after clicking to join the meeting, or launching the app manually). By the way, we are using local AD synced with Azure AD. Any suggestions on how to resolve this, as we are going to use it on Tuesday?


Thanks.

31 Replies

@Tee Meng Jonathan Koh 

By the way, using the Hub Edge application, I am able to log in to MS Teams and join the meeting with no issues. Therefore, I don't think it is an account issue.

Same issue here on a new Hub 2 that was set up for the first time yesterday.

Same issue here. Just received a Surface Hub 2s and we've tried setting up with Azure AD join and then reset the surface hub and just went with a local admin account. Same issue with both setups.

This is an outage and investigations are under way. The issue affects all newly deployed devices and new installations (factory reset). Please accept my apologies for the matter and hold on while we work on resolving this.

 

Thank you,

Cezar Cretu

@Cezar Cretu Please keep us updated on this matter as to resolution and steps required. 

@Cezar Cretu, I'm also waiting for a status update from you ;)

Hello everyone,

 

Issue has been mitigated. Please test and confirm

 

Thank you,

Cezar

Yes, the issue is resolved for me now. Thank you.

Hi Cezar, I also have a Surface Hub 1 with the same issue. I had not installed MS Teams on it previously, but now I have, and so far it is still experiencing the same issue, with Teams opening but just displaying the grey background and nothing else. Is there anything I need to do on my side to resolve the issue?

Hi @alankinane485 

This issue is now confirmed as resolved. Your issue might be related to something else like conditional access, account configuration, network and so on. I suggest opening a case if you are still having issues

 

Thank you

Cezar

 

Hi Cezar,

It looks like the Teams for SurfaceHub app does not support modern authentication. Mine has stopped working again. I had originally excluded the account from MFA whilst setting up my Surface Hub but now that I've enabled MFA on the account it is not working again. Seems to work again once I exclude the account and restart the surface hub.

We are contractually obliged by Microsoft to have all of our tenant accounts protected by MFA, so we are completely stuck now. We can use the browser-based version of Teams as a workaround, but this is not a great experience for the users to have to do this.

These two threads explain the situation so it seems Microsoft is aware of this but still has no solution.

https://www.microsoftpartnercommunity.com/t5/Multi-Factor-Authentication-MFA/The-new-MFA-for-Partner...

https://www.microsoftpartnercommunity.com/t5/Multi-Factor-Authentication-MFA/Microsoft-Surface-Hub-a...

Hello @alankinane485,

 

It's true, MFA is not supported on the Surface Hub as it will require a human to approve the authentication. Unfortunately I don't have a solution for you at this point if you are required to have MFA enabled on all accounts. However, this is already under our radar and PG is looking for a solution. No ETA at this point.

 

Thank you,

Cezar

 

@alankinane485 Exclude device account from Conditional Access policies. Add corporate IP address to "old" MFA trust list. Set device account MFA to Enabled. Enrol device account to MFA on sign in from another PC so that the account changes to "Enforced".

 

Unless we're totally thinking about this the wrong way, we believe this fulfils the "MFA for all" even if MFA is bypassed for your corporate IP. Could also use an app password with "old" MFA but we haven't found this to be required.

Hello @Tristan Griffiths,

 

The problem with this method is that it will apply to all devices behind that public IP 

 

Thanks

Cezar

@Tristan Griffiths Thanks for that.  This will work I'm sure but I don't see how this gets around the MFA requirement.  Can you explain your thoughts on this?

 

My understanding is that we are not allowed to exclude or bypass any accounts from MFA without exception - although perhaps Microsoft will clarify this in future.  This method just uses the O365 MFA trusted IP address to bypass this CA excluded account.  Is this any different to just using conditional access to bypass based on location for this user?  It just seems like a different method for achieving the same thing to me.

 

@Cezar Cretu We still have a conditional access policy that will be enforced for any users who are not excluded so only this account is affected.  The issue remains the Microsoft contractual obligation for MFA enforcement for all users.  

@alankinane485 does achieve the same thing as CA trusted site bypass but with the ability to use app passwords. Haven't seen (or haven't read clearly enough... more likely) that trusted sites cannot be bypassed for regular users under the partner rule change? Got a link?

 

We shouldn't have to wait too much longer for Microsoft to pull their finger out and release modern auth for Surface Hubs and MTRs.

Hello @alankinane485 

 

As I said, excluding the account based on location would still be an exclusion. Unfortunately at this point I don't have a solution for you. However, this limitation is known and under review by the Surface Hub team. Hopefully we will have a solution shortly.

 

Thank you,

Cezar

@Cezar Cretu We see now the partner requirements changed somewhat. Don't know when. The way I read it now is MFA for all cloud services, from any device, at any location, no exceptions. So we're now stuck with Surface Hubs and Microsoft Teams Room systems. App passwords work for SfBO and EXO on an MTR, but not Teams.

 

I'm not the only one seeing the irony of Microsoft forcing partners to use modern authentication and recommending app vendors switch to the graph, while simultaneously not following their own recommendations?

Hell, even ConnectWise Manage has been updated to the graph and modern authentication (did ours over the long weekend).

@Tristan Griffiths , you are absolutely right and we are aware of the pain this causes. Currently the Surface Hub OS is not able to handle modern authentication but we are working hard on this. There is currently no ETA but this will be fixed soon.

 

Thank you,

Cezar
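
An added example, not part of any post in this thread: a small audit that lists every user, group or location carved out of an enabled MFA-requiring Conditional Access policy, which is the kind of exclusion debated above. It assumes policies exported as JSON in the shape of the Microsoft Graph `conditionalAccessPolicy` resource; the policy names and the `hub-device-account-id` value are constructed, and the per-user ("old") MFA trusted IP list is a separate setting this does not read.

```python
import json

# Constructed sample: two policies shaped like Microsoft Graph
# conditionalAccessPolicy objects. Names and IDs are made up.
POLICIES = json.loads("""
[
  {"displayName": "Require MFA - all users", "state": "enabled",
   "conditions": {"users": {"includeUsers": ["All"],
                            "excludeUsers": ["hub-device-account-id"]},
                  "locations": null},
   "grantControls": {"builtInControls": ["mfa"]}},
  {"displayName": "Require MFA - outside office", "state": "enabled",
   "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                  "locations": {"includeLocations": ["All"],
                                "excludeLocations": ["AllTrusted"]}},
   "grantControls": {"builtInControls": ["mfa"]}}
]
""")


def mfa_gaps(policies):
    """Return (policy, kind, value) for each carve-out in an enabled MFA policy."""
    findings = []
    for p in policies:
        controls = (p.get("grantControls") or {}).get("builtInControls") or []
        # Only enabled policies that actually demand MFA are of interest.
        if p.get("state") != "enabled" or "mfa" not in controls:
            continue
        cond = p.get("conditions") or {}
        users = cond.get("users") or {}
        # Account-level exclusions, e.g. a device account left out of MFA.
        for key in ("excludeUsers", "excludeGroups"):
            for ident in users.get(key) or []:
                findings.append((p["displayName"], key, ident))
        # Location-level exclusions apply to every sign-in from that location.
        locs = cond.get("locations") or {}
        for loc in locs.get("excludeLocations") or []:
            findings.append((p["displayName"], "excludeLocations", loc))
    return findings


if __name__ == "__main__":
    for name, kind, value in mfa_gaps(POLICIES):
        print(f"{name}: {kind} -> {value}")
```

Each finding is an account or network location that can reach the tenant without an MFA prompt, so the output doubles as the list of exceptions to review against an "MFA for all" requirement.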