Jan 11 2020 12:44 AM
Hi, we have been using the Surface Hub 2 with Microsoft Teams for 2 months and suddenly, in the afternoon, it can't load MS Teams. Thought there was file corruption after using it a day ago. Therefore, we did a factory reset and are still unable to resolve the issue. Unable to find many resources online pertaining to this problem. The MS Teams screen just shows as a blank black screen (same after clicking join the meeting, or launching the app manually). By the way, we are using local AD synced with Azure AD. Any suggestions on how to resolve this, as we are going to use it on Tuesday?
Thanks.
Jan 11 2020 01:00 AM
By the way, using the Hub Edge application, I am able to log in to MS Teams and join the meeting with no issues. Therefore, I don't think it is an account issue.
Jan 12 2020 10:02 AM
Same issue here on a new Hub 2 that was set up for the first time yesterday.
Jan 13 2020 02:53 AM
This is an outage and investigations are under way. The issue affects all newly deployed devices and new installations (factory reset). Please accept my apologies for the matter and hold on while we work on resolving this.
Thank you,
Cezar Cretu
Jan 13 2020 07:18 AM
@Cezar Cretu Please keep us updated on this matter as to resolution and steps required.
Jan 13 2020 09:58 PM
@Cezar Cretu, I'm also waiting for a status update from you ;)
Jan 14 2020 01:10 AM
Hello everyone,
Issue has been mitigated. Please test and confirm.
Thank you,
Cezar
Jan 14 2020 02:59 AM
This issue is now confirmed as resolved. Your issue might be related to something else like conditional access, account configuration, network and so on. I suggest opening a case if you are still having issues.
Thank you
Cezar
Jan 15 2020 01:49 AM
Hello @alankinane485,
It's true, MFA is not supported on the Surface Hub as it will require a human to approve the authentication. Unfortunately I don't have a solution for you at this point if you are required to have MFA enabled on all accounts. However, this is already under our radar and PG is looking for a solution. No ETA at this point.
Thank you,
Cezar
Jan 15 2020 02:00 PM
@alankinane485 Exclude device account from Conditional Access policies. Add corporate IP address to "old" MFA trust list. Set device account MFA to Enabled. Enrol device account to MFA on sign in from another PC so that the account changes to "Enforced".
Unless we're totally thinking about this the wrong way, we believe this fulfils the "MFA for all" even if MFA is bypassed for your corporate IP. Could also use an app password with "old" MFA but we haven't found this to be required.
Jan 16 2020 01:19 AM
Hello @Tristan Griffiths,
The problem with this method is that it will apply to all devices behind that public IP.
Thanks
Cezar
Jan 16 2020 03:17 AM
@Tristan Griffiths Thanks for that. This will work I'm sure but I don't see how this gets around the MFA requirement. Can you explain your thoughts on this?
My understanding is that we are not allowed to exclude or bypass any accounts from MFA without exception - although perhaps Microsoft will clarify this in future. This method just uses the O365 MFA trusted IP address to bypass this CA excluded account. Is this any different to just using conditional access to bypass based on location for this user? It just seems like a different method for achieving the same thing to me.
@Cezar Cretu We still have a conditional access policy that will be enforced for any users who are not excluded so only this account is affected. The issue remains the Microsoft contractual obligation for MFA enforcement for all users.
Jan 19 2020 01:45 PM
@alankinane485 does achieve the same thing as CA trusted site bypass but with the ability to use app passwords. Haven't seen (or haven't read clearly enough... more likely) that trusted sites cannot be bypassed for regular users under the partner rule change? Got a link?
We shouldn't have to wait too much longer for Microsoft to pull their finger out and release modern auth for Surface Hubs and MTRs.
Jan 20 2020 02:11 AM
Hello @alankinane485
As I said, excluding the account based on location would still be an exclusion. Unfortunately at this point I don't have a solution for you. However, this limitation is known and under review by the Surface Hub team. Hopefully we will have a solution shortly.
Thank you,
Cezar
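An added example, not part of any post in this thread: a small audit that counts both a user exclusion and a location exclusion on an MFA-requiring Conditional Access policy as exceptions, which is the distinction debated above. The policy JSON is constructed in the shape of Microsoft Graph `conditionalAccessPolicy` objects; display names and account IDs are placeholders, and the per-user ("old") MFA trusted IP list is stored elsewhere and is not covered.

```python
import json

# Constructed sample shaped like Microsoft Graph conditionalAccessPolicy
# objects. Display names and the account IDs are placeholders, not real values.
POLICIES_JSON = """
[
  {"displayName": "Require MFA - all users", "state": "enabled",
   "conditions": {"users": {"includeUsers": ["All"],
                            "excludeUsers": ["<hub-device-account-id>"]},
                  "locations": null},
   "grantControls": {"builtInControls": ["mfa"]}},
  {"displayName": "Require MFA - outside office", "state": "enabled",
   "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                  "locations": {"includeLocations": ["All"],
                                "excludeLocations": ["AllTrusted"]}},
   "grantControls": {"builtInControls": ["mfa"]}},
  {"displayName": "Block legacy auth", "state": "enabled",
   "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                  "locations": null},
   "grantControls": {"builtInControls": ["block"]}},
  {"displayName": "Old pilot policy", "state": "disabled",
   "conditions": {"users": {"includeUsers": ["All"],
                            "excludeUsers": ["<pilot-user-id>"]},
                  "locations": null},
   "grantControls": {"builtInControls": ["mfa"]}}
]
"""

def mfa_exceptions(policies):
    """Return (policy, kind, value) for every carve-out on an enforced MFA policy."""
    findings = []
    for p in policies:
        if p.get("state") != "enabled":          # skip disabled / report-only
            continue
        controls = (p.get("grantControls") or {}).get("builtInControls") or []
        if "mfa" not in controls:                # only policies that require MFA
            continue
        cond = p.get("conditions") or {}
        users = cond.get("users") or {}
        for kind, key in (("user", "excludeUsers"), ("group", "excludeGroups")):
            for ident in users.get(key) or []:
                findings.append((p["displayName"], kind, ident))
        # A location exclusion is a carve-out for everyone signing in from there.
        for loc in (cond.get("locations") or {}).get("excludeLocations") or []:
            findings.append((p["displayName"], "location", loc))
    return findings

if __name__ == "__main__":
    for row in mfa_exceptions(json.loads(POLICIES_JSON)):
        print(row)
```
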
Jan 27 2020 02:55 PM
@Cezar Cretu We see now the partner requirements changed somewhat. Don't know when. The way I read it now is MFA for all cloud services, from any device, at any location, no exceptions. So we're now stuck with Surface Hubs and Microsoft Teams Room systems. App passwords work for SfBO and EXO on an MTR, but not Teams.
I'm not the only one seeing the irony of Microsoft forcing partners to use modern authentication and recommending app vendors switch to the graph, while simultaneously not following their own recommendations?
Hell, even ConnectWise Manage has been updated to the graph and modern authentication (did ours over the long weekend).
Jan 28 2020 03:08 AM
@Tristan Griffiths, you are absolutely right and we are aware of the pain this causes. Currently the Surface Hub OS is not able to handle modern authentication but we are working hard on this. There is currently no ETA but this will be fixed soon.
Thank you,
Cezar