Very sub optimal application sign in experience with new Surface Hub 2s


I do understand that Surface Hub 2s does have a device account that logs in automatically, so that we cannot have single sign on. I'm ok with that. But currently when trying to access a OneDrive file, I have to sign in multiple times.

While signing in, the first text box does look up and find my account:

IMG_20190905_101622.jpg

but when I try to continue, the sign in dialog simply disappears. Only when I ignore the first textbox, select "work account", click on "next" with an empty textbox, and then type in my email address into the next dialog, which does not suggest accounts from my company, I can authenticate:

IMG_20190905_101657.jpg

My expectation would be that the first sign in dialog could handle the sign in process.

 

Another problem: I have activated the simplified sign in using my authenticator app, but after typing my email address, the on-screen-keyboard stays on the screen and covers the number that should be selected on the phone authenticator app - I need to manually move the on-screen-keyboard to see the number:

IMG_20190905_101914.jpg

 

Is there any configuration I need to change to have the first sign in dialog running well and the on-screen-keyboard disappear when the number is shown?

6 Replies

@Sven Erik Matzen we have the same issue with the sign in. Have you managed to fix it?

No, unfortunately we have to live with that behaviour. It's one of the big ux faults.

Hello @Sven Erik Matzen, and @ThomasH1984 

 

Single Sign-On currently doesn't work when the device is Azure AD joined. We are aware of this limitation. However, this only affects the personal user, not the device account. The device account should be able to sign-in regardless.

As for the personal sign-in, make sure that your account has the same UPN and SMTP, which is a requirement for EasyAuth (the dropdown suggestions in the first window). If you have UPN / SMTP mismatch, then you will need to select the Work Account option.

In regards to the on-screen keyboard, I will make some tests and report this to the Product Group.

 

Thank you,

Cezar

@Sven Erik Matzen I ended up resetting our Hubs to use a local administrator account instead of joining to the Azure domain just to get around that problem. I'm still able to use MDM from our 365 License.

Adding a "Me too" to this thread.

 

We are finding this same behavior on three Surface Hubs which we recently joined to Azure AD, with more planned. Entering anything into the first username field causes the next dialog to flash for a moment, then disappear. @Cezar Cretu, all of our UPNs have a matching SMTP address.

 

If this is a "known issue", could someone point me to where this has been shared by Microsoft? It would have been helpful if there were a note near the documentation I followed to join the Surface Hubs to Azure AD.

 

As to the workaround of using a local account. Is there a reason to use a local account, over On-Prem Active Directory? What are the implications of either, over joining Azure AD?

 

Thanks.

@Nathan Hartley,

 

There are 2 separate issues. The Easy Auth feature where you need to have the same UPN and SMTP and the SSO part which is not supported when the device is AAD joined.

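This is documented here (https://docs.microsoft.com/en-us/surface-hub/first-run-program-surface-hub#what-happens-9) and here (https://docs.microsoft.com/en-us/surface-hub/known-issues-and-additional-info-about-surface-hub).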

 

"If you join Surface Hub to Azure AD during first-run setup, single sign-on (SSO) for Office apps will not work properly. Users will have to sign in to each Office app individually."

 

"Single sign-in when Azure AD joined
Surface Hub was designed for communal spaces, which impacts the way user credentials are stored. Because of this, there are currently limitations in how single sign-in works when devices are Azure AD joined. Microsoft is aware of this limitation and is actively investigating options for a resolution."
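
The UPN / SMTP requirement for EasyAuth mentioned in both of Cezar's replies can be audited across accounts before rolling out more Hubs. The following is an added example, not part of the original thread or of any Microsoft tooling: it assumes "SMTP" means the primary SMTP address as stored in the `proxyAddresses` attribute, and the function names and sample users are constructed for illustration.

```powershell
# Constructed sample records; names and domains are made up.
# In a real directory the same two properties can be read with, for example:
#   Get-ADUser -Filter * -Properties proxyAddresses
$users = @(
    [pscustomobject]@{
        UserPrincipalName = 'anna@contoso.example'
        ProxyAddresses    = @('SMTP:anna@contoso.example', 'smtp:a.berg@contoso.example')
    }
    [pscustomobject]@{
        UserPrincipalName = 'ben@contoso.example'
        ProxyAddresses    = @('smtp:ben@contoso.example', 'SMTP:ben.ito@contoso.example')
    }
    [pscustomobject]@{
        UserPrincipalName = 'hubroom1@contoso.example'
        ProxyAddresses    = @()
    }
)

function Get-PrimarySmtp {
    param([string[]]$ProxyAddresses)
    # The primary address carries an upper-case 'SMTP:' prefix; aliases use 'smtp:'.
    # -clike is the case-sensitive form of -like, so aliases are skipped.
    $primary = $ProxyAddresses | Where-Object { $_ -clike 'SMTP:*' } | Select-Object -First 1
    if ($primary) { $primary.Substring(5) } else { $null }
}

function Find-UpnSmtpMismatch {
    param([Parameter(ValueFromPipeline)]$User)
    process {
        $smtp = Get-PrimarySmtp -ProxyAddresses $User.ProxyAddresses
        # Mail addresses are compared case-insensitively.
        if (-not $smtp) { $status = 'NoPrimarySmtp' }
        elseif ($smtp -ieq $User.UserPrincipalName) { $status = 'Match' }
        else { $status = 'Mismatch' }
        [pscustomobject]@{
            UserPrincipalName = $User.UserPrincipalName
            PrimarySmtp       = $smtp
            Status            = $status
        }
    }
}

# List only the accounts that would have to fall back to the Work Account option.
$users | Find-UpnSmtpMismatch | Where-Object Status -ne 'Match' | Format-Table -AutoSize
```

A clean result only rules out the EasyAuth requirement; as the thread notes, SSO on an Azure AD joined Hub is a separate limitation.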