Sep 05 2019 04:03 AM
I do understand that Surface Hub 2s does have a device account that logs in automatically, so that we cannot have single sign on. I'm ok with that. But currently when trying to access a OneDrive file, I have to sign in multiple times.
While signing in, the first text box does look up and find my account:
but when I try to continue, the sign in dialog simply disappears. Only when I ignore the first textbox, select "work account", click on "next" with an empty textbox, and then type in my email address into the next dialog, which does not suggest accounts from my company, I can authenticate:
My expectation would be that the first sign in dialog could handle the sign in process.
Another problem: I have activated the simplified sign in using my authenticator app, but after typing my email address, the on-screen-keyboard stays on the screen and covers the number that should be selected on the phone authenticator app - I need to manually move the on-screen-keyboard to see the number:
Is there any configuration I need to change to have the first sign in dialog running well and the on-screen-keyboard disappear when the number is shown?
Sep 17 2019 02:20 AM
@Sven Erik Matzen we have the same issue with the sign in. Have you managed to fix it?
Sep 17 2019 03:01 AM
Sep 17 2019 03:05 AM
Hello @Sven Erik Matzen, and @ThomasH1984
Single Sign-On currently doesn't work when the device is Azure AD joined. We are aware of this limitation. However, this only affects the personal user, not the device account. The device account should be able to sign-in regardless.
As for the personal sign-in, make sure that your account has the same UPN and SMTP which is a requirement for EasyAuth (the dropdown suggestions in the first window). If you have UPN / SMTP mismatch, then you will need to select the Work Account option.
In regards to the on-screen keyboard, I will make some tests and report this to the Product Group.
Thank you,
Cezar
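One way to audit the UPN / SMTP requirement mentioned in the reply above, as an added example that is not part of the original thread or any Microsoft tooling. The function name `Test-UpnSmtpMatch` is hypothetical, the sample accounts are constructed, and it assumes input objects that expose `UserPrincipalName` and `ProxyAddresses` properties, with the primary address marked by an upper-case `SMTP:` prefix.

```powershell
# Added example (hypothetical helper, not Microsoft code): report accounts whose
# UPN differs from their primary SMTP address.
function Test-UpnSmtpMatch {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$User
    )
    process {
        # The primary address carries an upper-case "SMTP:" prefix; aliases use
        # lower-case "smtp:". -clike is the case-sensitive wildcard match.
        $primary = @($User.ProxyAddresses | Where-Object { $_ -clike 'SMTP:*' })
        $smtp = $null

        if ($primary.Count -eq 0) {
            $status = 'NoPrimarySmtp'
        } elseif ($primary.Count -gt 1) {
            $status = 'MultiplePrimarySmtp'
        } else {
            $smtp = $primary[0].Substring(5)
            # Mail addresses and UPNs are compared case-insensitively.
            if ($smtp -ieq $User.UserPrincipalName) {
                $status = 'Match'
            } else {
                $status = 'Mismatch'
            }
        }

        [pscustomobject]@{
            UserPrincipalName = $User.UserPrincipalName
            PrimarySmtp       = $smtp
            Status            = $status
        }
    }
}

# Constructed sample accounts (not real users).
$sampleUsers = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@example.com'
                       ProxyAddresses    = @('SMTP:alice@example.com', 'smtp:a.smith@example.com') }
    [pscustomobject]@{ UserPrincipalName = 'bob@corp.example.com'
                       ProxyAddresses    = @('smtp:bob@corp.example.com', 'SMTP:bob@example.com') }
    [pscustomobject]@{ UserPrincipalName = 'carol@example.com'
                       ProxyAddresses    = @() }
)

# Show only the accounts that would not satisfy the UPN = SMTP requirement.
$sampleUsers | Test-UpnSmtpMatch | Where-Object Status -ne 'Match' | Format-Table -AutoSize
```

With the constructed data, the second account is reported as `Mismatch` and the third as `NoPrimarySmtp`.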
Sep 20 2019 10:43 AM
@Sven Erik Matzen I ended up resetting our Hubs to use a local administrator account instead of joining to the Azure domain just to get around that problem. I'm still able to use MDM from our 365 License.
Oct 21 2019 02:02 PM
Adding a "Me too" to this thread.
We are finding this same behavior on three Surface Hubs which we recently joined to Azure AD, with more planned. Entering anything into the first username field causes the next dialog to flash for a moment, then disappear. @cezarcretu, all of our UPNs have a matching SMTP address.
If this is a "known issue", could someone point me to where this has been shared by Microsoft? It would have been helpful if there were a note near the documentation I followed to join the Surface Hubs to Azure AD.
As to the workaround of using a local account. Is there a reason to use a local account, over On-Prem Active Directory? What are the implications of either, over joining Azure AD?
Thanks.
Oct 22 2019 01:19 AM
There are 2 separate issues. The Easy Auth feature where you need to have the same UPN and SMTP and the SSO part which is not supported when the device is AAD joined.
This is documented here and here.
"If you join Surface Hub to Azure AD during first-run setup, single sign-on (SSO) for Office apps will not work properly. Users will have to sign in to each Office app individually."
"Single sign-in when Azure AD joined
Surface Hub was designed for communal spaces, which impacts the way user credentials are stored. Because of this, there are currently limitations in how single sign-in works when devices are Azure AD joined. Microsoft is aware of this limitation and is actively investigating options for a resolution."