UPDATE: The can has been kicked down the road. You now have till January 2020.
On Thursday of last week, Microsoft dropped a post on the Tech Communities page with pretty much no context. Here is the announcement:
“To provide our customers with best-in-class security across our services, Microsoft is implementing the use of Microsoft Identity Platform 2.0 (an evolution of the Azure Active Directory identity service) which uses the OAuth 2.0 authorization protocol. OAuth 2.0 is a method through which a third-party app can access web-hosted resources on behalf of a user, through a third-party application ID.
Effective immediately, Microsoft requires all IP Phone partners with Skype for Business certified IP Phones to use Azure AD tenant specific third-party application ID.
As a result of this change, Skype for Business IP Phone partners have made a code change to use partner specific application ID. When deployed, the customer tenant admin will be required to confirm consent to allow the third-party phone application to be granted the necessary permissions (the same permissions currently being used by Skype for Business IP Phones).”
Any time the words “effective immediately” appear in a blog post about a customer’s enterprise environment, it gets people’s attention. What is happening under the hood is that each phone vendor now has to use its own App ID to be approved into your O365 tenant. Until now, Microsoft gave phone vendors an internal Microsoft App ID to embed in their 3PIP phones so the phones could reach the services. Users of course still had to supply a username and password, but that shared App ID was hiding underneath.
So now each vendor will have its own App ID.
When you click on the link, you approve that vendor’s App ID into your O365 tenant. Tom has some cool screenshots of this along with a few FAQs on it. One thing I wanted to add to the list is a table, because I think it makes it easier to understand what I need to do.
| Deployment Type | User Homed | Impact Statement |
| --- | --- | --- |
| Teams / SfB 3PIP phones using Cloud Interop Gateway | Online | All phones must be updated by July 1st and tenant admins must have approved phone partners App ID |
| SfB Online | Online | All phones must be updated by July 1st and tenant admins must have approved phone partners App ID |
| SfB On-Premises with Modern Auth Enabled | Online or On-Premises | All phones must be updated by July 1st and tenant admins must have approved phone partners App ID |
| SfB On-Premises WITHOUT Modern Auth Enabled | Online | All phones must be updated by July 1st and tenant admins must have approved phone partners App ID |
| SfB On-Premises WITHOUT Modern Auth Enabled | On-Premises | No Impact |
| SfB No Hybrid | On-Premises | No Impact |
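Since the whole change comes down to whether a tenant admin has consented to the vendor’s App ID, here is a way to verify that from the tenant side. This is an added example written for this post, not something Microsoft or any phone vendor ships. It assumes the AzureAD PowerShell module is installed, and the `$VendorAppId` value is a placeholder you replace with the App ID your phone vendor publishes in their firmware notes.

```powershell
# Added example (not part of the original post): list the OAuth2 permission grants
# in the tenant, resolve them to app names, and report whether a given vendor
# App ID has been admin-consented.
Import-Module AzureAD
Connect-AzureAD | Out-Null

# Placeholder: replace with the App ID your phone vendor publishes (assumption)
$VendorAppId = '00000000-0000-0000-0000-000000000000'

# Cache every service principal so grant ClientId/ResourceId can be mapped to names
$spById = @{}
Get-AzureADServicePrincipal -All $true | ForEach-Object { $spById[$_.ObjectId] = $_ }

# All delegated permission grants in the tenant. ConsentType 'AllPrincipals'
# means a tenant admin consented on behalf of all users (the "approve the
# vendor's App ID" step); 'Principal' means a single user consented for themselves.
$grants = Get-AzureADOAuth2PermissionGrant -All $true

$report = foreach ($g in $grants) {
    $client   = $spById[$g.ClientId]
    $resource = $spById[$g.ResourceId]
    [pscustomobject]@{
        ClientApp   = $client.DisplayName
        AppId       = $client.AppId
        Publisher   = $client.PublisherName
        Resource    = $resource.DisplayName
        ConsentType = $g.ConsentType
        Scope       = $g.Scope
    }
}

# Everything an admin has consented to, so unexpected third-party apps stand out
$report |
    Where-Object { $_.ConsentType -eq 'AllPrincipals' } |
    Sort-Object ClientApp |
    Format-Table ClientApp, AppId, Publisher, Resource, Scope -AutoSize

# Specific check for the phone vendor's App ID
$vendorGrants = @($report | Where-Object {
    $_.AppId -eq $VendorAppId -and $_.ConsentType -eq 'AllPrincipals'
})
if ($vendorGrants.Count -gt 0) {
    "Vendor App ID $VendorAppId is admin-consented for: $($vendorGrants.Resource -join ', ')"
} else {
    "Vendor App ID $VendorAppId has NOT been admin-consented in this tenant."
}
```

Run this before July 1st and again after you click the vendor’s consent link; the second run should show the vendor’s App ID with a ConsentType of AllPrincipals. The full listing is also a useful periodic review, since the same consent mechanism is how any third-party app gets a foothold in the tenant.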
IP Phone vendors are working hard to get firmware updated that will allow their phones to play nice with this new security model.