Update Your Phones (Soon!)

2019/04/30

On Thursday of last week, Microsoft dropped a post on the Tech Communities page with pretty much no context. Here is the announcement:

To provide our customers with best-in-class security across our services, Microsoft is implementing the use of Microsoft Identity Platform 2.0 (an evolution of the Azure Active Directory identity service) which uses the OAuth 2.0 authorization protocol. OAuth 2.0 is a method through which a third-party app can access web-hosted resources on behalf of a user, through a third-party application ID.

Effective immediately, Microsoft requires all IP Phone partners with Skype for Business certified IP Phones to use an Azure AD tenant-specific third-party application ID.

As a result of this change, Skype for Business IP Phone partners have made a code change to use a partner-specific application ID. When deployed, the customer tenant admin will be required to confirm consent to allow the third-party phone application to be granted the necessary permissions (the same permissions currently being used by Skype for Business IP Phones).

Anytime you have the words "effective immediately" in a blog post about a customer's enterprise environment, that will get some people's attention. What is happening under the hood is that each phone vendor now has to use their own App ID to be approved into your O365 environment. Until now, Microsoft gave an internal App ID to phone vendors to embed in their 3PIP phones so they could get access to services. The users of course still had to supply their username/password, but that shared Microsoft App ID was hiding underneath.

So now each vendor will have its own App ID.

And when you click on the link, you approve that vendor's App ID into your O365 tenant. Tom has some cool screenshots of this along with a few FAQs on it. One thing I wanted to add to the list is a table, because I think it's easier to understand what I need to do.

| Deployment Type | User Homed | Impact Statement |
| --- | --- | --- |
| Teams / SfB 3PIP phones using Cloud Interop Gateway | Online | All phones must be updated by July 1st and tenant admins must have approved the phone partner's App ID |
| SfB Online | Online | All phones must be updated by July 1st and tenant admins must have approved the phone partner's App ID |
| SfB On-Premises with Modern Auth Enabled | Online or On-Premises | All phones must be updated by July 1st and tenant admins must have approved the phone partner's App ID |
| SfB On-Premises WITHOUT Modern Auth Enabled | Online | All phones must be updated by July 1st and tenant admins must have approved the phone partner's App ID |
| SfB On-Premises WITHOUT Modern Auth Enabled | On-Premises | No Impact |
| SfB No Hybrid | On-Premises | No Impact |

IP Phone vendors are working hard to release updated firmware that will allow their phones to play nice with this new security model.
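Since the table above hinges on the tenant admin having consented to the vendor's App ID, here is an added example (not from the original post or from Microsoft) that lists every tenant-wide admin consent in Azure AD and checks whether a given vendor App ID is among them. It assumes the AzureAD PowerShell module is installed, and the `$vendorAppId` GUID is a placeholder you replace with the App ID your phone partner publishes.

```powershell
# Added example, not part of the original post.
# Audits tenant-wide (admin) OAuth2 consents so you can confirm a phone vendor's
# App ID was actually approved. Requires the AzureAD module (Connect-AzureAD).
Connect-AzureAD | Out-Null

# Placeholder: substitute the App ID your phone partner publishes.
$vendorAppId = '00000000-0000-0000-0000-000000000000'

# ConsentType 'AllPrincipals' marks a grant an admin approved for every user in the tenant,
# which is exactly the consent the phone vendors' new App IDs need.
$adminGrants = Get-AzureADOAuth2PermissionGrant -All $true |
    Where-Object { $_.ConsentType -eq 'AllPrincipals' }

$report = foreach ($g in $adminGrants) {
    # ClientId is the consenting app's service principal; ResourceId is the API it was granted on.
    $client   = Get-AzureADServicePrincipal -ObjectId $g.ClientId
    $resource = Get-AzureADServicePrincipal -ObjectId $g.ResourceId
    [pscustomobject]@{
        App      = $client.DisplayName
        AppId    = $client.AppId
        Resource = $resource.DisplayName
        Scope    = ($g.Scope).Trim()   # delegated permissions, space-separated
    }
}

# Full inventory of admin-consented third-party apps: review anything you do not recognise.
$report | Sort-Object App | Format-Table -AutoSize

# Has the phone vendor's App ID been consented in this tenant?
$vendorConsent = $report | Where-Object { $_.AppId -eq $vendorAppId }
if ($vendorConsent) {
    Write-Output "Vendor App ID $vendorAppId is admin-consented with scope: $($vendorConsent.Scope -join ' ')"
} else {
    Write-Warning "Vendor App ID $vendorAppId has no tenant-wide consent; phones using it will fail to sign in after the cut-over."
}
```

Running this before the firmware rollout tells you whether the consent step has already been done for your tenant, and the full inventory doubles as a review of every other app an admin has approved on behalf of all users.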
