Tom Talks Microsoft Teams and Microsoft 365 Collaboration news and opinions

All Skype for Business IP Phones must be firmware updated by January 15, 2020 to continue to sign into Office 365

15th May Update: The date has moved from July 1st 2019 to January 15, 2020.

If you have SfB Certified IP Phones (3PIP) from AudioCodes, Crestron, Polycom or Yealink signing into to Skype for Business Online (or Microsoft Teams via cloud interop), you will need to firmware update them and take one time tenant admin steps to approve each vendor’s phones sign in to your Office 365 tenant (once per vendor) or they will fail to sign in after January 15, 2020.

Today all certified phones used the same single Azure application ID, which is used as part the process for signing into Office 365. Microsoft is moving authentication a model where each 3rd party phone vendor will each have a unique vendor application ID.

Each vendor will issue updated firmware with their application ID embedded.

Each vendor “app ID” needs approval by a tenant admin before phones with that ID/from that vendor will be able to sign in to your tenant. This means the approval must be completed before you move to this updated firmware(s).

Approval Process

Approval involves clicking a link each vendor will provide:

I will list them on this blog as they become available. The URL grants the following permissions

These permissions are no different from what the phones have today.

Each vendor will be providing specific details of which firmware has their new application ID in, and the above approval process will need to be completed before phones with that firmware will be able to sign in so this process will need to be carefully managed/synchronised.

You can see the application ID as approved in Azure AD

Firmware Versions

I will list the firmware versions as they are released. Today no vendors have GA firmware with their own app ID.

Polycom firmware versions with target dates (via Adam Jacobs)

Device nameSoftware VersionTimeline
VVX Phones5.9.3Mid-May
Poly Trio5.9.0 Rev ABMid-May
Group Series6.2.1.1Mid-June

Yealink

SeriesModelVersion
T5X Desk Phone SeriesT58A55.9.0.13 and above
T56A
T55A
Conference PhoneCP96073.8.0.34 and above
T4XS Desk Phone SeriesT48S66.9.0.78 and above
T46S
T42S
T41S
T4XG Desk Phone SeriesT48G35.8.0.81 and above
T46G28.8.0.81 and above
T41P/T42G29.8.0.81 and above

Frequently Asked Questions

All answers to the best of my knowledge while the detail unfolds. Subscribe to the email updates to stay informed.

Does this affect phones connecting to Skype for Business Online?

Yes

Does this affect phones connecting to Skype for Business Server?

No, unless you specifically SfB server for oAuth sign in

Does this affect phones connecting to Skype for Business Server but using Exchange UM Online or Cloud Voicemail?

Yes, since they have to authenticate to Office 365, but awaiting confirmation

Does this affect SfB Online certified phones being used against Microsoft Teams via the Cloud Interop Gateway?

Yes

Will it be the same app/consent allow all phones of a specific vendor to connect? e.g. is this a one time action per phone vendor (or model)?

App consent is once per 3PIP vendor, so once for Poly, AudioCodes, Yealink and Crestron.

Will there be Office 365 message centre communications?

Yes.

What about Lync Phone Edition?

LPE is out of support and end of life. They will shortly not sign into Office 365 due to TLS1.2/3DES, and this will also prevent them from signing in

Does this apply to Microsoft Teams (native) Phones?

No, Teams Phones run android and then a native Microsoft produced Teams app and uses native oauth and sign in.

The original Microsoft Blog Post

If you are interested, here are some snippets from the original Skype for Business Blog. Thanks to Tom Morgan for highlighting it on twitter.

To provide our customers with best-in-class security across our services, Microsoft is implementing the use of Microsoft Identity Platform 2.0 (an evolution of the Azure Active Directory identity service) which uses the OAuth 2.0 authorization protocol.

OAuth 2.0 is a method through which a third-party app can access web-hosted resources on behalf of a user, through a third-party application ID.

As result of this change, Skype for Business IP Phone partners have made a code change to use partner specific application ID. When deployed, the customer tenant admin will be required to confirm consent to allow the third-party phone application to be granted the necessary permissions (the same permissions currently being used by Skype for Business IP Phones).

All certified Skype for Business IP phones must be updated by July 1st, 2019. Without the update, successful authentication to Microsoft services on IP Phones will fail. Customers are encouraged to work with their certified Skype for Business IP Phone provider to make the update before the deadline.

Reference:

About the author

Tom Arbuthnot

A Microsoft MVP and Microsoft Certified Master, Tom Arbuthnot is Principal Solutions Architect at Microsoft Collaboration specialists Modality Systems.

Tom stays up to date with industry developments and shares news and his opinions on his blog, Microsoft Teams Podcast and email list. He is a regular speaker at events around the world.

27 comments

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

  • Thanks for the article Tom. If this affects On-Premises Deployments if they use Exchange Online, this must also mean that this change affects any device manufacturer whose devices us Exchange Online for Calendar information, such as the Evoko Room Management software (to name just one, there are many). Do we know if from 1st July, any device using Exchange Online for Calendar Management (inline with Skype for Business On-Premises) will be affected? If so, would you agree the timelines are short?

  • Any update on the Polycom VVX and Trio firmware’s? I see Polycom UC Software 6.0.0.4796 already available on their website. This versioning seems greater than the “5.9.3” posted above. Does that mean it’ll work with Microsoft’s Modern Auth/ OAuth 2.0 changes post July 19th?

  • Hi Tom,
    Thank you. Do you have any news about Yealink?

    Small typo: App Concent is once per 3PIP vendor, so once for Poly, AudioCodes, Yealink and Crestron.

    • No new yet. They are supposed to be dropping me an email when they have firmware versions and a link.

      Thanks for the typo heads up. Fixed.

      • Tom can we use the approval link now for the polycom and still have our existing phone work with skype and then as the firmware comes out for the vvx we just need to update them for the user to be able to log into skype. I don’t want to have to wait to the last minute to update around 90 vvx phones

      • Tom can we go ahead and use the Polycom approval link now and still not have an issue with our existing phones that are connected to skype? Then when the firmware comes out for the vvx phone all we need to do is update them so they can use the single ID? I have about 90 phones in my organization that we need to update.

  • Anyone has clarification on the “Does this affect phones connecting to Skype for Business Server but using Exchange UM Online or Cloud Voicemail?” case? More specificaly on a case where Oauth is used in 0365 but not on the SfB server? Thanks

    • I would like to know as well Last VVX 500/600 legacy firmware is 5.9.2.xxxx April 12 2019, talk about leaving it to the last minute, I haven’t seen an message center communication either, I thought they were suppose to give like 3-6 months notice on major changes like this. with less than 4 weeks to go its not leaving much time for testing etc.

      • Hi WPJ,

        MSFT have moved the date back now. 15th May Update: The date has moved from July 1st 2019 to January 15, 2020.

        Gives everyone a bit more time to get lined up.

        • Tom yes I noticed that after I posted, how ever the poly advisor also now says 5.9.4 to have the fix and that’s now expected until Q4 2019 so they are still cutting it close.

  • Hi Tom,

    The URL for Polycom phones does not seem to work. I get:

    AADSTS50011: The reply url specified in the request does not match the reply urls configured for the application: ‘a850aaae-d5a5-4e82-877c-ce54ff916282’.

    • Scott, that URL is valid (I just tested it again). You need to be a Global Admin in order to accept the requested rights for the O365 tenant. (Also note that Poly’s uses a redirection to a page to confirm that the application approval process completed successfully. The other vendor’s links are not doing that so they may not actually appear to work by comparison.)

    • It works, it’s just there is no ‘finishing landing page’ so it looks like it doesn’t work.

      Check your portal and you will see it’s approved.

  • Hi Tom,

    Do you know what URL & Ports are to be opened from the IP phone subnet for Web Sign-in to work successfully?

  • Agreeing to Microsoft’s change to utilizing the OAuth 2.0 convention with Skype for Business telephones will require applying a firmware update to those telephones and giving authoritative assent. Microsoft’s telephone equipment accomplices, for example, AudioCodes, Crestron, Polycom and Yealink, are as of now concluding the new OAuth 2.0 firmware refreshes for Skype for Business telephones.

Tom Talks Microsoft Teams and Microsoft 365 Collaboration news and opinions