15th May Update: The date has moved from July 1st 2019 to January 15, 2020.
If you have SfB Certified IP Phones (3PIP) from AudioCodes, Crestron, Polycom or Yealink signing into to Skype for Business Online (or Microsoft Teams via cloud interop), you will need to firmware update them and take one time tenant admin steps to approve each vendor’s phones sign in to your Office 365 tenant (once per vendor) or they will fail to sign in after January 15, 2020.
Today all certified phones used the same single Azure application ID, which is used as part the process for signing into Office 365. Microsoft is moving authentication a model where each 3rd party phone vendor will each have a unique vendor application ID.
Each vendor will issue updated firmware with their application ID embedded.
Each vendor “app ID” needs approval by a tenant admin before phones with that ID/from that vendor will be able to sign into your tenant. This means the approval must be completed before you move to this updated firmware(s).
Approval involves clicking a link each vendor will provide:
- Poly approval URL (Poly official advisory)
- Crestron approval URL (thanks to Crestron)
- AudioCodes approval URL (thanks AudioCodes)
- Yealink approval URL (thanks Yealink blog)
I will list them on this blog as they become available. The URL grants the following permissions
These permissions are no different from what the phones have today.
Each vendor will be providing specific details of which firmware has their new application ID in, and the above approval process will need to be completed before phones with that firmware will be able to sign in so this process will need to be carefully managed/synchronised.
I will list the firmware versions as they are released. Today no vendors have GA firmware with their own app ID.
Polycom firmware versions with target dates (via Adam Jacobs)
|Device name||Software Version||Timeline|
|Poly Trio||5.9.0 Rev AB||Mid-May|
|T5X Desk Phone Series||T58A||126.96.36.199 and above|
|Conference Phone||CP960||188.8.131.52 and above|
|T4XS Desk Phone Series||T48S||184.108.40.206 and above|
|T4XG Desk Phone Series||T48G||220.127.116.11 and above|
|T46G||18.104.22.168 and above|
|T41P/T42G||22.214.171.124 and above|
Frequently Asked Questions
All answers to the best of my knowledge while the detail unfolds. Subscribe to the email updates to stay informed.
Does this affect phones connecting to Skype for Business Online?
Does this affect phones connecting to Skype for Business Server?
No, unless you specifically SfB server for oAuth sign in
Does this affect phones connecting to Skype for Business Server but using Exchange UM Online or Cloud Voicemail?
Yes, since they have to authenticate to Office 365, but awaiting confirmation
Does this affect SfB Online certified phones being used against Microsoft Teams via the Cloud Interop Gateway?
Will it be the same app/consent allow all phones of a specific vendor to connect? e.g. is this a one time action per phone vendor (or model)?
App consent is once per 3PIP vendor, so once for Poly, AudioCodes, Yealink and Crestron.
Will there be Office 365 message centre communications?
What about Lync Phone Edition?
LPE is out of support and end of life. They will shortly not sign into Office 365 due to TLS1.2/3DES, and this will also prevent them from signing in
Does this apply to Microsoft Teams (native) Phones?
No, Teams Phones run android and then a native Microsoft produced Teams app and uses native oauth and sign in.
The original Microsoft Blog Post
To provide our customers with best-in-class security across our services, Microsoft is implementing the use of Microsoft Identity Platform 2.0 (an evolution of the Azure Active Directory identity service) which uses the OAuth 2.0 authorization protocol.
OAuth 2.0 is a method through which a third-party app can access web-hosted resources on behalf of a user, through a third-party application ID.
As result of this change, Skype for Business IP Phone partners have made a code change to use partner specific application ID. When deployed, the customer tenant admin will be required to confirm consent to allow the third-party phone application to be granted the necessary permissions (the same permissions currently being used by Skype for Business IP Phones).
All certified Skype for Business IP phones must be updated by July 1st, 2019. Without the update, successful authentication to Microsoft services on IP Phones will fail. Customers are encouraged to work with their certified Skype for Business IP Phone provider to make the update before the deadline.