15th May 2019 Update: The date has moved from July 1st 2019 to January 15, 2020.
12th January 2020 Update: The date has moved to 15th July 2020 – details here
If you have SfB Certified IP Phones (3PIP) from AudioCodes, Crestron, Polycom or Yealink signing into to Skype for Business Online (or Microsoft Teams via cloud interop), you will need to firmware update them and take one time tenant admin steps to approve each vendor’s phones sign in to your Office 365 tenant (once per vendor) or they will fail to sign in after January 15, 2020.
Today all certified phones used the same single Azure application ID, which is used as part the process for signing into Office 365. Microsoft is moving authentication a model where each 3rd party phone vendor will each have a unique vendor application ID.
Each vendor will issue updated firmware with their application ID embedded.
Each vendor “app ID” needs approval by a tenant admin before phones with that ID/from that vendor will be able to sign in to your tenant. This means the approval must be completed before you move to this updated firmware(s).
Approval Process
Approval involves clicking a link each vendor will provide:
- Poly approval URL (Poly official advisory)
- Crestron approval URL (thanks to Crestron)
- AudioCodes approval URL (thanks AudioCodes)
- Yealink approval URL (thanks Yealink blog)
I will list them on this blog as they become available. The URL grants the following permissions
These permissions are no different from what the phones have today.
Each vendor will be providing specific details of which firmware has their new application ID in, and the above approval process will need to be completed before phones with that firmware will be able to sign in so this process will need to be carefully managed/synchronised.
You can see the application ID as approved in Azure AD
Firmware Versions
I will list the firmware versions as they are released. Today no vendors have GA firmware with their own app ID.
Polycom firmware versions with target dates (via Adam Jacobs)
| Device name | Software Version | Timeline |
| VVX Phones | 5.9.3 | Mid-May |
| Poly Trio | 5.9.0 Rev AB | Mid-May |
| Group Series | 6.2.1.1 | Mid-June |
Yealink
| Series | Model | Version |
| T5X Desk Phone Series | T58A | 55.9.0.13 and above |
| T56A | ||
| T55A | ||
| Conference Phone | CP960 | 73.8.0.34 and above |
| T4XS Desk Phone Series | T48S | 66.9.0.78 and above |
| T46S | ||
| T42S | ||
| T41S | ||
| T4XG Desk Phone Series | T48G | 35.8.0.81 and above |
| T46G | 28.8.0.81 and above | |
| T41P/T42G | 29.8.0.81 and above |
Frequently Asked Questions
All answers to the best of my knowledge while the detail unfolds. Subscribe to the email updates to stay informed.
Does this affect phones connecting to Skype for Business Online?
Yes
Does this affect phones connecting to Skype for Business Server?
No, unless you specifically SfB server for oAuth sign in
Does this affect phones connecting to Skype for Business Server but using Exchange UM Online or Cloud Voicemail?
Yes, since they have to authenticate to Office 365, but awaiting confirmation
Does this affect SfB Online certified phones being used against Microsoft Teams via the Cloud Interop Gateway?
Yes
Will it be the same app/consent allow all phones of a specific vendor to connect? e.g. is this a one time action per phone vendor (or model)?
App consent is once per 3PIP vendor, so once for Poly, AudioCodes, Yealink and Crestron.
Will there be Office 365 message centre communications?
Yes.
What about Lync Phone Edition?
LPE is out of support and end of life. They will shortly not sign into Office 365 due to TLS1.2/3DES, and this will also prevent them from signing in
Does this apply to Microsoft Teams (native) Phones?
No, Teams Phones run android and then a native Microsoft produced Teams app and uses native oauth and sign in.
The original Microsoft Blog Post
If you are interested, here are some snippets from the original Skype for Business Blog. Thanks to Tom Morgan for highlighting it on twitter.
To provide our customers with best-in-class security across our services, Microsoft is implementing the use of Microsoft Identity Platform 2.0 (an evolution of the Azure Active Directory identity service) which uses the OAuth 2.0 authorization protocol.
OAuth 2.0 is a method through which a third-party app can access web-hosted resources on behalf of a user, through a third-party application ID.
As result of this change, Skype for Business IP Phone partners have made a code change to use partner specific application ID. When deployed, the customer tenant admin will be required to confirm consent to allow the third-party phone application to be granted the necessary permissions (the same permissions currently being used by Skype for Business IP Phones).
All certified Skype for Business IP phones must be updated by July 1st, 2019. Without the update, successful authentication to Microsoft services on IP Phones will fail. Customers are encouraged to work with their certified Skype for Business IP Phone provider to make the update before the deadline.
Reference:
Thank you very much.
[…] All Skype for Business IP Phones must be firmware updated by July 1st 2019 to continue to sign into Office 365 – Tom Talks — Read on tomtalks.blog/2019/04/all-skype-for-business-ip-phones-must-be-firmware-updated-by-july-1st-2019-to-… […]
Thanks for the article Tom. If this affects On-Premises Deployments if they use Exchange Online, this must also mean that this change affects any device manufacturer whose devices us Exchange Online for Calendar information, such as the Evoko Room Management software (to name just one, there are many). Do we know if from 1st July, any device using Exchange Online for Calendar Management (inline with Skype for Business On-Premises) will be affected? If so, would you agree the timelines are short?
Any update on the Polycom VVX and Trio firmware’s? I see Polycom UC Software 6.0.0.4796 already available on their website. This versioning seems greater than the “5.9.3” posted above. Does that mean it’ll work with Microsoft’s Modern Auth/ OAuth 2.0 changes post July 19th?
Hi Tom,
Thank you. Do you have any news about Yealink?
Small typo: App Concent is once per 3PIP vendor, so once for Poly, AudioCodes, Yealink and Crestron.
No new yet. They are supposed to be dropping me an email when they have firmware versions and a link.
Thanks for the typo heads up. Fixed.
Tom can we use the approval link now for the polycom and still have our existing phone work with skype and then as the firmware comes out for the vvx we just need to update them for the user to be able to log into skype. I don’t want to have to wait to the last minute to update around 90 vvx phones
Hi, yes you can do the approval link now and it will have no negative affect on the current firmware signing in.
Thank you
Yealink approval link DOES NOT WORK – results in 404 after auth. As of today July 12, 2019, ALL OF MY Yealink T48 and T58 Skype for business phones are NO LONGER RINGING when incoming calls are placed – Teams clients are working, but that’s not an acceptable workaround – we need our 3pIP phones to be able to answer – I am upgraded on all of my Yealink devices to the recommended firmware for the July change to teams, but the phones are NOT ringing when calls come in….
Please help, and find out who makes changes like this at MS without notifying customers that their 3pip phones will STOP WORKING???? As a preferred MS hardware supplier, why have Yealink phones not been tested against this version of teams on a test O365 tenant???? Who runs QC at MS anymore????
Someone with authority please call Mark Russinovich at Azure and ask him to help out the O365 product managers to do things the RIGHT WAY!!!!
Thanks
Tom Dzmura
IT Director
Evolution Energy
740-269-2440
Tom can we go ahead and use the Polycom approval link now and still not have an issue with our existing phones that are connected to skype? Then when the firmware comes out for the vvx phone all we need to do is update them so they can use the single ID? I have about 90 phones in my organization that we need to update.
Anyone has clarification on the “Does this affect phones connecting to Skype for Business Server but using Exchange UM Online or Cloud Voicemail?” case? More specificaly on a case where Oauth is used in 0365 but not on the SfB server? Thanks
Tom
Has Polycom released the firmware for the vvx phones yet?
I would like to know as well Last VVX 500/600 legacy firmware is 5.9.2.xxxx April 12 2019, talk about leaving it to the last minute, I haven’t seen an message center communication either, I thought they were suppose to give like 3-6 months notice on major changes like this. with less than 4 weeks to go its not leaving much time for testing etc.
Hi WPJ,
MSFT have moved the date back now. 15th May Update: The date has moved from July 1st 2019 to January 15, 2020.
Gives everyone a bit more time to get lined up.
Tom yes I noticed that after I posted, how ever the poly advisor also now says 5.9.4 to have the fix and that’s now expected until Q4 2019 so they are still cutting it close.
Yealink has a problem with their authorization link. After clicking ‘Accept’ it redirects to ‘localhost’, even when using the link directly on their blog.
Hi Stephan, The redirect should just go to a page the vendor defines. Like a ‘thanks for clicking the link’. I expect the authorisation worked. You can check it per the screenshots above on the Azure AD portal.
Thanks Tom for comprehensive guidance.
Hi Tom,
The URL for Polycom phones does not seem to work. I get:
AADSTS50011: The reply url specified in the request does not match the reply urls configured for the application: ‘a850aaae-d5a5-4e82-877c-ce54ff916282’.
Scott, that URL is valid (I just tested it again). You need to be a Global Admin in order to accept the requested rights for the O365 tenant. (Also note that Poly’s uses a redirection to a page to confirm that the application approval process completed successfully. The other vendor’s links are not doing that so they may not actually appear to work by comparison.)
?
Please update ETA dates for Poly:
* VVX – Q4 Calendar Year 2019
* Trio – August 2019
* RealPresence – June 2019
* CX5500 – TBD
https://support.polycom.com/content/dam/polycom-support/products/voice/polycom-uc/other-documents/en/2019/microsoft-online-registration-azure-application-id.pdf
Thanks!
It seems that the YeaLink URL does not work, anyone got it working?
It works, it’s just there is no ‘finishing landing page’ so it looks like it doesn’t work.
Check your portal and you will see it’s approved.
Still not working for me and I’ve emailed them twice now.
Hi Tom,
Do you know what URL & Ports are to be opened from the IP phone subnet for Web Sign-in to work successfully?
Agreeing to Microsoft’s change to utilizing the OAuth 2.0 convention with Skype for Business telephones will require applying a firmware update to those telephones and giving authoritative assent. Microsoft’s telephone equipment accomplices, for example, AudioCodes, Crestron, Polycom and Yealink, are as of now concluding the new OAuth 2.0 firmware refreshes for Skype for Business telephones.
[…] All Skype for Business IP Phones must be firmware updated by January 15, 2020 to continue to sign in… Tom’s Blog […]
From my understanding, when we upgrade the firmware to latest version(poly), even with SFB OnPrem we experience issue in Exchange calendar sync, we get error like “the user or administrator has not consented to use the application with ID ‘xxyyyzzzz’ named Polycom – Skype for Business Certified Phone”. so,as conclusion either onprem or online, the device has issue once its upgraded to latest firmware. when you downgrade to lower / old version like 5.8.x its working fine. hope this helps.!!