Modern Authentication on Surface Hub
With the Windows 10 Team 2020 Update we added support for Modern Authentication (OAuth) for the Surface Hub device account. This is covered in more depth in the YouTube video here: How to use Modern Authentication on Surface Hub | Microsoft
The requirements for the Surface Hub to use Modern Authentication are:
- Surface Hub needs to be running Windows 10 Team 2020 Update 2, build 19042.1566 or newer.
- Device account needs to be added to the Surface Hub in the UPN format (not DOMAIN\user).
- Device account mailbox is hosted in Exchange Online.
- Surface Hub does not have the provisioning package/MDM policy deployed to disable Modern Authentication.
- For hybrid AD accounts, cloud authentication must be used. If federated authentication is used, the account authentication with the federated identity provider will still use legacy protocols.
Starting in Windows 10 Team 2020 Update 2, Modern Authentication is always used to validate the device account when it is added or edited on the Surface Hub. So, if the Surface Hub is fully updated and all the other prerequisites above are met, the Surface Hub will be using Modern Authentication. Basic authentication was deprecated in Exchange Online on October 1, 2022.
How to confirm the Surface Hub device account is not using Legacy/Basic authentication
If you are seeing Exchange Web Services sign-ins in the Azure sign-in logs and want to verify that Surface Hub device accounts are not using Basic/Legacy authentication, you can follow either of the methods below. After applying either policy, the Surface Hub device account should remain fully functional and not be blocked, which means Modern Authentication is being used.
Method 1
Using Exchange Online PowerShell create an authentication policy to block Basic authentication. Assign the authentication policy to a Surface Hub device account and test.
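The following Exchange Online PowerShell session is an added example of Method 1 and is not part of the original article. It assumes the ExchangeOnlineManagement module is installed, the signed-in administrator can manage authentication policies, and that the device account UPN and policy name are placeholders to replace with your own values.

```powershell
# Added example (not from the original article): verify that a Surface Hub device
# account is using Modern Authentication by assigning it an Exchange Online
# authentication policy that blocks Basic authentication (Method 1).
# Assumptions: ExchangeOnlineManagement module installed; the UPN and policy
# name below are placeholders.

$DeviceAccount = 'hub-room1@contoso.com'          # placeholder: Surface Hub device account UPN
$PolicyName    = 'Block Basic Auth - Surface Hub test'

Connect-ExchangeOnline

# A newly created authentication policy blocks Basic authentication for every
# protocol (all AllowBasicAuth* switches default to $false), including EWS,
# which is the protocol the Surface Hub uses for calendar and mail.
if (-not (Get-AuthenticationPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $PolicyName | Out-Null
}

# Confirm the policy blocks Basic auth for the protocols the hub relies on.
Get-AuthenticationPolicy -Identity $PolicyName |
    Format-List Name, AllowBasicAuthWebServices, AllowBasicAuthAutodiscover, AllowBasicAuthActiveSync

# Assign the policy to the device account only, so the test is scoped to one hub.
Set-User -Identity $DeviceAccount -AuthenticationPolicy $PolicyName

# Policy assignments can take up to 24 hours to apply; expiring the account's
# refresh tokens makes the policy take effect at the account's next sign-in.
Set-User -Identity $DeviceAccount -STSRefreshTokensValidFrom ([System.DateTime]::UtcNow)

# Verify the assignment before testing on the device.
Get-User -Identity $DeviceAccount | Format-List UserPrincipalName, AuthenticationPolicy

# Now exercise the Surface Hub (calendar sync, meeting join, email). If these keep
# working while the policy is assigned, the account is not using Basic authentication.
```

If the hub's calendar stops working after the assignment, the account is still authenticating with Basic/legacy protocols and one of the prerequisites listed above is not met; remove the assignment with `Set-User -Identity $DeviceAccount -AuthenticationPolicy $null` while you investigate.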
Method 2
Create a Conditional Access policy to block Legacy authentication. Assign the Conditional Access policy to a Surface Hub device account and test.
Note: In some environments creating a Conditional Access policy to block “Other clients” (method 2) will block Surface Hub device account Exchange functionality. This can occur because the legacy authentication category “Other clients” includes Exchange Web Services (EWS). The documentation stating EWS doesn’t support Modern Authentication is incorrect. The Surface Hub uses EWS with Modern Authentication via the OAuth protocol. In the event the Surface Hub is getting blocked by this CA policy, exclude the Surface Hub device accounts from it and use Method 1 to verify instead.
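The following Microsoft Graph PowerShell script is an added example of Method 2 and is not part of the original article. It creates the Conditional Access policy in report-only mode first, scoped to a single Surface Hub device account, so that its effect can be observed in the sign-in logs before it is enforced. It assumes the Microsoft.Graph PowerShell module is installed, the caller holds the Policy.ReadWrite.ConditionalAccess permission, and the object ID and display name are placeholders.

```powershell
# Added example (not from the original article): a Conditional Access policy that
# blocks legacy authentication clients for one Surface Hub device account (Method 2).
# Assumptions: Microsoft.Graph module installed; the object ID below is a placeholder.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$DeviceAccountObjectId = '00000000-0000-0000-0000-000000000000'   # placeholder: device account object ID

$params = @{
    displayName = 'Test - Block legacy auth for Surface Hub device account'
    # Report-only: sign-ins are evaluated and logged but not blocked, which lets you
    # confirm the hub's EWS sign-ins are NOT matched as legacy before enforcing.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        # "other" is the legacy "Other clients" category the note above refers to;
        # it covers Basic-auth EWS, IMAP, POP, SMTP and similar protocols.
        clientAppTypes = @('exchangeActiveSync', 'other')
        applications   = @{ includeApplications = @('All') }
        # Scope the test to the device account only. To exclude hubs from a
        # tenant-wide policy instead, use includeUsers = @('All') together with
        # excludeUsers = @($DeviceAccountObjectId).
        users          = @{ includeUsers = @($DeviceAccountObjectId) }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $params
$policy | Format-List Id, DisplayName, State

# After reviewing the report-only results in the sign-in logs (the policy should show
# "Not applied" for the hub's OAuth-based EWS sign-ins), enforce it for the real test.
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -BodyParameter @{ state = 'enabled' }
```

With the policy enforced, the Surface Hub should continue to sync its calendar and join meetings. If it is blocked, the environment is one of those described in the note above: exclude the device account from the policy and fall back to Method 1.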