Protect your Teams devices from Conditional Access

Published August 22, 2022

This article applies to all Teams Android devices, i.e. phones, Meeting Rooms (MTR), panels and displays.

Intune and Conditional Access must be configured in a supported way for Teams devices. The most common symptoms of an unsupported configuration are not being able to sign in, random sign-outs, freezing/crashing and sign-in loops. The random sign-out issue is mostly caused by Conditional Access marking device objects as non-compliant, although Intune compliance policies can also mark the device objects as non-compliant. When the device object is marked as non-compliant, our Azure AD token issuing service stops renewing the tokens for that device object and in some cases revokes the token, so the phone signs out because it cannot get an updated authentication token. The goal, therefore, is to protect your device objects from being marked as non-compliant.

This is a very common issue for all Teams device customers. The unsupported settings were most likely configured in Conditional Access policies to target mobile phones or laptops, but any or all of them will also cause the Teams device objects to be marked as non-compliant.

Check your device objects to see whether they are being marked as not compliant in Azure AD and Intune.

There is another setting in Conditional Access that is supported but causes the same bad behavior: the Session control for “Sign-in frequency”. It forces periodic reauthentication, which makes the phones sign out at random intervals depending on how many of your CA policies have different sign-in frequencies set. Sign-in frequency specifically causes the token to be revoked, so a new device object gets created under the user account every time the user signs in. This can be problematic because it may cause you to hit the Azure AD device limit or the Intune device limit, which will prevent the user from signing in to the phone.

The Terms of Use feature in Conditional Access is another one of those: it is supported, but it causes problems with the Teams devices.

The fix for all of the issues caused by these Conditional Access settings is to create a device filter on each policy that excludes the Teams devices. Here is an example of what the filter should look like. It excludes only your device objects from being marked as non-compliant or from forced reauthentication; it does not exclude the user accounts, so all settings still apply to the user as they sign in. Currently this is the only way we have to protect the device objects so they can continue to receive the necessary authentication tokens.

Filter on Manufacturer or Model. The operators that work best are Contains, Starts With and In.

NOTE: If you have not successfully enrolled your Teams devices in Intune, the device filters will not work. The same is true for Azure AD dynamic device groups. The devices need to be enrolled because Intune is responsible for collecting the manufacturer and model attributes and making them available to Azure AD.
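To make the filter concrete, here is an added example (not from the original post or from Microsoft) that renders a device filter exclusion rule from manufacturer/model clauses and evaluates it against sample device objects. The rule grammar (`device.<attribute> -operator value`, clauses joined with `-or`) follows the documented filter-for-devices syntax; the vendor names and device records are constructed samples, and exact-case matching is an assumption of this evaluator, not a statement about how Azure AD compares strings.

```python
"""Build and evaluate a Conditional Access 'filter for devices' exclusion rule."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Clause:
    attribute: str   # "manufacturer" or "model"
    operator: str    # "contains", "startsWith" or "in"
    value: object    # str for contains/startsWith, list of str for in


def render_rule(clauses):
    """Render the clauses as one rule string (joined with -or) suitable for the
    'Exclude filtered devices from policy' option of a Conditional Access policy."""
    parts = []
    for c in clauses:
        if c.operator == "in":
            literal = "[" + ", ".join(f'"{v}"' for v in c.value) + "]"
        else:
            literal = f'"{c.value}"'
        parts.append(f"(device.{c.attribute} -{c.operator} {literal})")
    return " -or ".join(parts)


def matches(device, clauses):
    """True when the device object satisfies at least one clause, i.e. the device
    would be excluded from the policy. A sign-in that carries no device object
    (for example the user account itself, or a device Intune has not enrolled and
    therefore has no manufacturer/model for) never matches, so the policy still
    applies there. Comparison is exact-case here (assumption)."""
    if not device:
        return False
    for c in clauses:
        actual = device.get(c.attribute) or ""
        if c.operator == "contains" and c.value in actual:
            return True
        if c.operator == "startsWith" and actual.startswith(c.value):
            return True
        if c.operator == "in" and actual in c.value:
            return True
    return False


# Constructed example clauses: exclude a few vendors by manufacturer and one
# model family by prefix (vendor/model names are illustrative).
TEAMS_DEVICE_CLAUSES = [
    Clause("manufacturer", "in", ["Yealink", "Poly", "AudioCodes"]),
    Clause("model", "startsWith", "CCX"),
]

# Constructed sample device objects as Intune would surface them to Azure AD.
SAMPLE_DEVICES = {
    "phone": {"manufacturer": "Yealink", "model": "MP56"},
    "laptop": {"manufacturer": "Dell Inc.", "model": "Latitude"},
    "unenrolled": {},  # no attributes synced by Intune: the filter cannot match
}

if __name__ == "__main__":
    print(render_rule(TEAMS_DEVICE_CLAUSES))
    for name, dev in SAMPLE_DEVICES.items():
        print(f"{name}: excluded={matches(dev, TEAMS_DEVICE_CLAUSES)}")
```

The `unenrolled` record illustrates the note above: with no manufacturer or model synced from Intune, nothing in the rule can match and the device object stays subject to the policy.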

As a Teams administrator you may not have access or permission to view and change things in Conditional Access and Intune. When talking to the people who manage those platforms, you can share the articles below with them. Since you cannot sign in to anything with a device object, excluding device objects does not grant any additional access. It is riskier to have these phones signed out and then have an emergency in which you cannot dial 911 from them because they are signed out. These device filters are required to fix this issue and many other issues with Teams devices.

Please review this first article while looking at each and every one of the settings in all of your Conditional Access policies and Intune compliance policies.

https://docs.microsoft.com/en-us/microsoftteams/rooms/supported-ca-and-compliance-policies?tabs=phones

https://docs.microsoft.com/en-us/mem/intune/apps/app-protection-policy#microsoft-teams-android-devices

https://docs.microsoft.com/en-us/microsoftteams/rooms/conditional-access-and-compliance-for-devices

https://docs.microsoft.com/en-us/MicrosoftTeams/devices/authentication-best-practices-for-android-devices#using-filters-for-devices

https://docs.microsoft.com/en-us/microsoftteams/troubleshoot/teams-rooms-and-devices/rooms-known-issues#teams-phone-devices

How can you prove that Conditional Access is the cause of your Teams devices signing out or being marked as not compliant? Go to the Azure AD sign-in logs, open the User sign-ins (non-interactive) tab, and filter for Status: Failure and Application: contains Teams.

Look for failures with the application Microsoft Teams, Microsoft Teams Service or Microsoft Teams – Device Admin Agent.

Error 530002 is caused by the Conditional Access session control “Sign-in frequency”. In this case the device objects were compliant, but the details of the error message make it look like a compliance issue. As stated above, this setting causes the authentication token to be revoked, which forces the sign-out.

Select the Conditional Access tab to see which policy caused the failure.

Click on the policy showing Result: Failure. In this screenshot you can see that the device object was affected but the user object was not.
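The same triage can be done offline over an exported copy of the sign-in logs. The following is an added example, not code from the original post or from Microsoft: it applies the filters described above (non-interactive, failed, Teams application) to a constructed sample export, separates the 530002 sign-in-frequency case (device still compliant, token revoked) from a genuine non-compliant device state, and lists the policies that returned Result: Failure. Field names follow the Microsoft Graph `signIn` schema as an assumption; the user names, device ids and policy names are constructed.

```python
"""Triage an Azure AD sign-in log export for Teams device failures caused by Conditional Access."""
import json

SIGN_IN_FREQUENCY_ERROR = 530002  # token revoked by the "Sign-in frequency" session control

# Constructed sample export. Field names assume the Microsoft Graph signIn schema.
SAMPLE_EXPORT = json.dumps([
    {   # device object is compliant, yet the sign-in fails: sign-in frequency revoked the token
        "userPrincipalName": "lobbyphone@contoso.example",
        "appDisplayName": "Microsoft Teams Service",
        "isInteractive": False,
        "status": {"errorCode": 530002, "failureReason": "constructed sample text"},
        "conditionalAccessStatus": "failure",
        "deviceDetail": {"deviceId": "device-object-1", "isCompliant": True, "operatingSystem": "Android"},
        "appliedConditionalAccessPolicies": [
            {"displayName": "Require MFA", "result": "success"},
            {"displayName": "Sign-in frequency 1 day", "result": "failure"},
        ],
    },
    {   # device object marked non-compliant (AADSTS53000 device-state failure)
        "userPrincipalName": "lobbyphone@contoso.example",
        "appDisplayName": "Microsoft Teams",
        "isInteractive": False,
        "status": {"errorCode": 53000, "failureReason": "Device is not in required device state: compliant"},
        "conditionalAccessStatus": "failure",
        "deviceDetail": {"deviceId": "device-object-2", "isCompliant": False, "operatingSystem": "Android"},
        "appliedConditionalAccessPolicies": [
            {"displayName": "Require compliant device", "result": "failure"},
        ],
    },
    {   # interactive success for the user account: not part of the triage
        "userPrincipalName": "lobbyphone@contoso.example",
        "appDisplayName": "Microsoft Teams",
        "isInteractive": True,
        "status": {"errorCode": 0},
        "conditionalAccessStatus": "success",
        "appliedConditionalAccessPolicies": [{"displayName": "Require MFA", "result": "success"}],
    },
    {   # non-Teams failure (constructed error code): excluded by the application filter
        "userPrincipalName": "lobbyphone@contoso.example",
        "appDisplayName": "Some Other App",
        "isInteractive": False,
        "status": {"errorCode": 1},
        "appliedConditionalAccessPolicies": [],
    },
])


def load_sign_ins(raw_json):
    """Parse an exported sign-in log (a JSON array of signIn records)."""
    return json.loads(raw_json)


def teams_device_failures(sign_ins):
    """The rows the article says to look at: non-interactive, failed, Teams application."""
    return [
        s for s in sign_ins
        if not s.get("isInteractive", True)
        and s.get("status", {}).get("errorCode", 0) != 0
        and "Teams" in s.get("appDisplayName", "")
    ]


def failing_policies(sign_in):
    """Names of the applied Conditional Access policies that reported Result: Failure."""
    return [
        p["displayName"]
        for p in sign_in.get("appliedConditionalAccessPolicies", [])
        if p.get("result") == "failure"
    ]


def classify(sign_in):
    """Tell the sign-in-frequency revocation apart from a real non-compliant device state."""
    if sign_in["status"]["errorCode"] == SIGN_IN_FREQUENCY_ERROR:
        return "sign-in frequency (token revoked; device may still be compliant)"
    if sign_in.get("deviceDetail", {}).get("isCompliant") is False:
        return "device object marked non-compliant"
    return "other Conditional Access failure"


def triage(raw_json):
    """Summarise each relevant failure: who, which app, error code, likely cause, culprit policies."""
    return [
        {
            "user": s["userPrincipalName"],
            "app": s["appDisplayName"],
            "errorCode": s["status"]["errorCode"],
            "cause": classify(s),
            "policies": failing_policies(s),
        }
        for s in teams_device_failures(load_sign_ins(raw_json))
    ]


if __name__ == "__main__":
    for row in triage(SAMPLE_EXPORT):
        print(row)
```

Each policy name in `policies` is one to check for a missing Teams device filter exclusion; a row classified as sign-in frequency points at the session control rather than at the compliance policies.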

Here is a video to show you how to properly configure your Intune and Conditional access environment for the Teams Devices.
