Authentication best practices for Teams shared device management on Android devices
The goals of devices used with Teams make different device management strategies necessary. For example, a personal business tablet used by a single sales person has a different set of needs from an on-call phone shared by many customer service people.
Security administrators and operations teams must plan for the devices that can be used in the organization. They must implement security measures best suited to each purpose. This article's recommendations make some of those decisions easier.
Note
Conditional Access requires a Microsoft Entra ID P1 or P2 subscription.
Note
Policies for Android mobile devices may not apply to Teams Android devices.
Authentication recommendations are different for personal versus shared android devices
Shared Teams devices can't use the same requirements for enrollment and compliance that are used on personal devices. Applying personal device authentication requirements to shared devices cause sign in issues.
- Devices are signed out due to password policies.
Accounts used on Teams devices have a password-expiration policy. The accounts used with shared devices don't have a specific user to update and restore them to a working state when their passwords expire. If your organization requires passwords to expire and reset occasionally, these accounts stop working on Teams devices until a Teams administrator resets the password and signs back in.
Challenge: When it comes to accessing. Teams from a device, a person's account has a password-expiration policy. When the password is going to expire, they change it. But accounts used on shared devices(Resource accounts) may not be connected to a single person who can change a password as required. This means a password can expire and leave workers on the spot, not knowing how to resume their work.
When your organization requires a password reset or enforces password expiration, be sure a Teams administrator is prepared to reset the password so these shared accounts can sign back in.
- Devices fail to sign in due to conditional access policies.
Challenge: Shared devices can't comply with Microsoft Entra Conditional Access policies for user accounts or personal devices. If shared devices are grouped with user accounts or personal devices for a Conditional Access policy, the sign-in will fail.
For example, if multifactor authentication is required for accessing Teams, user entry of a code is needed to complete that authentication. Shared devices don't generally have a single user that can configure and complete multifactor authentication. Also, if the account must reauthenticate every X days, a shared device can't resolve the challenge without a user's intervention.
Best practices for the deployment of shared android devices with Teams
Microsoft recommends the following settings when deploying Teams devices in your organization.
Use a Resource account and curtail its password expiration
Teams shared devices should use an Exchange resource mailbox. Creating these mailboxes generates an account automatically. You can either sync these accounts to Microsoft Entra ID from Active Directory or create them directly in Microsoft Entra ID. Any password expiration policies for users will also apply to accounts used on Teams shared devices, therefore, to avoid disruptions caused by password expiration policies, set the password expiration policy for shared devices to never expire.
Starting with Teams devices CY21 Update #1 (Teams version 1449/1.0.94.2021022403 for Teams phones) and CY2021 Update #2 (Teams version 1449/1.0.96.2021051904 for Microsoft Teams Rooms on Android), tenant administrators can sign into Teams devices remotely. Instead of sharing passwords with technicians to set up devices, Tenant administrators should use remote sign-in to issue verification codes. You can sign into these devices from the Teams admin center.
For more information, see Remote provisioning and sign in for Teams Android devices.
Review these Conditional Access policies
Microsoft Entra Conditional Access sets other requirements that devices must meet in order to sign in. For Teams devices, review the guidance that follows to determine if you have authored the policies that allow shared device users to do their work.
Tip
For an overview of Conditional Access, see What is Conditional Access?
Tip
Use either named location or require compliant device to secure shared devices.
You can use location-based access with named locations
If shared devices are provisioned in a well-defined location that can be identified with a range of IP addresses, you can configure Conditional Access using named locations for these devices. This conditional will allow these devices to access your corporate resources only when they are within your network.
When and when not to require compliant shared devices
Note
Device compliance requires an Intune license.
If you're enrolling shared devices into Intune, you can configure device compliance as a control in Conditional Access so that only compliant devices can access your corporate resources. Teams devices can be configured for Conditional Access policies based on device compliance. For more information, see Conditional Access: Require compliant or Microsoft Entra hybrid joined device.
To set compliance setting for your devices using Intune, see Use compliance policies to set rules for devices you manage with Intune.
Note
Shared devices being used for hot-desking should be excluded from compliance policies. Compliance polices prevent the devices from enrolling into the hot desk user account. Instead, use named locations to secure these devices. To increase security, you can also require multi-factor authentication for hot-desking users / user accounts in addition to the named location policies.
Exclude shared devices from sign-in frequency conditions
In Conditional Access, you can configure sign-in frequency to require users to sign in again to access a resource after a specified time period. If sign-in frequency is enforced for room accounts, shared devices sign out until they're signed in again by an admin. Microsoft recommends excluding shared devices from any sign-in frequency policies.
Using Filters for devices
Filters for devices is a feature in Conditional Access that allows you to configure more granular policies for devices based on device properties available in Microsoft Entra ID. You can also use your own custom values by setting extension attributes 1-15 on the device object and then using those.
Use filters for devices to identify your common-area devices and enable policies in two key scenarios:
Excluding shared devices from policies applied for personal devices. For example, requiring device compliance isn't enforced for shared devices used for hot-desking, but is enforced for all other devices, based on model number.
Enforcing special policies on shared devices that shouldn't be applied to personal devices. For example, requiring named locations as policy only for common-area devices based on an extension attribute you set for these devices (for example: “CommonAreaPhone”).
Note
Some attributes such as model, manufacturer, and operatingSystemVersion can only be set when devices are managed by Intune. If your devices are not managed by Intune, use extension attributes.
Microsoft Teams Rooms usage report
New capabilities like the camera video minutes and call minutes data have been added to the Teams Rooms Pro management portal in the report section. This data allows users to track engagement during each meeting and have a better understanding of those data.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for