Teams Rooms and MFA

A Ska 241 Reputation points
2023-11-06T09:25:02.4233333+00:00

Dears

I'm planning to "close" a tenant by forcing all users to adopt MFA.

I've got some doubts about some Teams rooms (on-prem hybrid Exchange environment); what if I enable MFA for all users in the tenant? We don't have the AAD Premium version.

Is there a way to avoid blocking Teams rooms?

Thank you!

Microsoft Security | Microsoft Entra | Microsoft Entra ID
Microsoft Teams | Microsoft Teams for business | Other

Answer accepted by question author
  1. Ran Hou-MSFT 7,625 Reputation points Microsoft External Staff
    2023-11-07T05:11:38.15+00:00

    Hi @A Ska

    Based on our research, if you enable MFA for all users in your tenant, you may end up blocking Teams rooms devices from signing in to Teams and other Microsoft 365 services. To avoid this, there are a few possible solutions that you can try:

    • As @Carlos Solís Salazar mentioned, you can manually enable MFA for each user account in the Admin Center and skip the Teams rooms devices. For more details, you may refer to the article.
    • Alternatively, according to the article, you can use security defaults to enable MFA for all users, but you need to exclude Teams rooms devices from the security defaults. You can do this by creating a group that contains all the Teams rooms devices and adding it to the exclusion list in the security defaults settings.

    Hope the above information is helpful for you!


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.



3 additional answers

  1. Carlos Solís Salazar 18,291 Reputation points MVP Volunteer Moderator
    2023-11-06T17:09:00.66+00:00

    You can enable per-user Microsoft Entra MFA and, of course, avoid activating MFA for the Teams room users.

    Hope this helps!


  2. A Ska 241 Reputation points
    2023-11-07T11:14:42.11+00:00

    Is there a way to do the opposite of this?

    • Alternatively, according to the article, you can use security defaults to enable MFA for all users, but you need to exclude Teams rooms devices from the security defaults. You can do this by creating a group that contains all the Teams rooms devices and adding it to the exclusion list in the security defaults settings.

    Enable MFA for the whole tenant and add an exclusion group to avoid MFA usage?


  3. John Jack 0 Reputation points
    2024-10-14T11:43:14.68+00:00

    Maybe things changed, but as of today, I can only Enable or Disable security defaults.

    Disabling security defaults doesn't seem a real option: this setting is not advised for nothing, and works perfectly, among other things making sure all new accounts are MFA enabled without having to set up custom groups, e.g. things that may break at some point/need maintenance and will be a security exception that needs to be explained in audits. How can we exempt Teams rooms (Pro) accounts without impacting the whole of our security (e.g. without disabling security defaults)?

