Teams Rooms and MFA

A Ska 241 Reputation points
2023-11-06T09:25:02.4233333+00:00

Dears

I'm planning to "close" a tenant by forcing all users to adopt MFA.

I've got some doubts about some Teams Rooms (on-prem hybrid Exchange environment): what if I enable MFA for all users in the tenant? We don't have the AAD Premium version.

Is there a way to avoid blocking Teams Rooms?

Thank you!


Accepted answer
  1. Ran Hou-MSFT 7,545 Reputation points Microsoft Vendor
    2023-11-07T05:11:38.15+00:00

    Hi @A Ska

    Based on our research, if you enable MFA for all users in your tenant, you may end up blocking Teams rooms devices from signing in to Teams and other Microsoft 365 services. To avoid this, there are a few possible solutions that you can try:

    • As @Carlos Solís Salazar mentioned, you can manually enable MFA for each user account in the Admin Center and skip the Teams rooms devices. For more details, you may refer to the article.
    • Alternatively, according to the article, you can use security defaults to enable MFA for all users, but you need to exclude Teams rooms devices from the security defaults. You can do this by creating a group that contains all the Teams rooms devices and adding it to the exclusion list in the security defaults settings.

    Hope the above information is helpful for you!


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.



3 additional answers

  1. Carlos Solís Salazar 17,976 Reputation points MVP
    2023-11-06T17:09:00.66+00:00

    You can enable per-user Microsoft Entra MFA and, of course, avoid activating MFA for the Teams Rooms users.

    Hope this helps!


  2. A Ska 241 Reputation points
    2023-11-07T11:14:42.11+00:00

    Is there a way to do the opposite of this?

    • Alternatively, according to the article, you can use security defaults to enable MFA for all users, but you need to exclude Teams rooms devices from the security defaults. You can do this by creating a group that contains all the Teams rooms devices and adding it to the exclusion list in the security defaults settings.

    Enable MFA for the whole tenant and add an exclusion group to avoid MFA usage?


  3. John Jack 0 Reputation points
    2024-10-14T11:43:14.68+00:00

    Maybe things changed, but as of today, I can only Enable or Disable security defaults.

    Disabling security defaults doesn't seem a real option. This setting is not advised for nothing, and it works perfectly, among other things making sure all new accounts are MFA-enabled without having to set up custom groups, e.g. things that may break at some point or need maintenance, and that will be a security exception that needs to be explained in audits. How can we exempt Teams Rooms (Pro) accounts without impacting the whole of our security (e.g. without disabling security defaults)?

