Share via

Exclude users from Smart Card authentication when hotdesking on Teams Phone

Hunter Cole Williams 0 Reputation points
2026-01-16T16:41:55.21+00:00

Here is my situation.

My organization has a smart card requirement for all users, and we have some CCX-600 phones we are configuring for hotdesking. I have phones set up with resource accounts, licenses, IPPhonePolicies, and conditional access exemptions. I try to hotdesk to a non-resource account user profile, and I am still met with a certificate/smart card requirement.

How can I exempt users from the smart card requirement when signing in from these Android Teams devices, but keep the requirement for all other sign-ins? In fact, a sign-in using device-code flow and certificate on another device would satisfy my requirement but it seems the certificate-based authentication method overrides device code flow.

Microsoft Security | Microsoft Entra | Microsoft Entra ID
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest

  1. AI answer

    2026-01-16T16:42:03.9566667+00:00

    To exempt users from smart card authentication when hotdesking on Teams Phones, you can utilize Conditional Access policies. Specifically, you should consider the following steps:

    1. Exclude Shared Devices from Smart Card Policies: Ensure that your Conditional Access policies exclude shared devices, such as the CCX-600 phones, from the smart card authentication requirement. This can be done by configuring the policies to apply only to personal devices.
    2. Use Device Filters: Implement device filters in your Conditional Access policies to identify and exclude the shared devices used for hotdesking. By using attributes like model or manufacturer, you can create a policy that enforces smart card authentication for personal devices while exempting shared devices.
    3. Utilize Resource Accounts: Since you already have resource accounts set up for the phones, ensure that these accounts are configured correctly to bypass the smart card requirement when users sign in using these specific devices.
    4. Review Sign-in Frequency Conditions: Check if the sign-in frequency conditions are affecting the authentication process. Excluding shared devices from sign-in frequency policies can help prevent them from being signed out unexpectedly, which may trigger the smart card requirement again.
    5. Test Device Code Flow: If device code flow is an option, ensure that it is properly configured and that the smart card authentication does not override this method. This may involve reviewing the authentication methods allowed for different user types or scenarios.

    By following these steps, you should be able to configure your Teams Phones for hotdesking without enforcing the smart card requirement for users signing in from those devices.

    References:

    AI-generated content may be incorrect. Read our transparency notes for more information.

    Was this answer helpful?

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.