Conditional Access and Intune compliance for Microsoft Teams Rooms

This article provides requirements and best practices for Conditional Access and Intune device compliance policies for Microsoft Teams Rooms that are used in shared spaces.

Note

To use this feature with a Teams Rooms device, you need to assign a Microsoft Teams Rooms Pro license to the device. For more information, see Microsoft Teams Rooms licenses.

Requirements

Teams Rooms must already be deployed on the devices you want to assign Conditional Access policies to. If you haven't deployed Teams Rooms yet, see Create resource accounts for rooms and shared Teams devices and Deploy Microsoft Teams Rooms on Android for more information.

A Microsoft Entra ID P1 Service Plan is required to use Conditional Access. It's included in the Microsoft Teams Rooms license.

Teams Rooms Conditional Access best practices

Conditional Access policies can secure the sign-in process on devices that are in shared spaces and used by multiple people. For an overview of Conditional Access in Microsoft Entra ID, see What is Conditional Access in Microsoft Entra ID?.

When using Conditional Access to secure Teams Rooms, consider the following best practices:

  • To simplify deployment and management, include all Microsoft 365 room resource accounts associated with Teams Rooms in one user group.

  • Have a naming standard for all Teams Rooms resource accounts. For example, the account names 'mtr-room1@contoso.com' and 'mtr-room2@contoso.com' both start with the prefix 'mtr-'. When account names are standardized, you can use dynamic groups in Microsoft Entra ID to automatically apply Conditional Access policies to all of these accounts at once. See Rules for dynamically populated groups membership for more information on dynamic groups.

For a list of supported Conditional Access assignments for Teams Rooms, see Supported Conditional Access policies.

Example Conditional Access policy

In the example below, the Conditional Access policy works as follows:

  1. The account signing in must be a member of a specific user group, in this example, the "Shared devices" group.

  2. The account signing in must only be trying to access Exchange Online, Microsoft Teams, SharePoint Online, or Microsoft Whiteboard Services. Attempts to sign into any other client app will be rejected.

  3. The resource account must be signing in on the Windows device platform.

  4. The resource account must also sign in from a known, trusted location.

If these conditions are met successfully, and the user enters the correct username and password, then the resource account will sign into Teams.
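The following Microsoft Graph PowerShell script is an added example, not part of the original article, that creates the policy described above in report-only mode. Because Conditional Access ANDs the conditions inside a single policy, "reject everything else" is expressed here as three block policies (apps, platform, location) scoped to the "Shared devices" group; the group object ID is a placeholder, and the first-party application IDs are well-known values you should confirm against the enterprise applications in your own tenant.

```powershell
# Added example (not from the article). Requires the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$sharedDevicesGroupId = "<SHARED-DEVICES-GROUP-OBJECT-ID>"   # placeholder: object ID of the "Shared devices" group

# Well-known first-party app IDs for the four services Teams Rooms needs; verify them in your tenant
$allowedApps = @(
    "00000002-0000-0ff1-ce00-000000000000"  # Office 365 Exchange Online
    "cc15fd57-2c6c-4117-a88c-83b1d56b4bbe"  # Microsoft Teams
    "00000003-0000-0ff1-ce00-000000000000"  # Office 365 SharePoint Online
    "95de633a-083e-42f5-b444-a4295d8e9314"  # Microsoft Whiteboard Services
)

function New-SharedDeviceBlockPolicy {
    # Creates one block policy for the shared-devices group with the supplied condition set.
    param([string]$Name, [hashtable]$Conditions)
    $Conditions.users          = @{ includeGroups = @($sharedDevicesGroupId) }
    $Conditions.clientAppTypes = @("all")
    if (-not $Conditions.applications) {
        $Conditions.applications = @{ includeApplications = @("All") }
    }
    $body = @{
        displayName   = $Name
        # Report-only first: review the sign-in log for would-be blocks, then change to "enabled"
        state         = "enabledForReportingButNotEnforced"
        conditions    = $Conditions
        grantControls = @{ operator = "OR"; builtInControls = @("block") }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# 1. Reject sign-in to any app other than Exchange Online, Teams, SharePoint Online and Whiteboard
New-SharedDeviceBlockPolicy -Name "Teams Rooms: block other apps" -Conditions @{
    applications = @{ includeApplications = @("All"); excludeApplications = $allowedApps }
}

# 2. Reject sign-in from any device platform other than Windows
New-SharedDeviceBlockPolicy -Name "Teams Rooms: block non-Windows platforms" -Conditions @{
    platforms = @{ includePlatforms = @("all"); excludePlatforms = @("windows") }
}

# 3. Reject sign-in from anywhere that is not a trusted named location
New-SharedDeviceBlockPolicy -Name "Teams Rooms: block untrusted locations" -Conditions @{
    locations = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
}
```

A resource account in the group that signs in to one of the four apps from a Windows device at a trusted location matches none of the three block policies and is allowed through; any other combination matches at least one and is reported (or, once enabled, rejected).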

Conditional Access with Microsoft Intune compliance for Teams Rooms

Compliance requirements are defined rules that devices must meet to be marked as compliant, such as minimum operating system version. Devices must be considered compliant before they can be used to sign into a resource account.

For a list of supported Intune compliance policies for Teams Rooms, see Supported device compliance policies.

For more information on setting up Intune with Teams Android devices, see Configure Intune to enroll Teams Android-based devices.

Example (Windows only): Conditional Access with Intune device compliance

In this example for Teams Rooms on Windows:

  1. Require that a firewall is running on Teams Rooms on Windows.

  2. Require that Microsoft Defender is running on Teams Rooms.

  3. If Teams Rooms fails to meet either of these requirements, it isn't marked as compliant and the device can't sign in.

This compliance policy applies to all users, not just Teams resource accounts.