Supported Conditional Access and Intune device compliance policies for Microsoft Teams Rooms and Teams Android Devices
This article provides supported Conditional Access and Intune device compliance policies for Microsoft Teams Rooms. For best practices and example policies, see Conditional Access and Intune compliance best practices for Microsoft Teams Rooms.
Note
To use this feature with a Teams Rooms device, you need to assign a Microsoft Teams Rooms Pro license to the device. For more information, see Microsoft Teams Rooms licenses.
Note
Teams Rooms must already be deployed on the devices you want to assign Conditional Access policies to. If you haven't deployed Teams Rooms yet, see Create resource accounts for rooms and shared Teams devices and Deploy Microsoft Teams Rooms on Android for more information.
Supported Conditional Access policies
The following list includes the supported Conditional Access policies for Teams Rooms on Windows and Android, and for policies on Teams panels, phones, and displays.
| Assignment | Teams Rooms on Windows | Teams Rooms on Android and panels | Teams phones and displays |
|---|---|---|---|
| User or workload identities | Supported | Supported | Supported |
| Cloud apps or actions | Supported Teams Rooms needs to access the following three Cloud apps when in Teams only mode: Office 365 Exchange Online, Office 365 SharePoint Online, and Microsoft Teams |
Supported Teams Rooms needs to access the following three Cloud apps when in Teams only mode: Office 365 Exchange Online, Office 365 SharePoint Online, and Microsoft Teams |
Supported Teams Android devices need to access the following three Cloud apps: Office 365 Exchange Online, Office 365 SharePoint Online, and Microsoft Teams |
| Conditions | --- | --- | --- |
| User risk | Supported | Supported | Supported |
| Sign-in risk | Supported | Supported | Supported |
| Device platforms | Supported | Supported | Supported |
| Locations | Supported | Supported | Supported |
| Client apps | Not supported | Not supported | Not supported |
| Filter for devices | Supported | Supported | Supported |
| Grant | --- | --- | --- |
| Block access | Supported | Supported | Supported |
| Grant access | Supported | Supported | Supported |
| Require multi-factor authentication | Not supported | Not supported | Supported |
| Require device to be marked as compliant | Supported | Supported | Supported |
| Require Hybrid Azure AD joined device | Not supported | Not supported | Not supported |
| Require approved client app | Not supported | Not supported | Not supported |
| Require app protection policy | Not supported | Not supported | Not supported |
| Require password change | Not supported | Not supported | Not supported |
Note
Skype for Business Online is retired and not supported. Skype for Business Online cloud app is not supported for device compliance based Conditional Access policies.
Note
Microsoft Teams Rooms on Windows must meet the following requirements to support device compliance grant controls:
- Microsoft Teams Rooms application 4.8.19.0 or above
- Windows 10 version 20H2 and above (10.0.19042)
Supported device compliance policies
Microsoft Teams Rooms on Windows and Teams Rooms on Android support different device compliance policies.
Below is a table of device compliance settings and recommendations for their use with Teams Rooms.
| Policy | Availability | Notes |
|---|---|---|
| Device health | -- | -- |
| Require BitLocker | Supported | Only use if you have first enabled BitLocker on Teams Rooms. |
| Require Secure Boot to be enabled on the device | Supported | Secure Boot is a requirement for Teams Rooms. |
| Require code integrity | Supported | Code integrity is already a requirement for Teams Rooms. |
| Device Properties | -- | -- |
| Operating System Version (minimum, maximum) | Not supported | Teams Rooms automatically updates to newer versions of Windows and setting values here could prevent successful sign-in after an OS update. |
| OS version for mobile devices (minimum, maximum) | Not supported. | |
| Valid operating system builds | Not supported | |
| Configuration Manager Compliance | -- | -- |
| Require device compliance from Configuration Manager | Supported | |
| System security | -- | -- |
| All password policies | Not supported | Password policies can prevent the local Skype account from automatically signing in. |
| Require encryption of data storage on device. | Supported | Only use if you have first enabled encryption of data storage on Teams Rooms. |
| Firewall | Supported | Firewall is already a requirement for Teams Rooms |
| Trusted Platform Module (TPM) | Supported | Trusted Platform Module (TPM) is already a requirement for Teams Rooms. |
| Antivirus | Supported | Antivirus (Windows Defender) is already a requirement for Teams Rooms. |
| Antispyware | Supported | Antispyware (Windows Defender) is already a requirement for Teams Rooms. |
| Microsoft Defender Antimalware | Supported | Microsoft Defender Antimalware is already a requirement for Teams Rooms. |
| Microsoft Defender Antimalware minimum version | Not supported. | Teams Rooms automatically updates this component so there's no need to set compliance policies. |
| Microsoft Defender Antimalware security intelligence up-to-date | Supported | Validate that Microsoft Defender Antimalware is already a requirement for Teams Rooms. |
| Real-time protection | Supported | Real-time protections are already a requirement for Teams Rooms. |
| Microsoft Defender for Endpoint | -- | -- |
| Require the device to be at or under the machine risk score. | Supported |
Feedback
Submit and view feedback for