How different technologies affect Microsoft Teams sign-on
If you need to understand how technologies like single sign-on (SSO), modern authentication (MS), and multifactor authentication (MA) affect users' experience of sign-in, this article will help clarify what users and admins can expect to see. It also outlines the log-in behavior for macOS, android, and iOS devices, how login works using multiple accounts, how to remove automatically filled credentials or 'pre-fill' at the login screen, and how to restrict sign-on.
Bookmark this article if your role involves knowing Microsoft Team's expected behaviors during login.
Microsoft Teams and Windows users: sign-in recommendations
Microsoft recommends that organizations use recent versions of Windows 10 with either Hybrid Domain Join or Azure AD Join configuration. Using recent versions ensures that users' accounts are primed in Windows' Web Account Manager, which in turn enables single sign-on to Teams and other Microsoft applications. Single sign-on provides a better user experience (silent sign-in) and a better security posture.
Microsoft Teams uses modern authentication to keep the sign-in experience simple and secure. To see how users sign in to Teams, read Sign in to Teams.
How modern authentication (MA) affects your sign-in: what users will see when MA is on
Modern authentication is part of a process that lets Teams know that users have already entered their credentials -- such as their work email and password -- elsewhere, and they shouldn't be required to enter them again to start the app. The experience varies depending on a couple factors, like if users are working in a Windows operating system, or on a Mac.
Sign-in behavior will also vary depending on whether your organization has enabled single-factor authentication or multifactor authentication. Multifactor authentication usually involves verifying credentials via a phone, providing a unique code, entering a PIN, or presenting a thumbprint.
Modern authentication is available for every organization that uses Teams. If users aren't able to complete the process, there might be an underlying issue with your organization's Azure AD configuration. For more information, see Why am I having trouble signing in to Microsoft Teams?
Here's a rundown of the behavior users can expect with each modern authentication scenario.
If users have already signed in to Windows or to other Office apps with their work or school account, when they start Teams they're taken straight to the app. There's no need for them to enter their credentials.
Microsoft recommends using Windows 10 version 1903 or later for the best Single Sign-On experience.
If users are not signed in to their Microsoft work or school account anywhere else, when they start Teams, they're asked to provide either single-factor or multifactor authentication (SFA or MFA). This process depends on what your organization has decided they'd like the sign-in procedure to require.
If users are signed in to a domain-joined computer, when they start Teams, they might be asked to go through one more authentication step, depending on whether your organization opted to require MFA or if their computer already requires MFA to sign in. If their computer already requires MFA to sign in, when they open up Teams, the app automatically starts.
On Domain joined PCs, when SSO isn't possible, Teams may pre-fill its login screen with the user principal name (UPN). There are cases where you may not want this, especially if your organization uses different UPNs on-premises and in Azure Active Directory. If that's the case, you can use the following Windows registry key to turn off pre-population of the UPN:
Computer\HKEY_CURRENT_USER\Software\Microsoft\Office\Teams
SkipUpnPrefill(REG_DWORD)
0x00000001 (1)Note
Skipping or ignoring user name pre-fill for user names that end in ".local" or ".corp" is on by default, so you don't need to set a registry key to turn these off.
Microsoft Teams sign-on to another account on a Domain Joined computer
Users on domain-joined computer may not be able to sign in to Teams with another account in the same Active Directory domain.
macOS users and Microsoft Teams sign-on prompts
On macOS, Teams will prompt users to enter their username and credentials and may prompt for multifactor authentication depending on your organization's settings. Once users enter their credentials, they won't be required to provide them again. From that point on, Teams automatically starts whenever they're working on the same computer.
Microsoft Teams sign-on for iOS and Android users
Upon sign in, mobile users will see a list of all the Microsoft 365 accounts that are either currently signed-in or were previously signed-in on their device. Users can tap on any of the accounts to sign in. There are two scenarios for mobile sign in:
If the selected account is currently signed in to other Office 365 or Microsoft 365 apps, then the user will be taken straight to Teams. There's no need for the user to enter their credentials.
If user isn't signed in to their Microsoft 365 account anywhere else, they will be asked to provide single-factor or multifactor authentication (SFA or MFA), depending on what your organization has configured for mobile sign-in policies.
Note
For users to experience the sign on experience as described in this section, their devices must be running Teams for iOS version 2.0.13 (build 2020061704) or later, or Teams for Android version 1416/1.0.0.2020061702 or later.
Using Microsoft Teams with multiple sign-in accounts
Teams for iOS and Android supports the use of multiple work or school and multiple personal accounts side by side. Teams desktop applications will support one work/school and one personal account side by side in December 2020, with support for multiple work/school accounts coming at a later date.
The following images show how users can add multiple accounts in Teams mobile applications.
Restrict sign-in to Microsoft Teams
Organization may want to restrict how corporate-approved apps are used on managed devices, for example to restrict students' or employees' ability to access data from other organizations or use corporate-approved apps for personal scenarios. These restrictions can be enforced by setting Devices Policies that Teams applications recognize.
How to restrict Microsoft Teams sign-in on mobile devices
Teams for iOS and Android offers IT administrators the ability to push account configurations to Microsoft 365 accounts. This capability works with any Mobile Device Management (MDM) provider that uses the Managed App Configuration channel for iOS or the Android Enterprise channel for Android.
For users enrolled in Microsoft Intune, you can deploy the account configuration settings using Intune in the Azure portal.
Once account setup configuration has been configured in the MDM provider, and after the user enrolls their device, on the sign-in page, Teams for iOS and Android will only show the allowed account(s) on the Teams sign-in page. The user can tap on any of the allowed accounts on this page to sign in.
Set the following configuration parameters in the Azure Intune portal for managed devices.
| Platform | Key | Value |
|---|---|---|
| iOS | IntuneMAMAllowedAccountsOnly | Enabled: The only account allowed is the managed user account defined by the IntuneMAMUPN key. Disabled (or any value that is not a case insensitive match to Enabled): Any account is allowed. |
| iOS | IntuneMAMUPN | UPN of the account allowed to sign in to Teams. For Intune enrolled devices, the {{userprincipalname}} token may be used to represent the enrolled user account. |
| Android | com.microsoft.intune.mam.AllowedAccountUPNs | Only account(s) allowed are the managed user account(s) defined by this key. One or more semi-colons;]- delimited UPNs. For Intune enrolled devices, the {{userprincipalname}} token may be used to represent the enrolled user account. |
Once the account setup configuration has been set, Teams will restrict the ability to sign in, so that only allowed accounts on enrolled devices will be granted access.
To create an app configuration policy for managed iOS/iPadOS devices, see Add app configuration policies for managed iOS/iPadOS devices.
To create an app configuration policy for managed Android devices, see Add app configuration policies for managed Android devices.
How to restrict Teams sign-in on desktop devices
Microsoft Teams apps on Windows and macOS are gaining support for device policies that restrict sign in to your organization. The policies can be set via usual Device Management solutions such as MDM (Mobile Device Management) or GPO (Group Policy Object).
When this policy is configured on a device, users can only sign in with accounts homed in an Azure AD tenant that is included in the "Tenant Allow List" defined in the policy. The policy applies to all sign-ins, including first and additional accounts. If your organization spans multiple Azure AD tenants, you can include multiple Tenant IDs in the Allow List. Links to add another account may continue to be visible in the Teams app, but they won't be operable.
Note
- The policy only restricts sign-ins. It does not restrict the ability for users to be invited as a guest in other Azure AD tenants, or switch to those other tenants (where users have been invited as a guest).
- The policy requires Teams for Windows version 1.3.00.30866 or higher, and Teams for macOS version 1.3.00.30882 (released mid-November 2020).
Policies for Windows Administrative Template files (ADMX/ADML) are available from the Download center (the policy setting descriptive name in the administrative template file is "Restrict sign in to Teams to accounts in specific tenants"). Additionally, you can manually set keys in Windows Registry:
- Value Name: RestrictTeamsSignInToAccountsFromTenantList
- Value Type: String
- Value Data: Tenant ID, or comma-separated list of Tenant IDs
- Path: use one of the following
Computer\HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Cloud\Office\16.0\Teams Computer\HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Office\16.0\Teams Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Teams
Example: SOFTWARE\Policies\Microsoft\Office\16.0\Teams\RestrictTeamsSignInToAccountsFromTenantList = Tenant ID or SOFTWARE\Policies\Microsoft\Office\16.0\Teams\RestrictTeamsSignInToAccountsFromTenantList = Tenant ID 1,Tenant ID 2,Tenant ID 3
Policies for macOS For macOS managed devices, use .plist to deploy sign-in restrictions. The configuration profile is a .plist file that consists of entries identified by a key (which denotes the name of the preference), followed by a value, which depends on the nature of the preference. Values can either be simple (such as a numerical value) or complex, such as a nested list of preferences.
- Domain: com.microsoft.teams
- Key: RestrictTeamsSignInToAccountsFromTenantList
- Data Type: String
- Comments: Enter comma separate list of Azure AD tenant ID(s)
Global sign in and Microsoft Teams
Our improved sign-in experience on shared device provides a hassle free sign-in for Frontline Workers. Employees can pick a device from the shared device pool and do a single sign in to "make it theirs" for the duration of their shift. At the end of their shift, they should be able to perform sign out to globally sign out on the device. See Sign out of Teams to learn more. This will remove all of their personal and company information from the device so they can return the device to the device pool. To get this capability, the device must be set in shared mode. Make sure to end any active meeting or call on the device before signing out.
Android: To learn how to set up android devices in shared mode, see How to use a shared device mode in Android.
iOS: Shared device mode support on iOS is in public preview. To set a device in shared mode on iOS, see How to use shared device mode on iOS. Download Teams app from app store, once the device is set in shared mode. Launch Teams and leave it open for 30 seconds, close the app and relaunch (this step is only needed for public preview phase).
The sign-in experience looks similar to our standard Teams sign-in experience.
Note
This feature is in public preview.
URLs and IP address ranges for Microsoft Teams
Teams requires connectivity to the Internet. To understand endpoints that should be reachable for customers using Teams in Office 365 plans, Government, and other clouds, read Office 365 URLs and IP address ranges.
Related topics
Feedback
Submit and view feedback for