Fix Conditional Access-related issues for Teams Android devices
Symptoms
Conditional Access is a Microsoft Entra feature that helps make sure that devices that access corporate resources are correctly managed and secured. If Conditional Access policies are applied to the Teams service, Android devices (including Teams phones, Teams displays, Teams panels, and Microsoft Teams Rooms on Android) that access Teams must comply with the policies. Otherwise, Conditional Access will prevent users from signing in to or using the Teams app on the devices.
If these policies are applied, you might experience one or more of the following issues on non-compliant devices:
- The devices can't sign in to Teams, or they get stuck in sign-in loops.
- The devices automatically sign out of Teams randomly.
- Microsoft Teams freezes or crashes.
Cause
These issues can occur for the following reasons:
Unsupported Conditional Access policy or Intune device compliance policy settings
If a device is marked as non-compliant, the Microsoft Entra token issuing service stops renewing the tokens for the device object, or even revokes the token. In this case, the device can't get an updated authentication token, and it's forced to sign out.
To check the compliance status of your devices, use the Intune Device compliance dashboard.
The Sign-in frequency setting
This setting forces periodic reauthentication. This might cause the devices to sign out randomly, depending on how many of your Conditional Access policies have different sign-in frequencies set. Whenever reauthentication occurs, the token is revoked and a new device object is created under the user account. If the number of device objects exceeds the Microsoft Entra device limit or Intune device limit, the user can't sign in to the device.
The Terms of Use (ToU) and MFA Conditional Access policies, if both are used
For more information, see Known issues with Teams phones.
To check whether the issues are caused by Conditional Access policies, follow these steps:
Go to the sign-in logs in the Azure portal.
Select the User sign-ins (non-interactive) tab.
Select Add filters to add the following filters:
- Status: Select Failure, and then select Apply.
- Application: Enter Teams, and then select Apply.
Look for items of the affected usernames that have the following Application values:
- Microsoft Teams
- Microsoft Teams Service
- Microsoft Teams – Device Admin Agent
Select each item to view details about the failed sign-in. Usually, you can get more information from the following fields on the Basic info tab:
- Sign-in error code
- Failure reason
- Additional Details
If the sign-in error code seems to be related to compliance, select the Conditional Access tab, and then look for policies that show a Failure result.
Review the policy details.
Resolution
To fix the issues that are caused by certain Conditional Access policies, use device filters to exclude the devices from these policies. Commonly used device properties are manufacturer and model. Commonly used operators are Contains, StartsWith, and In.
Note
- Device filters apply to only device objects, not user accounts.
- Some attributes, such as model and manufacturer, can be set only if devices are enrolled in Intune. If your devices aren't enrolled in Intune, use extension attributes.
- If you don't have the required access to configure Conditional Access and Intune compliance policies, work with someone who has access. Check each policy setting for unsupported settings for Teams devices.
The following screenshot shows an example device filter.
References
- Supported Conditional Access and Intune device compliance policies for Microsoft Teams Rooms and Teams Android Devices
- App protection policies overview
- Conditional Access and compliance best practices for Microsoft Teams Rooms
- Authentication best practices for Microsoft Teams shared device management of Android devices
- Known issues in Teams Rooms and devices
- Video: Intune Compliance & Conditional Access with Teams Android devices
Feedback
https://aka.ms/ContentUserFeedback.
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see:Submit and view feedback for