Fix Conditional Access-related issues for Teams Android devices

Symptoms

Conditional Access is a Microsoft Entra feature that helps make sure that devices that access corporate resources are correctly managed and secured. If Conditional Access policies are applied to the Teams service, Android devices (including Teams phones, Teams displays, Teams panels, and Microsoft Teams Rooms on Android) that access Teams must comply with the policies. Otherwise, Conditional Access will prevent users from signing in to or using the Teams app on the devices.

If these policies are applied, you might experience one or more of the following issues on non-compliant devices:

  • The devices can't sign in to Teams, or they get stuck in sign-in loops.
  • The devices automatically sign out of Teams randomly.
  • Microsoft Teams freezes or crashes.

Cause

These issues can occur for the following reasons:

  • Unsupported Conditional Access policy or Intune device compliance policy settings

    If a device is marked as non-compliant, the Microsoft Entra token issuing service stops renewing the tokens for the device object, or even revokes the token. In this case, the device can't get an updated authentication token, and it's forced to sign out.

    To check the compliance status of your devices, use the Intune Device compliance dashboard.

  • The Sign-in frequency setting

    This setting forces periodic reauthentication. This might cause the devices to sign out randomly, depending on how many of your Conditional Access policies have different sign-in frequencies set. Whenever reauthentication occurs, the token is revoked and a new device object is created under the user account. If the number of device objects exceeds the Microsoft Entra device limit or Intune device limit, the user can't sign in to the device.

  • The Terms of Use (ToU) and MFA Conditional Access policies, if both are used

    For more information, see Known issues with Teams phones.

To check whether the issues are caused by Conditional Access policies, follow these steps:

  1. Go to the sign-in logs in the Azure portal.

  2. Select the User sign-ins (non-interactive) tab.

  3. Select Add filters to add the following filters:

    • Status: Select Failure, and then select Apply.
    • Application: Enter Teams, and then select Apply.

    Screenshot of the Status and Application filters.

  4. Look for entries for the affected usernames that have one of the following Application values:

    • Microsoft Teams
    • Microsoft Teams Service
    • Microsoft Teams – Device Admin Agent

  5. Select each item to view details about the failed sign-in. Usually, you can get more information from the following fields on the Basic info tab:

    • Sign-in error code
    • Failure reason
    • Additional Details

    Screenshot of the Basic info page of the sign-in activity details.

  6. If the sign-in error code seems to be related to compliance, select the Conditional Access tab, and then look for policies that show a Failure result.

    Screenshot of the Conditional Access page of the sign-in activity details.

  7. Review the policy details.

    Screenshot of the Conditional Access policy details.
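
The same triage can be run offline over exported sign-in records. The following is an added example, not part of the original article or Microsoft's tooling. It assumes the records use the property names of the Microsoft Graph signIn resource (appDisplayName, status.errorCode, appliedConditionalAccessPolicies, deviceDetail.isCompliant); the function name triage and all sample values are constructed for illustration.

```python
import json
from collections import defaultdict

# Application values from step 4. The page writes the third name with an en dash;
# the ASCII-hyphen spelling is also accepted (assumption about exported data).
TEAMS_APPS = {"Microsoft Teams", "Microsoft Teams Service",
              "Microsoft Teams \u2013 Device Admin Agent",
              "Microsoft Teams - Device Admin Agent"}

def triage(sign_ins):
    """Return {user: [failed Teams sign-ins and the CA policies that failed]}."""
    findings = defaultdict(list)
    for entry in sign_ins:
        status = entry.get("status") or {}
        # Steps 3-4: keep only failures (errorCode 0 is success) for Teams apps.
        if entry.get("appDisplayName") not in TEAMS_APPS or not status.get("errorCode"):
            continue
        # Step 6: policies that show a Failure result on the Conditional Access tab.
        failed = [p.get("displayName")
                  for p in entry.get("appliedConditionalAccessPolicies") or []
                  if p.get("result") == "failure"]
        findings[entry.get("userPrincipalName")].append({
            "time": entry.get("createdDateTime"),
            "app": entry["appDisplayName"],
            "error_code": status["errorCode"],  # step 5 fields follow
            "failure_reason": status.get("failureReason"),
            "additional_details": status.get("additionalDetails"),
            "device_compliant": (entry.get("deviceDetail") or {}).get("isCompliant"),
            "failed_policies": failed,
        })
    return dict(findings)

# Constructed sample records (not real tenant data).
SAMPLE = json.loads("""[
 {"createdDateTime": "2024-01-10T08:00:00Z", "userPrincipalName": "room1@contoso.example",
  "appDisplayName": "Microsoft Teams", "deviceDetail": {"isCompliant": false},
  "status": {"errorCode": 53000, "failureReason": "Device not compliant (constructed text)"},
  "appliedConditionalAccessPolicies": [
   {"displayName": "Require compliant device (constructed)", "result": "failure"},
   {"displayName": "Require MFA (constructed)", "result": "notApplied"}]},
 {"createdDateTime": "2024-01-10T08:05:00Z", "userPrincipalName": "room1@contoso.example",
  "appDisplayName": "Microsoft Teams Service", "status": {"errorCode": 0},
  "appliedConditionalAccessPolicies": []},
 {"createdDateTime": "2024-01-10T08:07:00Z", "userPrincipalName": "user2@contoso.example",
  "appDisplayName": "Office 365 Exchange Online", "status": {"errorCode": 53000},
  "appliedConditionalAccessPolicies": []}
]""")

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE), indent=2))
```

An entry whose failed_policies list is empty failed for a reason other than a Conditional Access policy, so check its failure reason before changing any policy.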

Resolution

To fix the issues that are caused by certain Conditional Access policies, use device filters to exclude the devices from these policies. Commonly used device properties are manufacturer and model. Commonly used operators are Contains, StartsWith, and In.

Note

  • Device filters apply only to device objects, not to user accounts.
  • Some attributes, such as model and manufacturer, can be set only if devices are enrolled in Intune. If your devices aren't enrolled in Intune, use extension attributes.
  • If you don't have the required access to configure Conditional Access and Intune compliance policies, work with someone who has access. Check each policy setting for unsupported settings for Teams devices.

The following screenshot shows an example device filter.

Screenshot of an example device filter.

References