What is Conditional Access?
Conditional Access is a Microsoft Entra feature that allows organizations to configure policies to grant or block access to corporate resources. These policies use if-then statements based on Assignments and Access controls. Enforcing incompatible Conditional Access policies on a Surface Hub device account can lead to the following issues:
- Unable to add the device account to the Surface Hub
- Welcome Screen calendar fails to sync with Exchange
- Teams Rooms client not signing in
Follow the guidance on this page to understand how the Surface Hub device account interacts with Conditional Access and troubleshoot issues effectively.
Device account and Conditional Access policies
The Surface Hub device account is used to receive meeting invitations and join Teams meetings. When creating Conditional Access policies, consider the following key assignments and access controls to prevent the device account from being blocked.
Key assignments for Conditional Access
Cloud apps
The Surface Hub device account uses the following cloud apps when signing in. Make sure your Conditional Access policies allow sign-in to these resources to prevent interruptions:
- Office 365
- Office 365 Exchange Online
- Office 365 SharePoint Online (this includes OneDrive for Business)
- Graph Explorer
- Microsoft Teams
Conditions
The Surface Hub is included in the following conditions:
- Device platforms - Windows
- Client apps - Mobile apps and desktop
Access controls incompatible with Surface Hub
The Surface Hub device account isn't compatible with Conditional Access policies that require the following Grant and Session Access controls. All Surface Hub device accounts must be excluded from such policies.
Grant
- Require multifactor authentication
- Require authentication strength (Preview)
- Require device to be marked as compliant
- Require Microsoft Entra hybrid joined device
- Require approved client app
- Require app protection policy
- Require password change
Session
- Use app-enforced restrictions
- Use Conditional Access App Control
For more details on Assignments and Access controls, see the building a Conditional Access policy article.
Troubleshooting sign-in issues with Conditional Access policies
If your Surface Hub device account encounters sign-in errors, use the following tools and methods to diagnose and resolve Conditional Access policy conflicts.
- Azure sign-in logs: Review the Azure sign-in logs to identify failures or interruptions. The details often reveal if a Conditional Access policy is blocking sign-in.
- What If tool: Use the "What If" tool to determine which Conditional Access policies apply to the device account. Select the Surface Hub device account as the user and leave the default "Any cloud app" selected. Learn more at Troubleshooting Conditional Access using the What If tool.
Review Conditional Access policies
If the Azure sign-in logs and "What If" tool don't reveal any Conditional Access policies affecting the account, manually review every Conditional Access policy to ensure the Surface Hub device account isn't impacted.
Step 1: Locate Conditional Access policies in Microsoft Intune
Navigate to your tenant's Conditional Access policies within Microsoft Intune. Ensure the account you use has a role that permits viewing Conditional Access policies.
- Sign in to the Microsoft Intune admin center
- Go to Devices > Conditional Access
Step 2: Review policy assignments and access controls
Select each Conditional Access policy and review its Assignments and Access Controls. Use the requirements listed above to determine if the policy is compatible with the Surface Hub. If not, the device account needs to be excluded from such policies.
Note
Policies in On or Report Only states can affect the Surface Hub device account.
Exclude device account from unsupported Conditional Access policies
Due to the limited number of policies the Surface Hub device account supports, it often needs to be excluded from Conditional Access policies to allow sign-in. Follow these steps:
- In the Conditional Access policy, navigate to Assignments, then select Users > Exclude.
- Select Users and groups.
- Choose each Surface Hub device account or group of device accounts.
- Click Save at the bottom of the screen.
Important
Ensure you select the Surface Hub device account user object, not the Surface Hub device object.
Watch this video for step-by-step guidance on excluding user accounts from Conditional Access policies.
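As an added example (not from this page or from Microsoft), the review in Step 2 and the exclusion check can be automated over a policy export: the script below walks policy records in the Microsoft Graph conditionalAccessPolicy JSON shape and flags every On or Report-only policy that applies one of the incompatible Grant or Session controls listed above to a device account that is not yet excluded. The Graph field names, the mapping of the listed controls to builtInControls values, the placeholder account id and the sample policies are assumptions constructed for the example.

```python
# Policy records follow the Microsoft Graph conditionalAccessPolicy schema (assumed field names).
INCOMPATIBLE_GRANT = {  # the page's incompatible Grant controls as Graph builtInControls values (assumed)
    "mfa": "Require multifactor authentication",
    "compliantDevice": "Require device to be marked as compliant",
    "domainJoinedDevice": "Require Microsoft Entra hybrid joined device",
    "approvedApplication": "Require approved client app",
    "compatibleApplication": "Require app protection policy",
    "passwordChange": "Require password change",
}
ACTIVE_STATES = {"enabled", "enabledForReportingButNotEnforced"}  # On and Report-only both count

def policy_conflicts(policy, account_id):
    """Return the incompatible controls in `policy` that would apply to the device account."""
    users = policy.get("conditions", {}).get("users", {})
    include = users.get("includeUsers", [])
    if policy.get("state") not in ACTIVE_STATES or account_id in users.get("excludeUsers", []):
        return []
    # Group membership is not resolved here, so a group-scoped policy is conservatively treated as applying.
    if "All" not in include and account_id not in include and not users.get("includeGroups"):
        return []
    grant = policy.get("grantControls") or {}
    session = policy.get("sessionControls") or {}
    hits = [INCOMPATIBLE_GRANT[c] for c in grant.get("builtInControls", []) if c in INCOMPATIBLE_GRANT]
    if grant.get("authenticationStrength"):
        hits.append("Require authentication strength")
    if (session.get("applicationEnforcedRestrictions") or {}).get("isEnabled"):
        hits.append("Use app-enforced restrictions")
    if (session.get("cloudAppSecurity") or {}).get("isEnabled"):
        hits.append("Use Conditional Access App Control")
    return hits

def audit(policies, account_id):
    """Map displayName -> conflicts for every policy the device account still needs excluding from."""
    return {p["displayName"]: c for p in policies if (c := policy_conflicts(p, account_id))}

# Constructed sample export: a placeholder hub account object id and three policies.
HUB_ACCOUNT_ID = "hub-device-account-object-id"
SAMPLE_POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []}},
     "grantControls": {"builtInControls": ["mfa"]}, "sessionControls": None},
    {"displayName": "Block legacy auth", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []}},
     "grantControls": {"builtInControls": ["block"]}, "sessionControls": None},
    {"displayName": "App control for hub", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": [HUB_ACCOUNT_ID], "excludeUsers": []}},
     "grantControls": None, "sessionControls": {"cloudAppSecurity": {"isEnabled": True}}},
]
```

Calling `audit(SAMPLE_POLICIES, HUB_ACCOUNT_ID)` reports the MFA policy and the report-only app-control policy as needing an exclusion, while the block-only policy is not flagged because "block" is not one of the listed incompatible controls.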