Modern authentication support for the resource account used by Microsoft Teams Rooms works using the Resource owner password grant type in OAuth 2.0. This means there are no changes to the user experience from the client side. You still configure the resource account in the same way as it used to work before. There will be an additional setting to enable using Modern authentication that you will need to turn on. With MA turned on, the MTR application will use ADAL to get resource tokens from AAD for Exchange and Skype for Business resources. This already works in this way with the Teams service. The setting is introduced to give IT admins more control over testing their environment's configuration and having a fallback in case the customer's environment is not correctly set up using hybrid modern authentication or server settings for Online services are not configured correctly.
Since we use the resource owner password grant type (more info: https://tools.ietf.org/html/rfc6749), there are no prompts at app level to provide a pin, certificate or experience to send a notification to Authenticator. This means there is no provision for MFA. MFA is also not supported on these devices as these are shared devices and there are nightly maintenance reboots or token expiry across multiple devices that is not manageable.
Since the authentication is at the application level and not device level, you cannot apply conditional access policies for device compliance, hybrid auth or MFA for the resource account. You may however configure location based conditional access which will fail to login based on location. Although there is no user data stored on the device and we have custom lock down implemented on the device, if you wish to manage devices for compliance and hybrid AD joined, you can follow guidance published here: https://techcommunity.microsoft.com/t5/intune-customer-success/managing-teams-meeting-rooms-with-intune/ba-p/1069230
RE: Password rotation: This feature has been in MTR TAP for some time for Online only users but we haven't gotten enough feedback/usage in TAP to meet the criteria for further rollout, and we have another initiative to get out of the business of account and password management so that these policies can be applied at AAD level and enforced at device level without impact on service continuity.
Hope this helps!
Unearth ToddMethven Ilya Bukshteyn
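An added example, not part of the original post or Microsoft's code: a small audit that flags Conditional Access policies which would require MFA or device compliance from a room resource account (which the reply says it cannot satisfy) and notes location-based blocks, which it says are supported. The policy dictionaries follow the Microsoft Graph `conditionalAccessPolicy` shape; the account ID, policy names and data are constructed, and group or role targeting is not evaluated.

```python
# Constructed object ID standing in for the Teams Rooms resource account.
ROOM = "00000000-0000-0000-0000-00000000r00m"

# Grant controls the resource account cannot satisfy: the password grant has
# no prompt for MFA and authentication happens at app level, not device level.
UNSATISFIABLE = {"mfa", "compliantDevice", "domainJoinedDevice"}

def applies_to(policy, user_id):
    """True if the policy targets the user directly or via 'All' (groups not resolved)."""
    users = policy["conditions"]["users"]
    if user_id in users.get("excludeUsers", []):
        return False
    included = users.get("includeUsers", [])
    return "All" in included or user_id in included

def audit(policies, user_id):
    """Return (policy name, finding) pairs for enabled policies that hit the account."""
    findings = []
    for p in policies:
        if p.get("state") != "enabled" or not applies_to(p, user_id):
            continue
        controls = set((p.get("grantControls") or {}).get("builtInControls", []))
        unmet = sorted(controls & UNSATISFIABLE)
        if unmet:
            findings.append((p["displayName"], "requires " + ", ".join(unmet)))
        elif "block" in controls and p["conditions"].get("locations"):
            findings.append((p["displayName"], "location-based block"))
    return findings

# Constructed sample policies.
SAMPLE = [
    {"displayName": "MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "MFA, rooms excluded", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [ROOM]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Rooms only from office", "state": "enabled",
     "conditions": {"users": {"includeUsers": [ROOM]},
                    "locations": {"includeLocations": ["All"],
                                  "excludeLocations": ["office-named-location"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Compliant device (draft)", "state": "disabled",
     "conditions": {"users": {"includeUsers": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE, ROOM):
        print(f"{name}: {finding}")
```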