Forum Discussion
Jake Jacobs
Aug 05, 2020 | Copper Contributor
Common Area Phones and MFA
Doing a project that has 77 CAPs. Need to be able to sign them in in the most efficient way. I tested one manually and the account has MFA required (Note, I am not the AD account control person). ...
Aug 05, 2020
Hi Jake Jacobs
I would recommend this article by Jeff Schertz
http://blog.schertz.name/2020/04/common-area-phones-in-microsoft-teams/
It's probably the most comprehensive guide that there is out there in terms of a play by play for setting up CAP. CAP does support MFA, however you would make the decision about applying MFA to CAP and I guess this would largely depend on the setup of the user accounts. Personally I would go ahead with it, then log in to https://login.microsoft.com and ensure all the user mailboxes associated with CAP are tied to a mobile device which has authenticator, which should make that easy. As stated in the article, Intune isn't recommended as it adds little value in this scenario, and there is no remote management as you have to actually be at the device to log in, so it will be a case of signing in one by one. The good thing about this article is that it's very methodical, in that the CAP policies are set up from the start via PowerShell and the TAC, the users set up, licences and numbers applied, then policies applied via PowerShell, so a lot of this can be done en masse via PowerShell.
Hope that helps and answers your question
Best, Chris
LinusCansby
Aug 05, 2020 | MVP
Hi,
The most common approach for common area phones is to use conditional access so that the IP network you have the phones connected to does not require MFA. So when an account that you use for one of these phones signs in from your network there will be no MFA request, but if someone steals the phone or gets the account information and tries to sign in from another network they will get the MFA challenge (or actually not get it).
Running around and signing in Common Area Phones with MFA is not an option; some companies have a requirement to sign in with MFA every day. Not a fun task even for an intern. Also, a phone in a common area that is not signed in, so that you can't use it for emergency calling, can be illegal in some countries.
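The conditional access setup described in the reply above, written with the Microsoft Graph PowerShell SDK as an added example (not part of any poster's reply and not taken from the linked article). The group name `CAP-Accounts`, the display names and the `203.0.113.0/24` range are placeholders; the range must be replaced with the public egress range of the network the phones sit on.

```powershell
# Added example: require MFA for CAP accounts everywhere except one named network.
# Assumes the Microsoft.Graph module is installed and the signed-in admin can
# manage conditional access. All names and the CIDR below are placeholders.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess',
                        'Application.Read.All', 'Group.Read.All'

# Scope the policy to a group holding only the CAP sign-in accounts, so the
# location exception never applies to ordinary users.
$capGroup = @(Get-MgGroup -Filter "displayName eq 'CAP-Accounts'")
if ($capGroup.Count -ne 1) {
    throw "Expected exactly one group named 'CAP-Accounts', found $($capGroup.Count)"
}

# Named location for the network the phones are connected to.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'CAP phone network (example)'
    isTrusted     = $true
    ipRanges      = @(
        @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = '203.0.113.0/24' }
    )
}

# MFA is required from any location except the named one, so a stolen phone or
# leaked CAP credential used from another network still meets the MFA challenge.
$policy = @{
    displayName   = 'CAP accounts: MFA outside phone network (example)'
    state         = 'enabledForReportingButNotEnforced'   # report-only first
    conditions    = @{
        users        = @{ includeGroups = @($capGroup[0].Id) }
        applications = @{ includeApplications = @('All') }
        locations    = @{
            includeLocations = @('All')
            excludeLocations = @($location.Id)
        }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Show what was created so it can be checked against the sign-in logs.
$created | Select-Object Id, DisplayName, State
```

The policy is created in report-only mode; once the sign-in logs show the phones matching the excluded location as intended, change `state` to `enabled`.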
Aug 05, 2020
Awesome, thanks LinusCansby, that was the point I was making about conditional access above. I had that a few months back; the partner I was working with did exactly this 😄
Best, Chris