Forum Discussion
Disable images in Teams or force to act like files.
I don't think anything has changed here. There have always been two ways to include an image in a chat message: paste it in, or upload it as an attachment. If you paste it in, it forms part of the message itself and end users can view it whether or not they have OneDrive/SharePoint access.
Regarding the issue with blocking access to Teams in the browser, which browser are you using? If it is Google Chrome, I believe you need to deploy the Windows Accounts extension: Windows Accounts - Chrome Web Store (google.com)
Edit: I just remembered that as of Chrome version 111, you no longer need the extension as this functionality is built-in; you just need to enable the "Automatic sign-in to Microsoft cloud identity providers" policy: Chrome Enterprise policy list and management | Documentation
- JeffsRealm May 31, 2023 Copper Contributor
Thanks, will look into the Chrome settings. I did try it with Edge and Chrome, the only 2 browsers we allow.
As far as the Teams change, yes, this is something new. We are in the GCCH environment; we get updates much later. We even have a different Teams client installer. We cannot use commercial Teams or the Teams that comes installed on Windows. However, you are correct, I can copy and paste or upload images. However, when you tried to copy and paste images, which I know as recently as 2 weeks ago, if the images were not from your OneDrive you got an error message that the image was outside of your boundary. You needed to save the image to OneDrive before it could be put into Teams. This was standard procedure. And yes, it was extra work; however, this allowed the labeling and file security on images the same as files. When you hit send on Teams with a copied and pasted image, OneDrive would inform you that you shared the file abcd.jpg with the username of the person you sent it to. So images were treated as files with the same security. I know I did this to my boss 2 weeks ago: found a meme on the internet, forgot, out of habit copied and pasted, and got the error. I had to actually save the meme to my OneDrive, then attach it in Teams. This is the functionality we had. Everything was shared like that. And when a user left the company and the OneDrive was purged, so were the images.
- RyanSteele-CoV May 31, 2023 Iron Contributor
JeffsRealm Interesting, I didn't realize that Teams in the GCCH environment handled this differently. Thanks for the correction.
If Conditional Access is not working with Microsoft Edge, there must be something else going on, since Edge natively supports it: Microsoft Edge and Conditional Access | Microsoft Learn. (Perhaps this is another GCCH limitation.)
- JeffsRealm Jun 01, 2023 Copper Contributor
So I got an engineer call finally; they are swamped right now. In case anyone else needs to block Teams:
Conditional Access Policy. However, you have to block more than just Teams. You have to block all services in the chain for Teams to work:
https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/service-dependencies
Then under access controls, check to completely block everyone. The trick to getting what you want is under Conditions and filter for devices. Exclude the devices you want. You can get as detailed as you want: Hybrid joined devices, Azure AD joined devices only Azure AD Registered devices, Compliant devices, Device Ownership set in Intune, to a group, or heck, right down to a list of device names if you want. This will exclude these devices from the compliance policy.
This works better than grant access on a few things.
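The policy described in the post above, sketched as an added example (not code from the thread or from Microsoft): it builds the request body for a Microsoft Graph `conditionalAccessPolicy` that blocks everyone and excludes devices through a device filter. Assumptions: targeting the `Office365` app group is used here to cover Teams together with the services it depends on, the policy starts in report-only state, and the function names and display name are hypothetical.

```python
import json

# trustType values used by the Conditional Access "filter for devices" rule syntax.
TRUST_TYPES = {"hybrid": "ServerAD", "joined": "AzureAD", "registered": "Workplace"}

def device_filter_rule(trust_types=(), compliant_only=False, company_owned=False, names=()):
    """Build the rule that matches the devices to EXCLUDE from the block."""
    clauses = []
    if trust_types:
        tt = [f'device.trustType -eq "{TRUST_TYPES[t]}"' for t in trust_types]
        clauses.append("(" + " -or ".join(tt) + ")" if len(tt) > 1 else tt[0])
    if compliant_only:
        clauses.append("device.isCompliant -eq True")
    if company_owned:
        clauses.append('device.deviceOwnership -eq "Company"')
    if names:
        if any('"' in n for n in names):
            raise ValueError("device names must not contain double quotes")
        clauses.append("device.displayName -in [" + ", ".join(f'"{n}"' for n in names) + "]")
    if not clauses:
        # With nothing excluded, the block would apply to every device.
        raise ValueError("refusing to build a block policy with no excluded devices")
    return " -and ".join(clauses)

def block_policy(rule, exclude_users=(), state="enabledForReportingButNotEnforced"):
    """Request body for a block policy; report-only by default so sign-in logs can be reviewed first."""
    return {
        "displayName": "Block Office 365 incl. Teams except filtered devices",  # hypothetical name
        "state": state,
        "conditions": {
            # exclude_users is where an emergency-access account id would go (assumption).
            "users": {"includeUsers": ["All"], "excludeUsers": list(exclude_users)},
            # Assumption: the Office365 app group covers Teams and its service dependencies.
            "applications": {"includeApplications": ["Office365"]},
            "clientAppTypes": ["all"],
            "devices": {"deviceFilter": {"mode": "exclude", "rule": rule}},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }

if __name__ == "__main__":
    # Constructed sample: allow only compliant hybrid-joined or Azure AD joined devices.
    rule = device_filter_rule(trust_types=("hybrid", "joined"), compliant_only=True)
    print(json.dumps(block_policy(rule), indent=2))
```

Switch `state` to `enabled` only after the report-only results show the excluded devices are the ones expected.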