Forum Discussion
Teams Phone device refuse login with 1449/1.0.94.2021033002 firmware and ADFS
- Jun 30, 2021
So I have a small update from Microsoft on this, and it's more of a temporary fix from what I understand.
- Log in to https://endpoint.microsoft.com/#blade/Microsoft_Intune_DeviceSettings/DevicesEnrollmentMenu/enrollmentRestrictions
- Create a new Device Type Restriction
- Give it a name
- On "Platform Settings" change "Android Enterprise (work profile)" to BLOCK
- Make sure "Android Device Administration" is set to ALLOW
- Click Next
- Click Next
- Under Assignments click Add Group and select the group of users that are signing into devices.
- Click through to finish the setup
Wait a few minutes, then reboot the phone and log in again.
I'm still trying to find out how to resolve the issue correctly, but this seems to have helped most of the cases I've had issues with so far.
Hey KruthikaPonnusamy, could you chime in on this? Support is literally telling folks to turn off security features (not a good look!), and the "fix" is not documented as required anywhere and has been hit/miss for folks in this thread.
I can still roll a phone back to pre-2021 firmware and login works fine.
This explains that if you need CA policies, you need Intune enrollment. For Intune enrollment, you need an Intune license.
- jimgrumbles, Aug 04, 2021, Copper Contributor
Agreed. Intune seems to just foul things up. Even with devices added with a corporate identifier, Intune feels the need to intervene and declare the device as new and count it towards a user's device limit that can't be raised beyond 15.
- Jeroen Dijkman, Jul 30, 2021, Brass Contributor
What about companies who do not use Intune or do not want to use Intune for the IP phone management? Is there a solution that Microsoft can offer for these use cases?
I like to compare it to the Teams Meeting Room Devices where you have no need for Intune enrollment.
- KruthikaPonnusamy, Jul 23, 2021, Microsoft
We have recently published tenant admin documentation. The questions you are asking are addressed in either of these 2 links.
https://docs.microsoft.com/en-us/microsoftteams/devices/phones-displays-deploy
https://docs.microsoft.com/en-us/microsoftteams/itadmin-readiness#teams-android-devices
At a high level:
1. If you have (Intune license + device management policies set up for the account used to sign into the Teams phone), there are certain requirements you have to meet w.r.t. endpoint management. This is covered in the links above.
2. If you don't have an Intune license, make sure that Intune CA policies are disabled for the account.
3. If you have a CAP license, Intune license is an add-on. See #2 above.
4. Device management via Teams Admin Center does not provide endpoint management.
- Jeroen Dijkman, Jul 22, 2021, Brass Contributor
Hi, yes this is behavior I have seen before. When we re-use a CAP phone to be used as a normal User phone we perform a factory reset first.
This should prevent the issue you are describing.
- Graham_Watling, Jul 22, 2021, Copper Contributor
We have a mix. Some phones will sign in as a CAP user and that will be it for the rest of the phone's life. However, in some of our areas these will get signed out and a normal user will sign in. Once this happens it renders the phone useless.
- Jeroen Dijkman, Jul 22, 2021, Brass Contributor
Not sure why you would let a user sign in with a CAP license. We have created dedicated accounts for the Common Area Phones. To prevent the logon issue happening we are using AAD (cloud only) accounts for the CAP devices. This also takes away the need to enroll into Intune, at least in our case.
If you want the device to enroll into Intune you need to enable the Android Device Administrator option for personal or corporate devices. We are using the corporate device option here, which does then have the requirement to register the phone's serial number as a corporate identifier in Intune. We are using this scenario for normal User phones and our users have the full Intune license.
Both setups work fine for us. But you are right that Microsoft needs to come up with clear documentation on this topic. We also still have an open ticket with them on this topic.
Regards,
- Graham_Watling, Jul 22, 2021, Copper Contributor
jangliss BrandonJ365 KruthikaPonnusamy
So can anyone actually say they have this working correctly and be confident with the system, as I'm pulling my hair out with this now.
If a user signs in with a CAP license all is fine. It's up to the point someone signs in with a higher license which includes Intune. The device tries to register into endpoint but fails. At this point the phone is rendered a paperweight; no one, either with or without an Intune license, can sign in. Either it fails and loops round or signs in as "Unknown User".
We only have one CA for MFA. I've added the Enrolment restriction mentioned in the fix for this forum.
Ideally I want any user, CAP or higher, to be able to sign in with no issues and the device not to enrol into Intune. Is this even possible now, as the public MS information is very conflicting? Had no issues up until this update.
Can KruthikaPonnusamy provide a list of everything that's needed to be in place? This would make life a lot easier for all.
Thanks
- jangliss, Jul 20, 2021, Iron Contributor
BrandonJ365 So that's the clearest it has been explained so far, thank you.... But...
My tenant, the one that is working, has CA requiring MFA for new devices, and every 30 days. I don't use ADFS/Duo/etc. Some of the customers that are seeing the issue do not have CA, but the common thread is that they are using ADFS/Duo/etc. Basically the issue is occurring inverse to what you said should be happening. I should have to put the device policies in place in my tenant because I have CA MFAs, whereas my customers shouldn't have to, unless they also have CA.
My understanding as well, the CA in Intune is the same as in Azure AD. CA applies across the board, and that CA is actually licensed under Azure AD Premium (P1/P2), not Intune.
Maybe I'm missing something?
- BrandonJ365, Jul 20, 2021, Brass Contributor
jangliss The key to all of the problems seems to center around whether your Teams tenant is managed/secured by conditional access or not. Perhaps you aren't running conditional access but your customer is?
Basically, if you are running CA, something besides just a username and password should be required to gain access to the protected resource. For example, you'd have to also be on a managed device, or coming from a managed network, or authenticated via MFA, etc. In the case of these phones, they are saying they must be Intune managed to be admitted by conditional access. As it turns out, there was a bug (security hole) for let's call it 15 months that was allowing these phones to authenticate to Teams despite never successfully "passing the conditional access test" of Intune. Microsoft found and fixed that bug, so now either you must license all accounts that will log in to Teams phones and allow enrollment into Intune, or disable conditional access for your Teams tenant.
As far as what Intune is doing to manage these devices....basically nothing. In fact, the phones really don't seem to play smoothly with Intune anyway. We have nearly 300 phones online now as seen by TAC. Somehow only just over 200 are showing to be enrolled in Intune and only just over half of them show as "compliant", despite them being identical devices with the same single policy applied to all. And most don't seem to check in on the regular basis that an Intune enrolled device should.
- jangliss, Jul 20, 2021, Iron Contributor
KruthikaPonnusamy This is confusing, because there is nothing that states you must enroll a device into Intune, but everything in the support conversation has been that you must configure policies to enroll in Intune. In addition, this note contradicts support and other items in this thread.
- If tenant admins want common area phones to be enrolled into Intune, they need to add an Intune license to the account and follow the steps for Intune enrollment.
- If the user account used to sign into a Teams device isn't licensed for Intune, Intune compliance policies and enrollment restrictions need to be disabled for the account.
So can we get a clarification:
- Why is Intune now required to manage devices?
- Why is it not required for CAP devices?
- What if somebody isn't licensed for Intune?
- Note above says you have to disable compliance/enrollment in Intune options for the user, what if you're managing 5k users?
- What is Intune doing for managing the devices that TAC isn't doing?
- Where is the documentation that states Intune must be used, when it wasn't a hard requirement before?
- This might be me, but I've seen this issue impact Tenants with external authentication (ADFS/Duo/etc) versus those using Azure/Office365. I can sign in my work account into a device with no Intune settings defined, first time every time. Signing into a customer Tenant that uses ADFS fails without those Intune settings. Why?
Thanks
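The thread's recurring question is which Conditional Access policies actually force a Teams phone into Intune enrollment for a given sign-in account (Kruthika's point 2, "make sure that Intune CA policies are disabled for the account", and jangliss's question about doing that for 5k users). The script below is an added example written for this page; it is not from the thread or from Microsoft's documentation. It uses the Microsoft Graph PowerShell SDK to list every CA policy whose grant controls demand a compliant (Intune-managed) or hybrid-joined device and reports whether the policy's user scope includes the account that signs into the phone. The function name `Get-TeamsPhoneBlockingCaPolicies`, the parameter `$AccountUpn`, and the sample UPN in the usage comment are names chosen here, not identifiers from the thread; it assumes the caller can consent to `Policy.Read.All`, `User.Read.All` and `GroupMember.Read.All`.

```powershell
# Added example (not the thread's or Microsoft's code). Reports Conditional
# Access policies whose grant controls can only be satisfied by a device that
# Intune knows about, and whether each one is scoped to the account used to
# sign into a Teams phone. An account without an Intune licence cannot satisfy
# such a policy, which is the sign-in failure discussed in the thread.
# Requires the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph).
function Get-TeamsPhoneBlockingCaPolicies {
    param(
        # UPN of the account that signs into the phone (name chosen for this example)
        [Parameter(Mandatory)] [string] $AccountUpn
    )

    Connect-MgGraph -Scopes 'Policy.Read.All', 'User.Read.All', 'GroupMember.Read.All' | Out-Null

    # Resolve the account and its transitive group membership; CA evaluates
    # group scope transitively, so direct membership alone would under-report.
    $user     = Get-MgUser -UserId $AccountUpn -Property Id, UserPrincipalName
    $groupIds = @(Get-MgUserTransitiveMemberOf -UserId $user.Id -All | ForEach-Object Id)

    # Built-in grant controls that require a managed device.
    $deviceControls = @('compliantDevice', 'domainJoinedDevice')

    foreach ($p in Get-MgIdentityConditionalAccessPolicy -All) {
        $controls       = @($p.GrantControls.BuiltInControls)
        $matched        = @($controls | Where-Object { $deviceControls -contains $_ })
        if ($matched.Count -eq 0) { continue }

        # User scope: 'All', explicit user object ids, or group object ids.
        $users    = $p.Conditions.Users
        $included = ($users.IncludeUsers -contains 'All') -or
                    ($users.IncludeUsers -contains $user.Id) -or
                    (@($users.IncludeGroups | Where-Object { $groupIds -contains $_ }).Count -gt 0)
        $excluded = ($users.ExcludeUsers -contains $user.Id) -or
                    (@($users.ExcludeGroups | Where-Object { $groupIds -contains $_ }).Count -gt 0)

        [pscustomobject]@{
            Policy           = $p.DisplayName
            State            = $p.State   # enabled / disabled / enabledForReportingButNotEnforced
            DeviceControls   = $matched -join ','
            Apps             = @($p.Conditions.Applications.IncludeApplications) -join ','
            AppliesToAccount = $included -and -not $excluded
        }
    }
}

# Usage; the UPN is a placeholder for the account used on the phone:
# Get-TeamsPhoneBlockingCaPolicies -AccountUpn 'lobby-phone@contoso.example' |
#     Where-Object { $_.State -eq 'enabled' -and $_.AppliesToAccount } |
#     Format-Table -AutoSize
```

The output is a starting point, not a verdict: the script evaluates only the grant controls and the user scope, and ignores the policy's application, platform, location and sign-in-risk conditions. Any policy it flags as applying to the phone account should be confirmed with the Conditional Access "What If" tool or by reviewing the account's sign-in logs, and the exclusion group it suggests you need should be as narrow as the Teams device accounts themselves rather than a tenant-wide exemption.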