Forum Discussion
Teams Phone device refuse login with 1449/1.0.94.2021033002 firmware and ADFS
Has anybody been using ADFS with Teams noticed an issue with the last two firmware updates, when performing logins off-network?
I have a customer running Yealink MP56 phones and the latest firmware 122.15.0.36 running Teams App 1449/1.0.94.2021022403 or 1449/1.0.94.2021033002 can no longer log in using either the device login code or typing user/pass. The login seems to get stuck in a loop between device registration and preparing the device.
I suspect this is partially to do with the ADFS configuration not using UPN for authentication, but this wasn't an issue prior to 1449/1.0.94.2021022403.
So I have a small update from Microsoft on this, and it's more of a temporary fix from what I understand.
- Login to https://endpoint.microsoft.com/#blade/Microsoft_Intune_DeviceSettings/DevicesEnrollmentMenu/enrollmentRestrictions
- Create a new Device Type Restriction
- Give it a name
- On "Platform Settings" change "Android Enterprise (work profile)" to BLOCK
- Make sure "Android Device Administration" is set to ALLOW
- Click Next
- Click Next
- Under Assignments click Add Group and select the group of users that are signing into devices.
- Click through to finish the setup
Wait a few minutes, and reboot the phone, login again.
I'm still trying to find out how to resolve the issue correctly, but this seems to have helped most of the cases I've had issues with so far.
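The same enrollment restriction as the click-through above, done with Microsoft Graph from PowerShell. This is an added example, not code from the thread or from Microsoft's documentation. It assumes the Microsoft.Graph PowerShell SDK, a caller holding DeviceManagementServiceConfig.ReadWrite.All and Group.Read.All, the beta deviceEnrollmentPlatformRestrictionsConfiguration type, and a group named "Teams Phone Users" as a placeholder for the group of users who sign in to the phones. Because the workaround allows the legacy Android Device Administrator mode, the restriction is assigned to that group only, so the rest of the tenant keeps its stricter default.

```powershell
# Added example (not from the thread). Creates the "block Android Enterprise work profile,
# allow Android Device Administrator" device type restriction and assigns it to one group.
Connect-MgGraph -Scopes "DeviceManagementServiceConfig.ReadWrite.All", "Group.Read.All"

$groupName = "Teams Phone Users"   # placeholder: the group that signs in to the phones
$group = Get-MgGroup -Filter "displayName eq '$groupName'"
if (-not $group) { throw "Group '$groupName' not found" }

$restriction = @{
    "@odata.type" = "#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration"
    displayName   = "Teams phones - block work profile, allow DA"
    description   = "Workaround for Teams phone sign-in loop"
    # Android Enterprise (work profile): BLOCK
    androidForWorkRestriction = @{ platformBlocked = $true;  personalDeviceEnrollmentBlocked = $false }
    # Android Device Administrator: ALLOW
    androidRestriction        = @{ platformBlocked = $false; personalDeviceEnrollmentBlocked = $false }
}
$config = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceEnrollmentConfigurations" `
    -Body ($restriction | ConvertTo-Json -Depth 5) -ContentType "application/json"

# Scope it to the phone users only; DA is a legacy management mode, so do not
# loosen it tenant-wide.
$assignment = @{
    enrollmentConfigurationAssignments = @(
        @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $group.Id } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceEnrollmentConfigurations/$($config.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 5) -ContentType "application/json"

"Created restriction $($config.id), assigned to $groupName. Reboot the phone and sign in again."
```

After it is applied, wait a few minutes as the post says; enrollment restrictions are evaluated at enrollment time, so an already-looping phone has to be rebooted and signed in again.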
82 Replies
- alexn1414 (Copper Contributor): I've experienced this issue with error AADSTS50199 in the sign-in logs in Azure AD. In the end it was related to the device login restrictions of 20 devices per user which is set as default.
https://docs.microsoft.com/en-us/troubleshoot/azure/active-directory/maximum-number-of-devices-joined-workplace
- CosmoDenger (Brass Contributor): Remove the login from the phones altogether and the product usability will increase 100x. See this idea here and please vote!! https://feedbackportal.microsoft.com/feedback/idea/94d72cd2-af47-ec11-a819-6045bd7bfb94
- teamsphones (Copper Contributor): Thanks for taking this up. I have voted.
- kylecombs (Copper Contributor):
jangliss, super surprised this hasn't been answered yet but the simplest resolution I've found for this is the following:
In Endpoint Manager, navigate to Devices/Enroll Devices/Enrollment Restrictions/Device type restrictions, make sure Android Enterprise and Android DA are set to allow but leave personally owned set to blocked (or whatever choice is desired here).
Then navigate to Devices/Enroll Devices/Corporate device identifiers; here you will want to add the serial number (not MAC) of the devices being used.
Unfortunately, M$ has not provided a way for Intune to differentiate IP phones from "personally owned" devices (or provide an actual administration console for them); however, shout out to Eric O for pointing me in this direction. It took a lot of hours to figure it out but by adding the corporate ID, these devices bypass any enrollment restrictions imposed on personal devices. Ultimately, I would still suggest the CA policies for the individual model of phone in AAD to reduce the number of "false positives" for compliance issues in Intune but if you're not using it to manage other devices, this isn't a necessary step.
IMO, the Intune team should figure out a way to mark all of the certified Teams phones as corporate by default, should be pretty easy by manufacturer/model... I'm pretty sure no one has bought one of them for personal use.
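Uploading the phone serial numbers as corporate device identifiers, which kylecombs describes above, can be scripted instead of typed into the portal one by one. This is an added example, not code from the thread. It assumes the Microsoft.Graph PowerShell SDK, DeviceManagementServiceConfig.ReadWrite.All, the beta importedDeviceIdentities/importDeviceIdentityList action, and a CSV (the path is a placeholder) with SerialNumber and Description columns exported from the vendor or from Teams admin center.

```powershell
# Added example (not from the thread). Imports Teams phone serial numbers as corporate
# device identifiers so those devices bypass the personally-owned enrollment restrictions.
Connect-MgGraph -Scopes "DeviceManagementServiceConfig.ReadWrite.All"

$csvPath = ".\teams-phone-serials.csv"   # placeholder: SerialNumber,Description
$rows = Import-Csv $csvPath

# Serial numbers, not MAC addresses. Trim, drop blanks, and keep the first description per serial.
$bySerial = @{}
foreach ($r in $rows) {
    $s = ([string]$r.SerialNumber).Trim()
    if ($s -and -not $bySerial.ContainsKey($s)) { $bySerial[$s] = [string]$r.Description }
}

$identities = @(foreach ($s in $bySerial.Keys) {
    @{
        "@odata.type"              = "#microsoft.graph.importedDeviceIdentity"
        importedDeviceIdentifier   = $s
        importedDeviceIdentityType = "serialNumber"
        description                = $bySerial[$s]
    }
})
if ($identities.Count -eq 0) { throw "No serial numbers found in $csvPath" }

# Upload in modest batches so one rejected entry is easy to locate.
$batchSize = 100
for ($i = 0; $i -lt $identities.Count; $i += $batchSize) {
    $end   = [Math]::Min($i + $batchSize, $identities.Count) - 1
    $batch = @($identities[$i..$end])
    $body  = @{
        importedDeviceIdentities          = $batch
        overwriteImportedDeviceIdentities = $false   # keep existing descriptions
    }
    $result = Invoke-MgGraphRequest -Method POST `
        -Uri "https://graph.microsoft.com/beta/deviceManagement/importedDeviceIdentities/importDeviceIdentityList" `
        -Body ($body | ConvertTo-Json -Depth 5) -ContentType "application/json"
    # Each returned entry carries a status flag; report the ones the service rejected.
    foreach ($entry in $result.value) {
        if (-not $entry.status) { Write-Warning "Rejected: $($entry.importedDeviceIdentifier)" }
    }
}
"Uploaded $($identities.Count) corporate identifiers."
```

Review the Corporate device identifiers blade afterwards: an identifier that is already present is not overwritten with the new description because overwriteImportedDeviceIdentities is false.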
- JeroenDijkman (Copper Contributor): This solution was already put in this thread by me. The point here is that using Intune is a workaround for the root issue. The logon loop when not using Intune is the real issue here. In fact when we started with the IP phones in 2020 there was no need to use Intune to connect the IP phones to the Teams Admin Center.
It was after an update of the Teams app that this issue started happening. I have been in a ticket about this issue with Microsoft since May of this year and their statements about the solution have changed a couple of times.
To me Microsoft does not want to admit they caused the issue in the first place. Our company wants to manage the IP phones just like we manage other Teams Devices by just connecting them to the Teams Admin center. And not Intune, because that does not give an added value.
By the way this issue does not occur if you use AAD user accounts for the IP phones....
My ticket with Microsoft will remain open until they fix it.
- teamsphones (Copper Contributor): Please share the latest development or the final fix for this. Our customer phones are looping on the sign-in page.
- jangliss (Iron Contributor):
kylecombs wrote:
"Then navigate to Devices/Enroll Devices/Corporate device identifiers, here you will want to add the serial number (not mac) of the devices being used."
This is a nice way of handling it, versus adding policies to block registrations for all Android Enterprise devices, which was Microsoft's recommendation.
- Ruslan_Bakharev (Brass Contributor): Interesting how the discussion came to a different flow.
In my microsoft ticket engineer confirmed a bug regarding the behavior when device is freezing/logging-out etc. with new Teams agent.
And there should be released new firmware at least for Yealink devices.
Hope will be the same for Polycom.
Regarding CAP license I don't really get the point.
You don't need to use Intune enrollment for it.
CAP licensed account can normally login via "sign-in from another device" or if you setup some CA policy like IP based access you can access via user/password from the phone.
I don't see any real reason to add Intune license for such accounts.
And better to use the same way for Audio Conference devices (with Meeting room licenses) because Intune is buggy and devices sometimes freeze.
I'm not talking about incidents when Intune degradation caused almost 150+ phones in my company to become unusable (user phones as well).
For user phones it's quite clear. You cannot login user without proper CA and Intune policy combination.
Anyway we will wait for a fix from Microsoft.
- Jeroen Dijkman (Brass Contributor): Same for us. I still have an open ticket with MS and they keep asking me to reproduce the issue and send logs. But no confirmation the issue is on their Teams client. So it is good that finally someone within MS is acknowledging this.
For the User devices we do use the Intune enrollment with Device Administrator which prevents (at least for us) the logon loop issue. We have not seen any issues on the phones coming from Intune management so don't really understand what happened in your case.
For CAP's we are using AAD accounts bypassing the ADFS authentication and the need to add an Intune license. This works well for us. (So far)
But it is interesting to see if the new Teams client for Yealink devices will remediate the need to enroll devices into Intune. Because I agree that for the IP phones there is no real added value to have them enrolled. The TAC management is fine for us.
- BrandonJ365 (Brass Contributor): Very interesting. I've been "screaming" about logout issues for a long time now and have yet to be given any indication that anyone else has had those issues, any code fixes, or anything! I have been told that we aren't the only ones with the new Intune enrolled devices NOT checking in daily like they should. I tend to believe this is related to the logout issues but can't say for sure.
- jangliss (Iron Contributor): It's funny you mention logout issues because that's come up with a couple of my customers recently too since this firmware update. I suspect it's tied to Intune as well. An issue discussed on a Poly partner call yesterday was the same device registering multiple times under a single account, causing the account to run into the max device limitations; we've seen that with a few customers as well.
We've been testing the registration exception with a number of folks to see the impact.
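Two things mentioned in this thread are worth checking before opening a ticket: the per-user device quota alexn1414 ran into (20 by default) and the duplicate registrations of one phone under a single account that jangliss describes from the Poly partner call. This added example, which is not from the thread, reads the tenant's device registration policy and lists a phone account's registered devices grouped by display name, flagging the older copies. It assumes the Microsoft.Graph PowerShell SDK, Policy.Read.All, Directory.Read.All and Device.ReadWrite.All, and a placeholder UPN for a common area phone account. The delete is left commented out so the script is a dry run by default.

```powershell
# Added example (not from the thread). Shows the per-user device quota and finds
# duplicate device registrations for one phone account.
Connect-MgGraph -Scopes "Policy.Read.All", "Directory.Read.All", "Device.ReadWrite.All"

$policy = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/beta/policies/deviceRegistrationPolicy"
"Per-user device quota: $($policy.userDeviceQuota)"

$upn = "cap-lobby@contoso.com"   # placeholder: the account the phone signs in with
$user = Get-MgUser -UserId $upn
$registered = Get-MgUserRegisteredDevice -UserId $user.Id -All
"Registered devices for ${upn}: $($registered.Count) of $($policy.userDeviceQuota)"

# The registeredDevices relationship returns directoryObjects; fetch the device records.
$devices = @(foreach ($d in $registered) { Get-MgDevice -DeviceId $d.Id })

# A phone that re-registered shows up more than once under the same display name.
# Keep the most recent sign-in, list the rest as stale.
$devices | Group-Object DisplayName | Where-Object Count -gt 1 | ForEach-Object {
    $_.Group | Sort-Object ApproximateLastSignInDateTime -Descending |
        Select-Object -Skip 1 | ForEach-Object {
            "Stale duplicate: $($_.DisplayName) deviceId=$($_.DeviceId) lastSignIn=$($_.ApproximateLastSignInDateTime)"
            # Uncomment after reviewing the list; this removes the older registration.
            # Remove-MgDevice -DeviceId $_.Id
        }
}
```

Removing a stale registration frees a slot against the quota; it does not sign the phone out, because the phone holds its own, newer registration.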
- jimgrumbles (Copper Contributor): Just chiming in to hopefully get this more visibility. Our organization is considering Teams phone as our next PBX and in the midst of trialing phones I am running into the same issues.
- BrandonJ365 (Brass Contributor): If you have some time to wait, I'd strongly suggest you consider waiting. This space is FAR from mature at this point. Aside from just a few personal and common area phones, we're only deploying Teams conference room phones right now and even ignoring this whole CA/Intune mess, it's still an ongoing rocky road.
We've had numerous issues along the way and continue to. Perhaps the worst issue of all at this point is the phones logging out for whatever reason and not logging themselves back in. I can't say for sure if the issue of logging out is on our end or Microsoft's but it was never an issue on Skype conference room phones. When (not if) something happens that causes the phones to log out, rather than logging themselves back in, they sit at a login screen. We've had several cases where a user will then walk in to a conference room, see the login screen, and log it in as their own personal phone in order to conduct a meeting. Then it will stay that way and be completely useless as a conference phone for anyone else until an administrator can go and log the phone back out and log it back in with the proper conference room account. And it's not that the phone "forgot" the conference room credentials when it logged out. If you catch it before a user does and simply reboot the phone, it will usually log itself back in to its proper account. The catch is, you have no way of ever knowing, without visual inspection, that the phone has even logged itself out. According to Teams admin center, the phone is logged in despite visually seeing the login screen on the phone itself.
We've also seen situations where phones never show up in Teams admin center despite being fully functional and we even have at least one or two right now that show "offline" in Teams admin center despite the phone being online and 100% functional. Even rebooting the phone hasn't made it start showing online again.
Then we've had numerous phones that never get a dial-pad for making outbound calls. When you first provision an account for Teams, enable enterprise voice, and give it a line URI, dial plan and voice routing policy, it can take several hours before a dial-pad will eventually show up for that user. In some cases, it hasn't shown up after days/weeks despite numerous reboots. The "solution" for that one, after having to open a case, seems to be going back and disabling and re-enabling enterprise voice on the account. Then after a few hours, the dial-pad usually eventually shows up. Unfortunately, I have at least one phone that I've done this a couple of times over the past week and it STILL has no dial-pad. I've not opened another case just yet because I'm simply too frustrated right now to do so for another Teams phone issue. And God knows how many of the hundreds of conference room phones deployed globally are actually missing their dial-pad right now. I have no way of knowing until it gets reported. I'm sure there are plenty for us that simply haven't been reported yet since thanks to COVID, our conference rooms aren't being heavily utilized just yet. Perhaps that's the one silver lining for us.
And if all of those things aren't a big enough problem, there's the lack of ability to 100% remotely log a phone in. Recently, Microsoft added the "remote" provisioning feature. Apparently we have a different definition of "remote" though because for it to work, you have to give someone a code to punch in on the screen of the phone before you as the administrator can then go into TAC and provide the credentials you'd like that phone to use. If there was truly an option for 100% remote login capability, then maybe the issue of phones logging out and not logging themselves back in would be a little less troublesome....but again that assumes you even know it's stuck at a login screen despite TAC showing it as being logged in.
And if you're going to do conference room and common area phones, you'll want to search for Jeff Schertz's blog posts about IP Phone Policy as it's not terribly well documented elsewhere. The policy setting is something that currently must be done via PowerShell and set on the account the phone will be logged in to. Along with the "SignInMode" option, you'll also want to look into "hot desking" which is enabled by default with a 2 hour idle timeout. You'll want to either completely disable this feature for common area and conference room accounts or at least set the idle timeout to something more reasonable like 5-15min.
If you're a small shop and can logistically physically "babysit" the phones easily, then maybe you'll be fine. If you're a global shop, best of luck to you. It's been a bit of a nightmare thus far. I've almost gone to the point of reverting the phones to Skype profile mode and just logging them in that way in hopes of greater stability for the time being....and that actually does work. However, then I'm left with hundreds of phones that at some point will have to be all physically touched again (due to lack of 100% remote login capability) to eventually convert them back to Teams native mode. The one touch meeting join experience is definitely nice but we had that with phones in Skype mode before already so that's nothing new just for Teams.
- KruthikaPonnusamy (Microsoft): BrandonJ365, thank you for taking time to add your detailed comment. A few things:
1. For dialpad issues, please create a ticket and IM me the ticket number. I will help follow up with what is going on there. From our support tickets, I don't believe that this is a common occurrence. If it is frequent, this definitely warrants detailed investigations and we will look into it.
2. As long as you are on the latest firmware/app versions, if your phone signs out, you can setup alerts to notify of a device that has signed out. Microsoft Teams Monitoring and Alerting - Microsoft Teams | Microsoft Docs.
3. You are right that we require a verification code to be entered on the device for provisioning. This is ONLY for first time deployment of devices and is a security requirement. Once this is done, all authentication can be done remotely. So, if previously signed in devices sign out, you can remotely sign in from TAC.
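The IP phone policy settings BrandonJ365 points to above (SignInMode, and hot desking with its default 2 hour idle timeout) are set per account with the MicrosoftTeams PowerShell module. This is an added example, not code from the thread or from the blog posts it references. It assumes the MicrosoftTeams module is installed, the policy names are placeholders, and the two UPNs are placeholder common area and conference room accounts; it changes no settings beyond the ones named.

```powershell
# Added example (not from the thread). One policy per phone type, then granted to the
# account each phone signs in with.
Connect-MicrosoftTeams

# Common area phones: common-area sign-in mode, hot desking off, so a walk-up user
# cannot claim the phone as their own.
if (-not (Get-CsTeamsIPPhonePolicy -Identity "CommonAreaPhone" -ErrorAction SilentlyContinue)) {
    New-CsTeamsIPPhonePolicy -Identity "CommonAreaPhone" `
        -SignInMode CommonAreaPhoneSignIn -AllowHotDesking $false
}

# Conference room phones: meeting sign-in mode; hot desking kept but the idle timeout
# cut from the 120 minute default to 10 minutes so the room account comes back quickly.
if (-not (Get-CsTeamsIPPhonePolicy -Identity "ConferenceRoomPhone" -ErrorAction SilentlyContinue)) {
    New-CsTeamsIPPhonePolicy -Identity "ConferenceRoomPhone" `
        -SignInMode MeetingSignIn -AllowHotDesking $true -HotDeskingIdleTimeoutInMinutes 10
}

# Placeholder accounts; replace with the resource/CAP accounts the phones use.
$accounts = @{
    "cap-lobby@contoso.com"      = "CommonAreaPhone"
    "room-boardroom@contoso.com" = "ConferenceRoomPhone"
}
foreach ($upn in $accounts.Keys) {
    Grant-CsTeamsIPPhonePolicy -Identity $upn -PolicyName $accounts[$upn]
}

# Verify the effective policy on each account; the phone picks it up on next sign-in.
foreach ($upn in $accounts.Keys) {
    Get-CsOnlineUser -Identity $upn | Select-Object UserPrincipalName, TeamsIPPhonePolicy
}
```

Policy changes take effect the next time the phone signs in, so after granting the policy sign the phone out and back in (or reboot it) rather than waiting for it to refresh.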
- Ruslan_Bakharev (Brass Contributor): Today I've tested new FW from Yealink T55(T58A,T56A)-58.15.0.131.rom
Unfortunately the same behavior.
So still pushing MS to continue issue resolution.
- jangliss (Iron Contributor): I've had sporadic success with doing a factory reset after or before doing a firmware update. Not sure if the local cache is keeping some data that might be the cause or not. If I remember correctly, you can hold the * and # keys when you plug the power in to clear the Teams cache on Yealink devices.
I just did an MP56 and a T56a, both having been factory reset before (mostly because I was an idiot and signed into the wrong phone admin interface), and both successfully logged in after coming back up. I've got more testing to do (login to another tenant without ADFS, etc.) to see if I can break it again.
- Ruslan_Bakharev (Brass Contributor): Hi guys,
We've faced the same issue with T55/T56/MP56/CP960 Yealink Phones.
And I'm pretty sure that it's related to the 1449/1.0.94.2021022403
The simplest test with them >> upgrade firmware to the latest one to get 1449/1.0.94.2021022403 on it and then downgrade FW to the previous version.
Teams Version will remain the same after downgrade until you make factory reset.
So even with downgraded FW it causes the same issue.
Once you roll back to previous Teams Version by factory reset >> it will work ok.
Didn't yet test CCX phones with the latest Teams version but suspect the same issue.
- Jeroen Dijkman (Brass Contributor):
We have done the same procedure as described by Ruslan_Bakharev and came to the same conclusion. As soon as you upgrade the Teams app to 1449/1.0.94.2021022403 or 1449/1.0.94.2021033002 the logon loop issue occurs.
We have created a ticket with Microsoft and gave them all the usual stuff, logs, software version and even a video of the re-created issue. No useful reaction from MS yet.
Additional test:
-Using a cloud only account the issue does not occur. (So it seems linked to hybrid setup)
-Using a hybrid account and enroll the device into Intune, the issue does not occur. (Not clear why)
- Ruslan_Bakharev (Brass Contributor): Well I've faced the same issue with an Intune managed device.
So for me both test phone account (without conditional access) and my personal one with Intune provisioned looked quite similar.
Overall I've noted in my env 3 different scenarios:
1) Device freezes during connection/registration stage
2) Device drops you to the main screen after some period of time during registration stage
3) Device drops you to the main screen after you provision it with account. It works just for couple of minutes and then nothing.
At the same time looking into Azure logs you don't see any blockage.
And even stranger, in case of scenario 3 Azure removes the device completely from AAD.
I've opened a ticket with MS just recently as well providing logs and video showing the issue 🙂
Hope it will help at least to investigate it faster.
Same like BrandonJ365 I had to defer the phones auto update by 90 days in order to avoid impact on sites.
- jonasb120 (Copper Contributor): Hi, did you find a fix for this? We have the same issue.
- Jacob_B (Copper Contributor): This ended up being an issue with a DNS server for my phone, but Microsoft and Yealink did not find it.
- Jeroen Dijkman (Brass Contributor): Hi All,
An update on our side. We are using Intune and when we allowed the device to be enrolled when the user signs in the issue does not happen.
Not sure why but it seems stable.
- _tricks (Copper Contributor): Jeroen, can you give additional details on what you had to do to fix it?
We use ADFS with synced accounts to AAD. When I update a phone to the latest version, it seems ok at first but if the user logs out of that phone, they are unable to log back in. Almost like a login loop. It prompts the user for MFA and it almost looks like it is going to log in but then it goes back to the original start page where it displays the login code. This happens on or off the internal network. I did create a test@company.onmicrosoft.com and it seems to work fine.
Rolling back to older firmware like 6.0.X on Poly CCX phones, user is able to log in again.
- Jeroen Dijkman (Brass Contributor): Hi All,
We are experiencing the exact same issue described here using Yealink T55A IP phones off network. We have opened a case with our Teams telecom provider. Will update here if we receive any news.