MCAS [Activity Policy] Log on from an outdated browser - current Teams client triggers alert

Copper Contributor

TLDR: Microsoft Teams client triggers 'Log on from an outdated browser' alert policy :sad:

 

After enabling the MCAS - Activity Policy - 'Log on from an outdated browser' our current up-to-date desktop Teams client triggers the alert. I spent quite some time with the user discussing their configuration and thankfully a colleague correlated the 'Sign-in Logs' from the AAD blade and we could see the below 'User Agent's from the same workstation:

  • Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Teams/1.4.00.22472 Chrome/85.0.4183.121 Electron/10.4.3 Safari/537.36
  • Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36

The latest production release of Teams is 'Teams/1.4.00.22472' and it is evidently running Chrome/85.0.4183.121 (Chromium) in the back end which is flagged in the 'User agent tags' of the alert as 'Outdated browser'.

 

The default template should exempt this use case.

 

Knowing the above I've attempted to add an additional filter 'User Agent String' and 'does not contain' 'Teams' - this has no affect on the results leaving me with the suspicion that the full user agent string as above is not passed through. If this is the case then why is it an available filter?

 

It would be great to see this addressed or advice on what I've missed to get this working.

 

Thanks

2 Replies
It looks like you may have found a tag that needs updated. Would you please be so kind as to open a support case, so that we can track it to resolution for you and the rest of us here, too. Thanks. 😉
I'm getting a lot of alerts for this scenario. I wrote a KQL query in sentinel which correlates the incident entities with Azure AD sign in logs and return incidents which contains "teams" in user-agent.(I think with sentinel playbooks, we can close this automatically). Is there any solution for this in MCAS itself?