Microsoft Tech Community

Weird Teams Conditional Access problem


Hi all,

I have a customer who has a restriction that only certain people are allowed access to Teams (and dependent 365 services) outside of the office locations on mobile devices.

This would normally be a straightforward rule: exclude the 'Office 365' group from a block policy for the group, and create an affirmative policy requiring MFA for the 'Office 365' group of apps.

 

For some reason Teams isn't matching in the policy set for either the exclusion or the target policy.

 

In the conditional access logs it references an application called "Microsoft Teams Services" as the sign-in; this isn't something that can be selected for a Conditional Access policy to apply to. The CA logs also mention that Teams needed access to "M365 Tenant Feedback", although I suspect that's a red herring.

 

Has anyone else come across issues with excluding Teams (as part of the 'Office 365' group or independently) from an 'all applications' block policy? Or in targeting Teams in a policy to 'require MFA' or other session control?

 

The user is accessing from an iOS device using the Teams app.

4 Replies

@Peter Holland We are having the same issue in our tenant. It started a couple of weeks ago, only on iOS devices. We are using the Office 365 apps exclusion in one of our BYOD CA rules and we are also noticing M365 Tenant Feedback in the logs when the connection is blocked, but it shouldn't be, because the Teams application should be excluded from the CA rule.

I've asked one of our engineers to raise a ticket with Microsoft on this.

@Peter Holland Hey mate, did you get any response from Microsoft or a workaround? We're having the same issue but Microsoft is just ignoring our tickets.

Looks like it's working now for our customer. It seems a Teams iOS client update has potentially resolved the issue and it's no longer calling "M365 Tenant Feedback" during sign-in.
It is now blocking it from accessing Teams Shifts, which thankfully they aren't using, as support say there's no way to fix that.
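
To see which resource a blocked Teams sign-in was actually evaluated against, as discussed in this thread, sign-in log entries can be grouped by app, resource and the policy that returned a failure. This is an added example, not part of the original posts; it assumes sign-ins exported as JSON in the Microsoft Graph `signIn` shape, and the sample records, users and policy name are constructed.

```python
from collections import defaultdict

BLOCK_POLICY = "Block outside office (hypothetical policy name)"

def _rec(user, app, resource, os_name, block_result):
    """Build one constructed record using Microsoft Graph signIn field names."""
    return {
        "userPrincipalName": user,
        "appDisplayName": app,
        "resourceDisplayName": resource,
        "deviceDetail": {"operatingSystem": os_name},
        "appliedConditionalAccessPolicies": [
            {"displayName": BLOCK_POLICY, "result": block_result},
        ],
    }

# Constructed sample data. The app and resource names on the first rows are
# the ones quoted in the thread; everything else is illustrative.
SAMPLE = [
    _rec("a@example.com", "Microsoft Teams Services", "M365 Tenant Feedback", "iOS", "failure"),
    _rec("b@example.com", "Microsoft Teams Services", "M365 Tenant Feedback", "iOS", "failure"),
    _rec("a@example.com", "Microsoft Teams Services", "Example resource (constructed)", "iOS", "notApplied"),
    _rec("c@example.com", "Microsoft Teams Services", "M365 Tenant Feedback", "Windows", "failure"),
]

def block_summary(signins, os_name=None):
    """Count sign-ins per (app, resource, policy) where a CA policy failed.

    A result of 'failure' on an applied policy means its controls were not
    satisfied (for a block policy, the sign-in was blocked). Grouping by
    resource shows whether the block comes from a dependent service rather
    than from the app the exclusion was written for.
    """
    counts = defaultdict(int)
    for s in signins:
        os_seen = ((s.get("deviceDetail") or {}).get("operatingSystem") or "").lower()
        if os_name and not os_seen.startswith(os_name.lower()):
            continue
        for p in s.get("appliedConditionalAccessPolicies") or []:
            if p.get("result") == "failure":
                key = (s.get("appDisplayName"), s.get("resourceDisplayName"), p.get("displayName"))
                counts[key] += 1
    return dict(counts)

if __name__ == "__main__":
    for key, n in sorted(block_summary(SAMPLE, "iOS").items()):
        print(n, *key, sep=" | ")
```
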