Teams macOS app now supports Azure AD conditional access
Dear admins who manage Teams access for employees,
We have been constantly hearing feedback from you about support for conditional access on macOS clients. With the latest announcement from Azure Active Directory (Azure AD) and Intune on support for conditional access, the Teams team also decided to join the party!
We’re pleased to announce that our macOS app (beginning with v1.0.00.28451; it should always auto-upgrade to the latest version, of course) is fully integrated with the latest ADAL (Azure AD Authentication Library) and provides support for Azure AD conditional access policies on the macOS platform. With this milestone, Microsoft Teams finishes adding support for conditional access for all the supported platforms.
So, with this release you can do all of this:
Enroll and manage macOS devices using Intune
Ensure that macOS devices adhere to your organization’s compliance policies
Restrict access to Teams to only compliant macOS devices by using the Teams Cloud App in the conditional access policy-creation workflow
Before we go any further into conditional access, here’s a quick refresher from my previous blog post:
Teams also honors Azure AD conditional access policies set up for Exchange Online and SharePoint Online on its browser, desktop, and mobile apps. This is because Teams as an app depends heavily on accessing resources controlled by these services (such as Calendar through Exchange Online or Files/Recent documents using SharePoint Online). Conditional access policies provide IT admins secure control over access through Office or third-party client apps to any of the deployed services within Office 365.
Conditional access policies include controls for:
Requiring multifactor authentication
Requiring compliant or domain-joined devices
Using IP addresses or user location to block access to a service
Targeting specific user cohorts within your company
Targeting specific Microsoft apps
Moving back into the world of macOS…
To create a targeted conditional access policy for Teams for the macOS platform, sign in to the Azure portal. Navigate to conditional access under the Azure AD service and create a policy. Please be sure to target the Microsoft Teams cloud app in the Select Cloud apps step and select the macOS device platform in the Device platforms option of the Conditions step.
Note: Conditional access policies set up for Exchange Online and SharePoint Online will continue to affect the Teams app at sign-in; that is not changing with this release. This is because a lot of key functionality in Teams depends on Exchange Online and SharePoint Online, and Teams does not want to create a potential attack surface where these services are exposed.
After you create these policies, macOS users targeted by the policy can access Microsoft Teams through the macOS app only if their devices meet the conditions you specified in the policy. For additional information, please see how to create conditional access policies in the Azure documentation.
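To check which policies actually reach a Teams sign-in from macOS, including the Exchange Online and SharePoint Online policies mentioned in the note above, here is an added example (not part of the original post and not Microsoft code). It assumes policies exported as JSON with the field names of the Microsoft Graph conditionalAccessPolicy resource; the app IDs, function names and sample policies are assumptions made for illustration.

```python
# Added example: which conditional access policies reach a Teams sign-in
# from macOS. Models only the cloud-app and device-platform conditions.
# Assumed first-party app IDs; confirm them in your own tenant.
TEAMS = "cc15fd57-2c6c-4117-a88c-83b1d56b4bbe"
EXCHANGE_ONLINE = "00000002-0000-0ff1-ce00-000000000000"
SHAREPOINT_ONLINE = "00000003-0000-0ff1-ce00-000000000000"
# Teams sign-in also honours policies on the services it depends on.
SIGNIN_APPS = {TEAMS, EXCHANGE_ONLINE, SHAREPOINT_ONLINE}

def applies_to_teams_on_macos(policy):
    if policy.get("state") != "enabled":
        return False
    cond = policy.get("conditions") or {}
    apps = cond.get("applications") or {}
    included = set(apps.get("includeApplications") or [])
    excluded = set(apps.get("excludeApplications") or [])
    if "All" in included:
        included = SIGNIN_APPS
    if not (included & SIGNIN_APPS) - excluded:
        return False
    platforms = cond.get("platforms")
    if not platforms:  # no platform condition means every platform
        return True
    inc = {p.lower() for p in platforms.get("includePlatforms") or []}
    exc = {p.lower() for p in platforms.get("excludePlatforms") or []}
    return bool(inc & {"all", "macos"}) and "macos" not in exc

def controls_for_teams_on_macos(policies):
    """Return {policy name: grant controls} for each applicable policy."""
    return {p["displayName"]: sorted((p.get("grantControls") or {})
                                     .get("builtInControls") or [])
            for p in policies if applies_to_teams_on_macos(p)}

# Constructed sample policies, not exported from a real tenant.
SAMPLE_POLICIES = [
    {"displayName": "Teams macOS compliant", "state": "enabled",
     "conditions": {"applications": {"includeApplications": [TEAMS]},
                    "platforms": {"includePlatforms": ["macOS"]}},
     "grantControls": {"builtInControls": ["compliantDevice"]}},
    {"displayName": "Exchange MFA", "state": "enabled",
     "conditions": {"applications": {"includeApplications": [EXCHANGE_ONLINE]}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Teams Windows only", "state": "enabled",
     "conditions": {"applications": {"includeApplications": [TEAMS]},
                    "platforms": {"includePlatforms": ["windows"]}},
     "grantControls": {"builtInControls": ["domainJoinedDevice"]}},
]

if __name__ == "__main__":
    print(controls_for_teams_on_macos(SAMPLE_POLICIES))
```

User, location and client-app conditions are not modelled, so treat the result as the set of policies that could apply, not a full sign-in evaluation.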
Thanks for reading, and stay tuned for more updates on our Information Protection roadmap. Please try the feature, and feel free to post questions and/or feedback about this feature through the Teams UserVoice forum.