[UPDATE 29/09] We have identified that the Teams desktop client puts a Teams entry in the user-agent string and use a specific Chrome version that is different to the Chrome the users have so we are using this to block traffic to teams.microsoft.com and seems to working so far. Not all traffic has the user-agent though i.e. video. Initially we blocked teams.microsoft.com except user-agent Teams* but this blocked video. Does anyone have detail on Teams video traffic so we can investigate further options?
-------------------------------------------------------------------------------------------------
Is there a way to identify traffic from Teams web client, distinct from Teams desktop client so we can use proxy config to block Teams web client whilst allowing Teams desktop client?
The reasons for this specific ask and consideration of other options are below:
we are deploying Microsoft 365 in an environment for which a new tenant (tenant A) has been set up.
The environment has on-prem Win 10 devices managed via SCCM and the devices currently don't have Teams or Outlook desktop clients installed.
The environment is locked down with access to teams.microsoft.com currently blocked using proxy config to prevent users getting to Teams via the browser (and users don't even have the desktop client, which this would also block).
Users currently have access to email on the parent company's tenant (tenant B), using their separate parent company creds signing into outlook for the web in the browser. This is the extent of their use of M365 cloud services - Outlook on the Web to parent company tenant.
As part of rolling out Teams, the Teams client is being deployed and the proxy block of teams.microsoft.com is being removed.
RestrictTeamsSignInToAccountsFromTenantList registry setting is implemented so users can only sign-in to tenant A from Teams desktop client.
sign-in to tenant B Teams or indeed any tenant is possible via the web client however and there is a requirement to block this so the users can't use the Teams web client.
We can't use tenant restrictions i.e. Restrict-Access-To-Tenants header in proxy to tenant A (https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/tenant-restrictions) as the users need to be able to get to parent company tenant B for email
We can't configure tenant B e.g. Conditional access to block Teams for a group as the global team who manage tenant B don't engage for these type of point solutions - to keep their tenant maintainable.
Due to the above constraints we think identifying some specific urls in proxy might be our best route but open to other suggestions on how to to block Teams web client whilst allowing Teams desktop client.
