Conditional Access control MFA and MS Teams


Hi,

We control our MFA for users via Control Access. One policy is for External Device and Non-Compliant Device (in the conditions, Hybrid Join and Compliant are excluded). This is so that if anyone (even an account on the tenant) uses an 'unknown' device they will be prompted for MFA, which has a sign frequency of 12 hours.

The problem (not really a problem in my eyes): the users have asked for MFA only to appear during setup of the device for Outlook and Teams.

I excluded Outlook from the first policy and created the same policy to only include Outlook and removed the sign frequency of 12 hours. This worked for Outlook; I got the MFA when adding the account to Outlook.

Then I added Teams to the second policy and excluded it from the first. I set up Teams and got the MFA prompt as expected, but I got the prompt for MFA for Teams the next day, but not Outlook. I did the same with Skype for Business (as I have with Outlook and Teams), included and excluded for the policy; the following days I still got the MFA prompt for Teams.

I know Teams uses different services within MS365; would I also need to exclude SharePoint? So I really don't know what to do.

2 Replies

@Deleted

CA is in a bit of a transitional phase with M365 apps I feel. There is now the Office 365 (Preview) and also Teams available, but the issue you may find is that if you have SharePoint Online and Exchange Online selected in a CA policy, then as a consequence you will also be affecting Teams as shown below.

[Image: Screenshot 2020-06-02 at 17.51.55.png]

May be worth opening a ticket to see what they recommend here.
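Added example, not part of either post and not Microsoft's evaluation logic: a simplified Python model of the dependency effect described in the reply above, showing which policy still reaches Teams through a service it depends on. The policy names, the assumption that the first policy targets all cloud apps, and the resource map are constructed for illustration.

```python
# Simplified model of Conditional Access app targeting (constructed, not tenant data).
ALL = "All cloud apps"

# Assumption taken from the reply: the Teams client also needs tokens for
# Exchange Online and SharePoint Online, so policies on those reach Teams.
RESOURCES_USED = {
    "Outlook": {"Exchange Online"},
    "Teams": {"Microsoft Teams", "Exchange Online", "SharePoint Online"},
}

def make_policies(policy1_excluded):
    """The two policies described in the question, with hypothetical names."""
    setup_only = {"Exchange Online", "Microsoft Teams", "Skype for Business Online"}
    return [
        {"name": "MFA-12h", "include": {ALL}, "exclude": set(policy1_excluded),
         "sign_in_frequency_hours": 12},
        {"name": "MFA-setup-only", "include": setup_only, "exclude": set(),
         "sign_in_frequency_hours": None},
    ]

def targets(policy, resource):
    """Exclusions win over inclusions; ALL matches any resource."""
    if resource in policy["exclude"]:
        return False
    return ALL in policy["include"] or resource in policy["include"]

def policies_reaching(client, policies):
    """Map policy name -> sorted resources through which it reaches the client."""
    hits = {}
    for p in policies:
        via = sorted(r for r in RESOURCES_USED[client] if targets(p, r))
        if via:
            hits[p["name"]] = via
    return hits

def reprompt_hours(client, policies):
    """Shortest sign-in frequency among policies reaching the client, or None."""
    by_name = {p["name"]: p for p in policies}
    freqs = [by_name[n]["sign_in_frequency_hours"]
             for n in policies_reaching(client, policies)]
    freqs = [f for f in freqs if f is not None]
    return min(freqs) if freqs else None

# Exclusions as described in the question: Outlook, Teams, Skype for Business.
as_posted = make_policies(
    {"Exchange Online", "Microsoft Teams", "Skype for Business Online"})

if __name__ == "__main__":
    print(policies_reaching("Teams", as_posted))
    print(reprompt_hours("Teams", as_posted), reprompt_hours("Outlook", as_posted))
```

In this model the 12-hour policy no longer names Teams directly but still applies to it through SharePoint Online, while Outlook only touches the excluded Exchange Online resource.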


Thanks, I thought as much; thought I'd check first though, to see if anyone knew different, if that makes sense.