MFA/Azure AD Joined - Issues with Teams?

%3CLINGO-SUB%20id%3D%22lingo-sub-700011%22%20slang%3D%22en-US%22%3EMFA%2FAzure%20AD%20Joined%20-%20Issues%20with%20Teams%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-700011%22%20slang%3D%22en-US%22%3E%3CP%3EUsing%20my%20account%20as%20an%20example%2C%20I%20have%20a%20Windows%2010%20desktop%20and%20laptop.%20The%20desktop%20is%20Azure%20AD%20registered%20and%20the%20laptop%20is%20Azure%20AD%20joined.%20I%20have%20MFA%20enabled%20for%20my%20account.%20When%20I%20sign%20into%20Microsoft%20Teams%20or%20any%20other%20Microsoft%20application%20(SfB%20%2C%20Outlook%20etc)%20on%20my%20Desktop%2C%20I%20don%E2%80%99t%20have%20to%20verify%20my%20login%20via%20MFA%20until%20the%2090-day%20token%20expires.%20When%20I%20sign%20into%20the%20same%20applications%20on%20my%20laptop%20I%20experience%20the%20same%20except%20for%20Microsoft%20Teams.%20Each%20time%20I%20log%20into%20Microsoft%20Teams%20I%20am%20prompted%20to%20Approve%20the%20sign-request.%3C%2FP%3E%3CP%3EDoes%20anyone%20know%20why%20Microsoft%20Teams%20behaves%20differently%20from%20other%20Microsoft%20applications%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-700011%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAdministrator%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-700069%22%20slang%3D%22en-US%22%3ERe%3A%20MFA%2FAzure%20AD%20Joined%20-%20Issues%20with%20Teams%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-700069%22%20slang%3D%22en-US%22%3ESeems%20to%20be%20some%20issue%20with%20modern%20authentication%20on%20that%20machine%3CBR%20%2F%3E%3CBR%20%2F%3E%2C%20I%20mention%20you%20again%20here%20to%20keep%20you%20busy%20%3A)%3C%2Fimg%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-700070%22%20slang%3D%22en-US%22%3ERe%3A%20MFA%2FAzure%20AD%20Joined%20-%20Issues%20with%20Teams%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-700070%22%20slang%3D%22en-US%22%3EMy%20first%20thought%20but%20it's%20supposed%20to%20default%20to%20it%20now%20I%20think%2C%20or%20maybe%20it%20hasn't%20yet.%20Are%20you%20signing%20out%20on%20purpose%3F%20Cause%20when%20you%20sign%20out%20of%20Teams%20it%20switches%20it%20over%20to%20non%20modern%20auth%20ditches%20token%20etc.%20which%20is%20probably%20why%20it%20is%20prompting%20on%20a%20non%20Azure%20Joined%20machine%20since%20your%20machine%20can't%20be%202nd%20factor%20like%20the%20Joined%20machine%20can.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-714096%22%20slang%3D%22en-US%22%3ERe%3A%20MFA%2FAzure%20AD%20Joined%20-%20Issues%20with%20Teams%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-714096%22%20slang%3D%22en-US%22%3E%3CP%3EYes%2C%20I%20am%20signing%20out%2C%20which%20I%20assume%20must%20be%20ditching%20the%20token%20as%20you%20suggest.%26nbsp%3B%20However%2C%20I%20only%20experience%20this%20behaviour%20on%20the%20Azure%20joined%20device%3F%26nbsp%3B%20My%20AD%20registered%20device%20never%20appears%20to%20ditch%20the%20token%20and%20I%20am%20never%20prompted%20if%20I%20sign%20out%2C%20which%20is%20odd%2C%20I%20would%20expect%20it%20to%20be%20the%20other%20way%20round%3F%26nbsp%3B%20My%20user%20documentation%20will%20need%20updating%20to%20reflect%20this%2C%20we%20are%20in%20the%20process%20of%20rolling%20out%20teams%20to%20our%20users.%26nbsp%3B%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F869%22%20target%3D%22_blank%22%3E%40Chris%20Webb%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Contributor

Using my account as an example, I have a Windows 10 desktop and laptop. The desktop is Azure AD registered and the laptop is Azure AD joined. I have MFA enabled for my account. When I sign into Microsoft Teams or any other Microsoft application (SfB , Outlook etc) on my Desktop, I don’t have to verify my login via MFA until the 90-day token expires. When I sign into the same applications on my laptop I experience the same except for Microsoft Teams. Each time I log into Microsoft Teams I am prompted to Approve the sign-request.

Does anyone know why Microsoft Teams behaves differently from other Microsoft applications?

3 Replies
Highlighted
Seems to be some issue with modern authentication on that machine

@Chris Webb , I mention you again here to keep you busy :)
Highlighted
My first thought but it's supposed to default to it now I think, or maybe it hasn't yet. Are you signing out on purpose? Cause when you sign out of Teams it switches it over to non modern auth ditches token etc. which is probably why it is prompting on a non Azure Joined machine since your machine can't be 2nd factor like the Joined machine can.
Highlighted

Yes, I am signing out, which I assume must be ditching the token as you suggest.  However, I only experience this behaviour on the Azure joined device?  My AD registered device never appears to ditch the token and I am never prompted if I sign out, which is odd, I would expect it to be the other way round?  My user documentation will need updating to reflect this, we are in the process of rolling out teams to our users.  @Chris Webb