SOLVED

Teams Phone devices refuse login with 1449/1.0.94.2021033002 firmware and ADFS


Has anybody using ADFS with Teams noticed an issue with the last two firmware updates when performing logins off-network?

I have a customer running Yealink MP56 phones, and with the latest firmware 122.15.0.36 running Teams App 1449/1.0.94.2021022403 or 1449/1.0.94.2021033002 they can no longer log in using either the device login code or typing user/pass. The login seems to get stuck in a loop between device registration and preparing the device.

I suspect this is partially to do with the ADFS configuration not using UPN for authentication, but this wasn't an issue prior to 1449/1.0.94.2021022403.

82 Replies

@BrandonJ365 So that's the clearest it has been explained so far, thank you.... But...

My tenant, the one that is working, has CA requiring MFA for new devices, and every 30 days. I don't use ADFS/Duo/etc. Some of the customers that are seeing the issue do not have CA, but the common thread is that they are using ADFS/Duo/etc. Basically the issue is occurring inverse to what you said should be happening. I should have to put the device policies in place in my tenant because I have CA MFAs, whereas my customers shouldn't have to, unless they also have CA.

My understanding as well, the CA in Intune is the same as in Azure AD. CA applies across the board, and that CA is actually licensed under Azure AD Premium (P1/P2), not Intune.


Maybe I'm missing something?

@jangliss @BrandonJ365 @Kruthika Ponnusamy

So can anyone actually say they have this working correctly and be confident with the system, as I'm pulling my hair out with this now.

If a user signs in with a CAP license all is fine. It's up to the point someone signs in with a higher license which includes Intune. The device tries to register into Endpoint but fails. At this point the phone is rendered a paperweight; no one, either with or without an Intune license, can sign in. Either it fails and loops round or signs in as "Unknown User".

We only have one CA for MFA. I've added the enrolment restriction mentioned in the fix for this forum.

Ideally I want any user, CAP or higher, to be able to sign in with no issues and the device not to enrol into Intune. Is this even possible now, as the public MS information is very conflicting? We had no issues up until this update.

Can @Kruthika Ponnusamy provide a list of everything that's needed to be in place? This would make life a lot easier for all.

Thanks

Not sure why you would let a user sign in with a CAP license. We have created dedicated accounts for the Common Area Phones. To prevent the logon issue happening we are using AAD (cloud only) accounts for the CAP devices. This also takes away the need to enroll into Intune, at least in our case.

If you want the device to enroll into Intune you need to enable the Android Device Administrator option for personal or corporate devices. We are using the corporate device option here, which then has the requirement to register the phone's serial number as a corporate identifier in Intune. We are using this scenario for normal User phones and our users have the full Intune license.

Both setups work fine for us. But you are right that Microsoft needs to come up with clear documentation on this topic. We also still have an open ticket with them on this topic.

Regards,

We have a mix. Some phones will sign in as a CAP user and that will be it for the rest of the phone's life. However, in some of our areas these will get signed out and a normal user will sign in. Once this happens it renders the phone useless.

Hi, yes this is behavior I have seen before. When we re-use a CAP phone to be used as a normal User phone we perform a factory reset first.
This should prevent the issue you are describing.

We have recently published tenant admin documentation. The questions you are asking are addressed in either of these 2 links.


https://docs.microsoft.com/en-us/microsoftteams/devices/phones-displays-deploy
https://docs.microsoft.com/en-us/microsoftteams/itadmin-readiness#teams-android-devices

At a high level:
1. If you have (Intune license + device management policies set up for the account used to sign into the Teams phone), there are certain requirements you have to meet w.r.t. endpoint management. This is covered in the links above.
2. If you don't have an Intune license, make sure that Intune CA policies are disabled for the account.
3. If you have a CAP license, the Intune license is an add-on. See #2 above.
4. Device management via Teams Admin Center does not provide endpoint management.

Interesting how the discussion came to a different flow.

In my Microsoft ticket the engineer confirmed a bug regarding the behavior when the device is freezing/logging out etc. with the new Teams agent.
And new firmware should be released, at least for Yealink devices.
Hope it will be the same for Polycom.

Regarding CAP license I don't really get the point.
You don't need to use Intune enrollment for it.
CAP licensed account can normally login via "sign-in from another device" or if you setup some CA policy like IP based access you can access via user/password from the phone.
I don't see any real reason to add Intune license for such accounts.

And it is better to use the same approach for Audio Conference devices (with Meeting Room licenses), because Intune is buggy and devices sometimes freeze.
I'm not even talking about the incidents when an Intune degradation caused almost 150+ phones in my company to become unusable (user phones as well).

For user phones it's quite clear. You cannot login user without proper CA and Intune policy combination.

Anyway, we will wait for a fix from Microsoft.

Very interesting. I've been "screaming" about logout issues for a long time now and have yet to be given any indication that anyone else has had those issues, any code fixes, or anything! I have been told that we aren't the only ones with the new InTune enrolled devices NOT checking in daily like they should. I tend to believe this is related to the logout issues but can't say for sure.

Same for us. I still have an open ticket with MS and they keep asking me to reproduce the issue and send logs. But no confirmation the issue is on their Teams client. So it is good that finally someone within MS is acknowledging this.

For the User devices we do use the Intune enrollment with Device Administrator which prevents (at least for us) the logon loop issue. We have not seen any issues on the phones coming from Intune management so don't really understand what happened in your case.

For CAP's we are using AAD accounts bypassing the ADFS authentication and the need to add an Intune license. This works well for us. (So far)

But it is interesting to see if the new Teams client for Yealink devices will remediate the need to enroll devices into Intune, because I agree that for the IP phones there is no real added value to have them enrolled. The TAC management is fine for us.

@BrandonJ365

It's funny you mention logout issues, because that's come up with a couple of my customers recently too since these firmware updates. I suspect it's tied to Intune as well. An issue discussed on a Poly partner call yesterday was the same device registering multiple times under a single account, causing the account to run into the max device limitations; we've seen that with a few customers as well.

We've been testing the registration exception with a number of folks to see the impact.

So a new firmware version just showed up this morning for our C60s....v7.0.3.0517. I can't find much detail about what it should fix (or break). I did find this but doesn't say much:
https://support2.polycom.com/content/dam/polycom-support/products/voice/realpresence-trio/release-no...

What about companies who do not use Intune or do not want to use Intune for the IP phone management? Is there a solution that Microsoft can offer for these use cases?
I like to compare it to the Teams Meeting Room Devices where you have no need for Intune enrollment.

@jangliss

What is this registration exception you mentioned? I'm testing out six different Yealink phones and have hit the InTune device limit by logging on and off the same devices too many times. I'm assuming if a user were to log in and out of their desk phone more than 15 times they will hit the limit?

Agreed. InTune seems to just foul things up. Even with devices added with a corporate identifier InTune feels the need to intervene and declare the device as new and count it towards a user's device limit that can't be raised beyond 15.

@jangliss Super surprised this hasn't been answered yet, but the simplest resolution I've found for this is the following:

In Endpoint Manager, Navigate to Devices/Enroll Devices/Enrollment Restrictions/Device type restrictions, make sure the Android Enterprise and Android DA are set to allow but leave personally owned set to blocked (or whatever choice is desired here).

Then navigate to Devices/Enroll Devices/Corporate device identifiers, here you will want to add the serial number (not mac) of the devices being used.

Unfortunately, M$ has not provided a way for Intune to differentiate IP phones from "personally owned" devices (or provided an actual administration console for them). However, shout out to Eric O for pointing me in this direction. It took a lot of hours to figure it out, but by adding the corporate ID, these devices bypass any enrollment restrictions imposed on personal devices. Ultimately, I would still suggest the CA policies for the individual model of phone in AAD to reduce the number of "false positives" for compliance issues in Intune, but if you're not using it to manage other devices, this isn't a necessary step.

IMO, the InTune team should figure out a way to mark all of the certified Teams phones as corporate by default; it should be pretty easy by manufacturer/model. I'm pretty sure no one has bought one of them for personal use.
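The corporate device identifier step above, scripted as an added example (not code from this thread or from Microsoft): it bulk-adds phone serial numbers as Intune corporate device identifiers through the Microsoft Graph beta `importedDeviceIdentities` endpoint and skips serials that are already registered, so re-running it is safe. The Microsoft.Graph PowerShell SDK, the `DeviceManagementServiceConfig.ReadWrite.All` scope, the CSV layout and the placeholder serials are assumptions.

```powershell
# Added example: register Teams phone serial numbers as Intune corporate device
# identifiers via Microsoft Graph (beta), so the phones bypass the "personally owned"
# Android enrollment restriction discussed in the thread.
# Assumptions: Microsoft.Graph.Authentication module installed; the signed-in admin holds
# DeviceManagementServiceConfig.ReadWrite.All; CSV columns are SerialNumber,Description.
#Requires -Modules Microsoft.Graph.Authentication
param([string] $CsvPath)

Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.ReadWrite.All' -NoWelcome
$base = 'https://graph.microsoft.com/beta/deviceManagement/importedDeviceIdentities'

# Constructed sample rows (placeholder serials) used when no CSV path is supplied.
$rows = if ($CsvPath) { Import-Csv -Path $CsvPath } else {
@'
SerialNumber,Description
PLACEHOLDER-SERIAL-0001,Yealink MP56 - reception
PLACEHOLDER-SERIAL-0002,Poly C60 - meeting room 2
'@ | ConvertFrom-Csv
}

# Collect identifiers already registered so re-running the script is idempotent.
$existing = @{}
$uri = $base
do {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri
    foreach ($item in $page.value) { $existing[$item.importedDeviceIdentifier] = $true }
    $uri = $page.'@odata.nextLink'
} while ($uri)

# Intune matches Teams Android phones on serial number, not MAC address.
$toImport = foreach ($row in $rows) {
    $serial = $row.SerialNumber.Trim()
    if (-not $serial -or $existing.ContainsKey($serial)) { continue }
    @{
        importedDeviceIdentifier   = $serial
        importedDeviceIdentityType = 'serialNumber'
        description                = $row.Description
    }
}
if (-not $toImport) { Write-Host 'All serials already registered; nothing to import.'; return }

$body = @{
    overwriteImportedDeviceIdentities = $false   # do not clobber descriptions set by hand
    importedDeviceIdentities          = @($toImport)
} | ConvertTo-Json -Depth 5

$result = Invoke-MgGraphRequest -Method POST -Uri "$base/importDeviceIdentityList" `
    -Body $body -ContentType 'application/json'

# One result per submitted identifier; a false status means the service rejected it.
$result.value | Select-Object importedDeviceIdentifier, status | Format-Table -AutoSize
```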

@kylecombs wrote:
Then navigate to Devices/Enroll Devices/Corporate device identifiers, here you will want to add the serial number (not mac) of the devices being used.

This is a nice way of handling it, versus adding policies to block registrations for all android enterprise devices, which was Microsoft's recommendation.

This solution was already put in this thread by me. The point here is that using Intune is a workaround for the root issue. The logon loop when not using Intune is the real issue here. In fact, when we started with the IP phones in 2020 there was no need to use Intune to connect the IP phones to the Teams Admin Center.
It was after an update of the Teams app that this issue started happening. I have been in a ticket about this issue with Microsoft since May of this year and their statements about the solution have changed a couple of times.
To me Microsoft does not want to admit they caused the issue in the first place. Our company wants to manage the IP phones just like we manage other Teams Devices, by just connecting them to the Teams Admin Center. And not Intune, because that does not give an added value.

By the way, this issue does not occur if you use AAD user accounts for the IP phones....
My ticket with Microsoft will remain open until they fix it.

Well, in your case it at least works.
For us Intune doesn't help at all, as the device is not able to register in it.
It freezes or drops at the registration stage (both Poly and Yealink).
And we've also noted that Android MTRs like Poly Studio or Logi Mini Bar are also affected, as they're most probably using the same kind of Teams Agent.
Using the previous version of firmware solves the issue.
Disappointing situation.
We'll see what happens after the promised fix by Microsoft.

Remove the login from the phones altogether and the product usability will increase 100x. See this idea here and please vote!! https://feedbackportal.microsoft.com/feedback/idea/94d72cd2-af47-ec11-a819-6045bd7bfb94

Thanks for taking this up. I have voted.