Apr 13 2021 08:42 AM
Has anybody who has been using ADFS with Teams noticed an issue with the last two firmware updates when performing logins off-network?
I have a customer running Yealink MP56 phones, and with the latest firmware 122.15.0.36 running Teams App 1449/1.0.94.2021022403 or 1449/1.0.94.2021033002 they can no longer log in using either the device login code or typing user/pass. The login seems to get stuck in a loop between device registration and preparing the device.
I suspect this is partly due to the ADFS configuration not using UPN for authentication, but this wasn't an issue prior to 1449/1.0.94.2021022403.
Jul 20 2021 11:39 AM
@BrandonJ365 So that's the clearest it has been explained so far, thank you.... But...
My tenant, the one that is working, has CA requiring MFA for new devices, and every 30 days. I don't use ADFS/Duo/etc. Some of the customers that are seeing the issue do not have CA, but the common thread is that they are using ADFS/Duo/etc. Basically the issue is occurring the inverse of what you said should be happening. I should have to put the device policies in place in my tenant because I have CA MFAs, whereas my customers shouldn't have to, unless they also have CA.
My understanding as well, the CA in Intune is the same as in Azure AD. CA applies across the board, and that CA is actually licensed under Azure AD Premium (P1/P2), not Intune.
Maybe I'm missing something?
Jul 22 2021 04:03 AM
@jangliss @BrandonJ365 @Kruthika Ponnusamy
So can anyone actually say they have this working correctly and be confident with the system, as I'm pulling my hair out with this now?
If a user signs in with a CAP license all is fine. It's fine up to the point someone signs in with a higher license which includes Intune. The device tries to register into Endpoint but fails. At this point the phone is rendered a paperweight. No one, either with or without an Intune license, can sign in. It either fails and loops round or signs in as "Unknown User".
We only have one CA for MFA. I've added the enrolment restriction mentioned in the fix for this forum.
Ideally I want any user, CAP or higher, to be able to sign in with no issues and the device not to enrol into Intune. Is this even possible now, as the public MS information is very conflicting? I had no issues up until this update.
Can @Kruthika Ponnusamy provide a list of everything that's needed to be in place? This would make life a lot easier for all.
Thanks
Jul 22 2021 04:43 AM - edited Jul 22 2021 04:44 AM
Not sure why you would let a user sign in with a CAP license. We have created dedicated accounts for the Common Area Phones. To prevent the logon issue happening we are using AAD (cloud only) accounts for the CAP devices. This also takes away the need to enroll into Intune, at least in our case.
If you want the device to enroll into Intune you need to enable the Android Device Administrator option for personal or corporate devices. We are using the corporate device option here, which then requires registering the phone's serial number as a corporate identifier in Intune. We are using this scenario for normal user phones, and our users have the full Intune license.
Both setups work fine for us. But you are right that Microsoft needs to come up with clear documentation on this topic. We also still have an open ticket with them on this topic.
Regards,
Jul 28 2021 07:17 AM
It's funny you mention logout issues, because that's come up with a couple of my customers recently too since these firmware updates. I suspect it's tied to Intune as well. An issue discussed on a Poly partner call yesterday was the same device registering multiple times under a single account, causing the account to run into the max device limitations; we've seen that with a few customers as well.
We've been testing the registration exception with a number of folks to see the impact.
Aug 04 2021 10:18 AM
What is this registration exception you mentioned? I'm testing out six different Yealink phones and have hit the Intune device limit by logging on and off the same devices too many times. I'm assuming if a user were to log in and out of their desk phone more than 15 times they will hit the limit?
Sep 16 2021 03:21 PM
@jangliss Super surprised this hasn't been answered yet, but the simplest resolution I've found for this is the following:
In Endpoint Manager, Navigate to Devices/Enroll Devices/Enrollment Restrictions/Device type restrictions, make sure the Android Enterprise and Android DA are set to allow but leave personally owned set to blocked (or whatever choice is desired here).
Then navigate to Devices/Enroll Devices/Corporate device identifiers, here you will want to add the serial number (not mac) of the devices being used.
Unfortunately, M$ has not provided a way for Intune to differentiate IP phones from "personally owned" devices (or provide an actual administration console for them); however, shout out to Eric O for pointing me in this direction. It took a lot of hours to figure it out, but by adding the corporate ID, these devices bypass any enrollment restrictions imposed on personal devices. Ultimately, I would still suggest the CA policies for the individual model of phone in AAD to reduce the number of "false positives" for compliance issues in Intune, but if you're not using it to manage other devices, this isn't a necessary step.
IMO, the Intune team should figure out a way to mark all of the certified Teams phones as corporate by default; it should be pretty easy by manufacturer/model... I'm pretty sure no one has bought one of them for personal use.
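The corporate-identifier step described in the post above (and in the earlier reply about registering the phone's serial number for Android Device Administrator enrollment) is done by hand in the Endpoint Manager portal. Below is an added example, not code from any participant in this thread, that does the same bulk import with the Microsoft Graph PowerShell SDK so the serials of a whole fleet of phones can be loaded from a CSV and then verified. It assumes the Graph beta action `deviceManagement/importedDeviceIdentities/importDeviceIdentityList`, the permission scope `DeviceManagementServiceConfig.ReadWrite.All`, and a CSV in the portal's own `serial,description` layout (no header row); the file name `phones.csv` and the serials in the comments are illustrative.

```powershell
# Added example, not from the thread: bulk-import Teams phone serial numbers as Intune
# corporate device identifiers via Microsoft Graph (beta), i.e. the same list the portal's
# Devices > Enroll devices > Corporate device identifiers page manages.
# Assumptions: Microsoft.Graph PowerShell SDK installed; beta action
#   POST /deviceManagement/importedDeviceIdentities/importDeviceIdentityList
# scope DeviceManagementServiceConfig.ReadWrite.All; CSV in "serial,description" form, e.g.
#   805EC0123456,Yealink MP56 - Lobby
#   805EC0123457,Yealink MP56 - Reception   (constructed sample values)

$GraphBeta = 'https://graph.microsoft.com/beta'

function Read-PhoneSerialCsv {
    # Parse the portal-style CSV into the objects Graph expects, dropping blanks,
    # duplicates and malformed rows. Description is capped at 128 chars like the portal.
    param([Parameter(Mandatory)][string]$CsvPath)

    $seen = New-Object 'System.Collections.Generic.HashSet[string]'
    $identities = foreach ($line in Get-Content -Path $CsvPath) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $serial, $description = ($line -split ',', 2) | ForEach-Object { $_.Trim() }
        if ($serial -notmatch '^[A-Za-z0-9._\-]+$') {
            Write-Warning "Skipping row with invalid serial: '$line'"
            continue
        }
        if (-not $seen.Add($serial.ToUpperInvariant())) {
            Write-Warning "Skipping duplicate serial: $serial"
            continue
        }
        if ($description.Length -gt 128) { $description = $description.Substring(0, 128) }
        @{
            importedDeviceIdentifier   = $serial
            importedDeviceIdentityType = 'serialNumber'
            description                = $description
        }
    }
    return @($identities)
}

function Import-TeamsPhoneSerials {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$CsvPath,
        # Keep existing entries by default; set to overwrite the whole list.
        [switch]$Overwrite
    )

    $identities = Read-PhoneSerialCsv -CsvPath $CsvPath
    if ($identities.Count -eq 0) { throw "No valid serial numbers found in $CsvPath" }
    if ($identities.Count -gt 5000) { Write-Warning 'Portal import limit is 5000 rows; splitting the file is safer.' }

    Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.ReadWrite.All' -NoWelcome

    $body = @{
        overwriteImportedDeviceIdentities = [bool]$Overwrite
        importedDeviceIdentities          = $identities
    } | ConvertTo-Json -Depth 5

    if ($PSCmdlet.ShouldProcess("$($identities.Count) serial(s)", 'Import as corporate device identifiers')) {
        Invoke-MgGraphRequest -Method POST `
            -Uri "$GraphBeta/deviceManagement/importedDeviceIdentities/importDeviceIdentityList" `
            -Body $body -ContentType 'application/json' | Out-Null
    }

    # Verify: read the list back and report any serial that did not land.
    $current = (Invoke-MgGraphRequest -Method GET `
        -Uri "$GraphBeta/deviceManagement/importedDeviceIdentities").value |
        ForEach-Object { $_.importedDeviceIdentifier.ToUpperInvariant() }
    $missing = $identities.importedDeviceIdentifier | Where-Object { $current -notcontains $_.ToUpperInvariant() }
    if ($missing) { Write-Warning "Not present after import: $($missing -join ', ')" }
    else { Write-Host "All $($identities.Count) serial(s) present as corporate identifiers." }
}

# Usage (dry run first, then for real):
#   Import-TeamsPhoneSerials -CsvPath .\phones.csv -WhatIf
#   Import-TeamsPhoneSerials -CsvPath .\phones.csv
```

Use the serial printed on the phone's label (or shown under the device's About screen), not the MAC address, exactly as the post says; the verification step at the end reads the list back so a typo in a serial is caught before the phone is handed to a user rather than at the first failed sign-in. The enrollment restriction itself (Android Enterprise and Android DA allowed, personally owned blocked) still has to be set as described, since this script only maintains the corporate identifier list.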
Sep 17 2021 08:11 AM
@kylecombs wrote:
Then navigate to Devices/Enroll Devices/Corporate device identifiers, here you will want to add the serial number (not mac) of the devices being used.
This is a nice way of handling it, versus adding policies to block registrations for all android enterprise devices, which was Microsoft's recommendation.
Oct 07 2021 01:07 AM - edited Oct 07 2021 01:11 AM
Well, in your case it at least works.
For us, Intune doesn't help at all, as the device is not able to register in it.
It freezes or drops at the registration stage (both Poly and Yealink).
And we've also noted that Android MTRs like Poly Studio or Logi Mini Bar are also affected, as they're most probably using the same kind of Teams agent.
Using the previous version of firmware solves the issue.
Disappointing situation.
We'll see what happens after the promised fix by Microsoft.