Block Teams web client whilst allowing Teams desktop client - using proxy
[UPDATE 29/09] We have identified that the Teams desktop client puts a Teams entry in the user-agent string and use a specific Chrome version that is different to the Chrome the users have so we are using this to block traffic to teams.microsoft.com and seems to working so far. Not all traffic has the user-agent though i.e. video. Initially we blocked teams.microsoft.com except user-agent Teams* but this blocked video. Does anyone have detail on Teams video traffic so we can investigate further options? ------------------------------------------------------------------------------------------------- Is there a way to identify traffic from Teams web client, distinct from Teams desktop client so we can use proxy config to block Teams web client whilst allowing Teams desktop client? The reasons for this specific ask and consideration of other options are below: we are deploying Microsoft 365 in an environment for which a new tenant (tenant A) has been set up. The environment has on-prem Win 10 devices managed via SCCM and the devices currently don't have Teams or Outlook desktop clients installed. The environment is locked down with access to teams.microsoft.com currently blocked using proxy config to prevent users getting to Teams via the browser (and users don't even have the desktop client, which this would also block). Users currently have access to email on the parent company's tenant (tenant B), using their separate parent company creds signing into outlook for the web in the browser. This is the extent of their use of M365 cloud services - Outlook on the Web to parent company tenant. As part of rolling out Teams, the Teams client is being deployed and the proxy block of teams.microsoft.com is being removed. RestrictTeamsSignInToAccountsFromTenantList registry setting is implemented so users can only sign-in to tenant A from Teams desktop client. sign-in to tenant B Teams or indeed any tenant is possible via the web client however and there is a requirement to block this so the users can't use the Teams web client. We can't use tenant restrictions i.e. Restrict-Access-To-Tenants header in proxy to tenant A (https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/tenant-restrictions) as the users need to be able to get to parent company tenant B for email We can't configure tenant B e.g. Conditional access to block Teams for a group as the global team who manage tenant B don't engage for these type of point solutions - to keep their tenant maintainable. Due to the above constraints we think identifying some specific urls in proxy might be our best route but open to other suggestions on how to to block Teams web client whilst allowing Teams desktop client.Problem with Teams meeting Add-Ins in Outlook 2016
In my organization we have a problem with the complement to generate Microsoft Teams meetings in Outlook. The problem is that when using the plugin to generate a meeting, it displays the following message: "We couldnĀ“t schedule the meeting. Please try again later". In my organization we use a proxy server to navigate, I have noticed that if I deactivate the proxy the add-in works correctly. Anyone had this problem?Proxy rules for login interface
We're rolling out MS Teams behind a corporate proxy which requires users to accept an AUP the first time they access the Internet in a session. This policy is bypassed for all traffic with a User agent string containing "Teams/*", but the login interface seems to use a generic UAS instead, so it failing until the user opens their browser and accepts the AUP to 'unlock' their Internet access. I've also added http*://login.microsoft.com/* and http*://*.msidentity.com/* to bypass this policy, but it still seems to be failing. Do I need to add the A records that these CNAMEs resolve to as well? As these are hosted by a CDN, is there a more granular set of URLs I can add, or do I need to add the whole CDN Domain?
