Setting up Microsoft Teams phones and Microsoft Teams Rooms on Android in Microsoft Intune

By Jacob Scott - Support Escalation Engineer | Microsoft Intune

This is the first of a two-part series: (Enrolling Microsoft Teams phones and Microsoft Teams Rooms on Android in Intune), that walks you through setting up and enrolling your Microsoft Teams phones and Teams Rooms on Android in Microsoft Intune.

Microsoft Teams is a useful tool for organizations to help their users stay connected in remote locations and environments. Teams phones and Teams Rooms on Android are useful resources for maximizing the Teams experience. However, before you can plug in your Teams phone or deploy a Teams Room to join a meeting, you’ll need to configure the devices.

This blog walks through important considerations for configuring Teams phones and Teams Rooms on Android and guidance for deploying these devices in Microsoft Intune. Note, we’ll refer to Teams phones and Teams Rooms on Android devices as Intune enrolled Teams phones and Rooms throughout the remainder of this document.

Before you begin, be sure to review Deploy Teams phones, Teams displays, Teams panels, and Microsoft Teams Rooms on Android using Intune or general guidance in setting up your Teams phones and Teams Rooms on Android devices in Intune.

Setup devices in Intune

This section provides guidance and things to keep in mind when setting up your Teams phones and Rooms in Intune.

The Teams admin center allows you to view and manage Teams phones, Teams Rooms on Android, displays, and panels enrolled in Teams for your organization, as well as set a few device configurations. Just be aware that device configurations set up through the Teams admin center will override policies set up in Intune. Refer to the Settings considerations section of this document for more information.

Before you begin, be sure to set the mobile device management (MDM) Authority to Microsoft Intune and click the Use device administrator to manage devices checkbox on the Android device administrator page in the Intune admin center.

A screenshot of the “use device administrator to manage devices” checkbox option.

Settings considerations

Device configurations and compliance policies should be considered as you set up Teams in Intune. Some Intune device compliance policies are supported while many aren’t. To learn more about which settings are currently supported, see Supported conditional access and Intune device compliance policies for Microsoft Teams Rooms and Tea....

The Intune admin center allows admins to specify configurations on Teams phones and Teams Rooms on Android devices. However, certain configurations, such as app deployment and protection, aren’t supported. When unsupported settings are used, admins will see the policies listed in an Error state in the Intune admin center. The device may never show compliant for that specific setting, rendering it “Not compliant.” This may cause the device to fail to sign in, depending on policy restrictions, such as Conditional Access.

If Conditional Access policies are configured, they will apply during sign-in, but they may not be supported. When new conditional access policies are turned on, they will take effect on the device the next time it authenticates with Azure. See Conditional Access and Intune compliance for Microsoft Teams Rooms for more information about configuring Conditional Access policies.

Ensure Conditional Access policies targeting these devices don’t have unsupported settings. If a user attempts to sign into Intune enrolled Teams phones and Rooms with an unsupported Conditional Access setting, the sign in will fail. Either the user or the devices will need to be removed from the policy.

Unsupported configurations may still be set up with no visible impact to the device user. However, they can cause issues, such as requiring device users to install security credentials each time the device checks into the Intune service. Refer to the table below to determine which settings are supported.

It’s also important to be aware that when configuring settings from the device side, they may not immediately apply to Intune enrolled Teams phones and Rooms. Since Google Mobile Services (GMS) isn’t supported on these devices, the device must first check into Intune before the settings can be applied.

Enrollment restrictions

Devices are enrolled into Intune using Android device administrator and are considered personal by default. If the device is Android 9 or earlier, it can be added to indicate that it’s corporate-owned during the enrollment process. To manage the user account access and permissions, see Intune enrollment restrictions.

If the user is licensed for Intune, the device will attempt Intune enrollment when signing into Teams phones and Rooms. However, when the user signs out of the device, it will unenroll, or retire, from Intune.

Note that Android Enterprise is unsupported, and that Intune enrolled Teams phones and Microsoft Teams Rooms Android devices don’t have GMS.

Set existing enrollment restrictions to allow the Android device administrator platform and personally owned devices in Intune. Personal devices can be blocked if corporate identifiers are added. Corporate identifiers are only supported on Android 9 or earlier.

Troubleshooting Conditional Access settings

There are Conditional Access rules that can impact and exclude Intune enrolled Teams phones and Rooms from evaluation. Some properties evaluated in Conditional Access filters are populated at different rates than others. The following are common scenarios and options for troubleshooting.

Scenario: Sign-in is timing out

Device information is propagated back to Azure Active Directory (Azure AD) from Intune after enrollment completes, which can take time and cause the sign-in attempt to time out. To troubleshoot this issue, consider either updating the device filtering or updating the named location exclusions.

A screenshot of the Filter for devices pane allowing the admin to “configure a filter to apply policy to specific devices.”

Option 1: Update device filtering

You can add a filter to the unsupported Conditional Access policies to remove devices to prevent timeout during sign in. Navigate to Endpoint security > Conditional access > Policies, select a policy and select Conditions then Filter for devices. Specify the devices to be excluded from the policy by selecting the + Add expression option. Select the device Property type (for example, displayName or model), the Operator (such as in, contains, startswith, endswith, or equals), and then populate the Value (such as the device make and model or its name). Be sure to avoid adding extra spaces or characters when entering a name as it has been known to cause processing issues. The Rule syntax field will display the policy syntax you specify with your selections.

For example, specifying the displayName equal to PolyCCX500 ensures that Intune enrolled ccx500 devices will be excluded from the Conditional Access policy.

Note, when Teams phones and Rooms first register with Azure, they use the displayName format “MakeModel.” Be sure to specify both the device’s displayName and model to ensure that the device is excluded from unsupported Conditional Access policies.

Once all the model information updates to Azure AD, these properties should function as expected. 

Option 2: Update named location exclusions

You can add named locations as an exclusion to the policy to help prevent unsupported Conditional Access policies from applying and timing out the sign-in attempt. Both “All trusted locations” and “Selected locations” are valid options.

Note that adding named location exclusions would exclude any device within scope of the policy that is also at the same named location. Be sure to carefully evaluate whether this configuration would meet your goals.

A screenshot of the conditional access configuration options for named locations.

Scenario: Policy settings not working as expected

Conditional Access policy settings may impact your Intune enrolled Teams phones and Rooms from checking in and being compliant. The following are tips for troubleshooting potential Conditional Access policy issues.

• Ensure assigned Conditional Access and Intune compliance policies don’t have unsupported settings.
  • Either the user/device will need to be removed from the targeted policy that includes the unsupported setting(s) or the assignment(s) need filters to exclude Intune enrolled Teams phones and Rooms from the policy.
• Compliance policies are only needed if a conditional access policy that has the Require device to be marked as compliant policy assigned.
• Ensure the user has an Intune license assigned and that it’s not disabled. To confirm the user and their status, use the Intune Troubleshooting tool.
• Add named locations as an exclusion to the policy. Both “All trusted locations” and “Selected locations” are valid options. Be aware that this excludes any device within scope of the policy that is also at the same named location.

Additional tips

If you’re experiencing issues not covered in the above topics, refer to the following for additional troubleshooting tips.

• Manually update your devices to the latest available software versions in the Teams admin center.
• The Conditional Access - What If tool is helpful for making sure there are no unintended Conditional Access policies targeting the user.
• If this is a new deployment and you have made changes to your environment, a factory reset may help to clear out anything cached on the local device.
• Check the Sign-in logs in Azure AD to help identify where issues may be occurring (both interactive and non-interactive sign-ins). Examples where using the log is most useful include:
  • “50199 - For security reasons, user confirmation is required for this request,” has many causes, such as:
    • An unsupported conditional access policy being applied to the user.
    • Android device administrator enrollment type is not enabled in the tenant.
    • The user has an enrollment restriction blocking Android device administrator enrollment.
  • “53002 - Your device is required to be compliant to access this resource,” is typically caused by:
    • A supported compliance policy is assigned but is not evaluated quick enough for Azure AD to mark the device compliant.
    • An unsupported compliance policy is assigned, so the device never becomes compliant.

Let us know if you have any questions in the comments below or reach out to @IntuneSuppTeam on Twitter. Be sure to catch our second post on: Enrolling Microsoft Teams phones and Microsoft Teams Rooms on Android in Intune.