Supported Conditional Access and Intune device compliance policies for Microsoft Teams Rooms and Teams Android Devices
This article provides supported Conditional Access and Intune device compliance policies for Microsoft Teams Rooms. For best practices and example policies, see Conditional Access and Intune compliance best practices for Microsoft Teams Rooms.
Note
To use this feature with a Teams Rooms device, you need to assign a Microsoft Teams Rooms Pro license to the device. For more information, see Microsoft Teams Rooms licenses.
Note
Teams Rooms must be already deployed on the devices if you want to assign Conditional Access policies. If you haven't deployed Teams Rooms yet, see Create resource accounts for rooms and shared Teams devices and Deploy Microsoft Teams Rooms on Android for more information.
Supported Conditional Access policies
The following list includes the supported Conditional Access policies for Teams Rooms on Windows and Android, and for policies on Teams panels, phones, and displays.
Assignment | Teams Rooms on Windows | Teams Rooms on Android and panels | Teams phones and displays |
---|---|---|---|
User or workload identities | Supported | Supported | Supported |
Cloud apps or actions | Supported Teams Rooms needs to access the following Cloud apps: Office 365, Office 365 Exchange Online, Office 365 SharePoint Online, and Microsoft Teams Services |
Supported Teams Rooms needs to access the following Cloud apps: Office 365, Office 365 Exchange Online, Office 365 SharePoint Online, and Microsoft Teams Services |
Supported Teams Rooms needs to access the following Cloud apps: Office 365, Office 365 Exchange Online, Office 365 SharePoint Online, and Microsoft Teams Services |
Conditions | --- | --- | --- |
User risk | Supported | Supported | Supported |
Sign-in risk | Supported | Supported | Supported |
Device platforms | Supported | Supported | Supported |
Locations | Supported | Supported | Supported |
Client apps | Not supported | Not supported | Not supported |
Filter for devices | Supported | Supported | Supported |
Authentication flows | Supported | Not supported Device code flow is required for sign in. |
Not supported Device code flow is required for sign in. |
Grant | --- | --- | --- |
Block access | Supported | Supported | Supported |
Grant access | Supported | Supported | Supported |
Require multi-factor authentication | Not supported | Not supported | Supported |
Require authentication strength | Not supported | Not Supported | Not supported |
Require device to be marked as compliant | Supported | Supported | Supported |
Require Microsoft Entra hybrid joined device | Not supported | Not supported | Not supported |
Require approved client app | Not supported | Not supported | Not supported |
Require app protection policy | Not supported | Not supported | Not supported |
Require password change | Not supported | Not supported | Not supported |
Sessions | --- | --- | --- |
Use app enforced restrictions | Not supported | Not supported | Not Supported |
Use Conditional Access App Control | Not supported | Not Supported | Not supported |
Sign-in frequency | Supported | Supported | Supported |
Persistent browser session | Not supported | Not supported | Not supported |
Customize continuous access evaluation | Not supported | Not supported | Not supported |
Disable resiliency defaults | Not supported | Not supported | Not supported |
Require token protection for sign-in sessions (Preview) | Not supported | Not supported | Not supported |
Note
Using Conditional Access policies with Sign-in frequency configured, will make all Teams Android devices periodicly sign out. This is expected behavior.
Note
Authentication Strength including but not limited to, FIDO2 Security keys, is not supported for use with Conditional Access policys that will affect all Teams Devices.
Supported device compliance policies
Microsoft Teams Rooms on Windows and Teams Rooms on Android support different device compliance policies.
Below is a table of device compliance settings and recommendations for their use with Teams Rooms.
Policy | Availability | Notes |
---|---|---|
Device health | -- | -- |
Require BitLocker | Supported | Only use if you have enabled BitLocker first on Teams Rooms. |
Require Secure Boot to be enabled on the device | Supported | Secure Boot is a requirement for Teams Rooms. |
Require code integrity | Supported | Code integrity is already a requirement for Teams Rooms. |
Device Properties -- | ||
Operating System Version (minimum, maximum) | Not supported | Teams Rooms automatically will update to newer versions of Windows and setting values here could prevent successful sign-in after an OS update. |
OS version for mobile devices (minimum, maximum) | Not supported. | |
Valid operating system builds | Not supported | |
Configuration Manager Compliance | -- | -- |
Require device compliance from Configuration Manager | Supported | |
System security | -- | -- |
All password policies | Not supported | Password policies can prevent the local Skype account from automatically signing in. |
Require encryption of data storage on device. | Supported | Only use if you have first enabled encryption of data storage on Teams Rooms. |
Firewall | Supported | Firewall is already a requirement for Teams Rooms |
Trusted Platform Module (TPM) | Supported | Trusted Platform Module (TPM) is already a requirement for Teams Rooms. |
Antivirus | Supported | Antivirus (Windows Defender) is already a requirement for Teams Rooms. |
Antispyware | Supported | Antispyware (Windows Defender) is already a requirement for Teams Rooms. |
Microsoft Defender Antimalware | Supported | Microsoft Defender Antimalware is already a requirement for Teams Rooms. |
Microsoft Defender Antimalware minimum version | Not supported. | Teams Rooms will automatically update this component so there's no need to set compliance policies. |
Microsoft Defender Antimalware security intelligence up-to-date | Supported | Validate that Microsoft Defender Antimalware is already a requirement for Teams Rooms. |
Real-time protection | Supported | Real-time protections are already a requirement for Teams Rooms. |
Microsoft Defender for Endpoint | -- | -- |
Require the device to be at or under the machine risk score. | Supported |