Muokkaa

Jaa

Supported Conditional Access and Intune device compliance policies for Microsoft Teams Rooms and Teams Android Devices

  • Artikkeli
  • Koskee seuraavia::
    Microsoft Teams

This article provides supported Conditional Access and Intune device compliance policies for Microsoft Teams Rooms. For best practices and example policies, see Conditional Access and Intune compliance best practices for Microsoft Teams Rooms.

Note

To use this feature with a Teams Rooms device, you need to assign a Microsoft Teams Rooms Pro license to the device. For more information, see Microsoft Teams Rooms licenses.

Supported Conditional Access policies

The following list includes the supported Conditional Access policies for Teams Rooms on Windows and Android, and for policies on Teams panels, phones, and displays.

Assignment Teams Rooms on Windows Teams Rooms on Android and panels Teams phones and displays
User or workload identities Supported Supported Supported
Cloud apps or actions Supported

Teams Rooms needs to access the following Cloud apps: Office 365, Office 365 Exchange Online, Office 365 SharePoint Online, and Microsoft Teams Services		 Supported

Teams Rooms needs to access the following Cloud apps: Office 365, Office 365 Exchange Online, Office 365 SharePoint Online, and Microsoft Teams Services		 Supported

Teams Rooms needs to access the following Cloud apps: Office 365, Office 365 Exchange Online, Office 365 SharePoint Online, and Microsoft Teams Services
Conditions --- --- ---
User risk Supported Supported Supported
Sign-in risk Supported Supported Supported
Device platforms Supported Supported Supported
Locations Supported Supported Supported
Client apps Not supported Not supported Not supported
Filter for devices Supported Supported Supported
Authentication flows Supported Not supported

Device code flow is required for sign in.		 Not supported

Device code flow is required for sign in.
Grant --- --- ---
Block access Supported Supported Supported
Grant access Supported Supported Supported
Require multi-factor authentication (MFA) Not supported Supported

User interactive MFA is not recommended for shared space devices.		 Supported

User interactive MFA is not recommended for shared space devices.
Require authentication strength Not supported Not Supported Not supported
Require device to be marked as compliant Supported Supported Supported
Require Microsoft Entra hybrid joined device Not supported Not supported Not supported
Require approved client app Not supported Not supported Not supported
Require app protection policy Not supported Not supported Not supported
Require password change Not supported Not supported Not supported
Sessions --- --- ---
Use app enforced restrictions Not supported Not supported Not Supported
Use Conditional Access App Control Not supported Not Supported Not supported
Sign-in frequency Supported Supported Supported
Persistent browser session Not supported Not supported Not supported
Continuous access evaluation Not supported Not supported Not supported
Disable resiliency defaults Not supported Not supported Not supported
Require token protection for sign-in sessions (Preview) Not supported Not supported Not supported

Note

Using the sign-in frequency policy will cause devices to periodically sign out.

Note

Authentication Strength including but not limited to, FIDO2 Security keys, is not supported for use with Conditional Access policies that affect all Teams Devices.

Supported device compliance policies

Microsoft Teams Rooms on Windows and Teams Rooms on Android support different device compliance policies.

Supported device compliance settings and recommendations for their use with Teams Rooms on Windows.

Policy Availability Notes
Device health -- --
Require BitLocker Supported Only use if you have enabled BitLocker first on Teams Rooms.
Require Secure Boot to be enabled on the device Supported Secure Boot is a requirement for Teams Rooms.
Require code integrity Supported Code integrity is already a requirement for Teams Rooms.
Device Properties --
Operating System Version (minimum, maximum) Not supported Teams Rooms automatically will update to newer versions of Windows and setting values here could prevent successful sign-in after an OS update.
OS version for mobile devices (minimum, maximum) Not supported.
Valid operating system builds Not supported
Configuration Manager Compliance -- --
Require device compliance from Configuration Manager Supported
System security -- --
All password policies Not supported Password policies can prevent the local Skype account from automatically signing in.
Require encryption of data storage on device. Supported Only use if you have first enabled encryption of data storage on Teams Rooms.
Firewall Supported Firewall is already a requirement for Teams Rooms
Trusted Platform Module (TPM) Supported Trusted Platform Module (TPM) is already a requirement for Teams Rooms.
Antivirus Supported Antivirus (Windows Defender) is already a requirement for Teams Rooms.
Antispyware Supported Antispyware (Windows Defender) is already a requirement for Teams Rooms.
Microsoft Defender Antimalware Supported Microsoft Defender Antimalware is already a requirement for Teams Rooms.
Microsoft Defender Antimalware minimum version Not supported. Teams Rooms will automatically update this component so there's no need to set compliance policies.
Microsoft Defender Antimalware security intelligence up-to-date Supported Validate that Microsoft Defender Antimalware is already a requirement for Teams Rooms.
Real-time protection Supported Real-time protections are already a requirement for Teams Rooms.
Microsoft Defender for Endpoint -- --
Require the device to be at or under the machine risk score. Supported