Supported Conditional Access and Intune device compliance policies for Microsoft Teams Rooms and Teams Android Devices

This article provides supported Conditional Access and Intune device compliance policies for Microsoft Teams Rooms. For best practices and example policies, see Conditional Access and Intune compliance best practices for Microsoft Teams Rooms.

Note

To use this feature with a Teams Rooms device, you need to assign a Microsoft Teams Rooms Pro license to the device. For more information, see Microsoft Teams Rooms licenses.

Note

Teams Rooms must be already deployed on the devices if you want to assign Conditional Access policies. If you haven't deployed Teams Rooms yet, see Create resource accounts for rooms and shared Teams devices and Deploy Microsoft Teams Rooms on Android for more information.

Supported Conditional Access policies

The following table lists the supported Conditional Access policies for Teams Rooms on Windows, for Teams Rooms on Android and Teams panels, and for Teams phones and displays.

| Assignment | Teams Rooms on Windows | Teams Rooms on Android and panels | Teams phones and displays |
| --- | --- | --- | --- |
| User or workload identities | Supported | Supported | Supported |
| Cloud apps or actions | Supported. Teams Rooms needs to access the following Cloud apps: Office 365, Office 365 Exchange Online, Office 365 SharePoint Online, and Microsoft Teams Services | Supported. Teams Rooms needs to access the following Cloud apps: Office 365, Office 365 Exchange Online, Office 365 SharePoint Online, and Microsoft Teams Services | Supported. Teams Rooms needs to access the following Cloud apps: Office 365, Office 365 Exchange Online, Office 365 SharePoint Online, and Microsoft Teams Services |
| **Conditions** | | | |
| User risk | Supported | Supported | Supported |
| Sign-in risk | Supported | Supported | Supported |
| Device platforms | Supported | Supported | Supported |
| Locations | Supported | Supported | Supported |
| Client apps | Not supported | Not supported | Not supported |
| Filter for devices | Supported | Supported | Supported |
| Authentication flows | Supported | Not supported. Device code flow is required for sign in. | Not supported. Device code flow is required for sign in. |
| **Grant** | | | |
| Block access | Supported | Supported | Supported |
| Grant access | Supported | Supported | Supported |
| Require multi-factor authentication | Not supported | Not supported | Supported |
| Require authentication strength | Not supported | Not supported | Not supported |
| Require device to be marked as compliant | Supported | Supported | Supported |
| Require Microsoft Entra hybrid joined device | Not supported | Not supported | Not supported |
| Require approved client app | Not supported | Not supported | Not supported |
| Require app protection policy | Not supported | Not supported | Not supported |
| Require password change | Not supported | Not supported | Not supported |
| **Sessions** | | | |
| Use app enforced restrictions | Not supported | Not supported | Not supported |
| Use Conditional Access App Control | Not supported | Not supported | Not supported |
| Sign-in frequency | Supported | Supported | Supported |
| Persistent browser session | Not supported | Not supported | Not supported |
| Customize conditional access evaluation | Not supported | Not supported | Not supported |
| Disable resiliency defaults | Not supported | Not supported | Not supported |
| Require token protection for sign-in sessions (Preview) | Not supported | Not supported | Not supported |

Note

Using Conditional Access policies with Sign-in frequency configured will make all Teams Android devices periodically sign out. This is expected behavior.

Note

Authentication strength, including but not limited to FIDO2 security keys, is not supported for use with Conditional Access policies that will affect all Teams devices.
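
The following is an added example, not Microsoft's code: a small linter that checks an exported Conditional Access policy against the support table above before the policy is scoped to room or device resource accounts. It assumes the policy JSON uses the Microsoft Graph `conditionalAccessPolicy` property names. The device-class labels, function names, and sample policies are constructed for illustration.

```python
# Added example: lint a Conditional Access policy (Microsoft Graph
# conditionalAccessPolicy JSON) against the support table above.
WINDOWS, ANDROID, PHONES = "windows", "android_and_panels", "phones_and_displays"
ALL = {WINDOWS, ANDROID, PHONES}
# grantControls.builtInControls value -> device classes where it is not supported
UNSUPPORTED_GRANT = {
    "mfa": {WINDOWS, ANDROID},        # supported only on Teams phones and displays
    "domainJoinedDevice": ALL,        # Microsoft Entra hybrid joined device
    "approvedApplication": ALL,
    "compliantApplication": ALL,      # app protection policy
    "passwordChange": ALL,
}
# sessionControls properties the table lists as not supported (signInFrequency is supported)
UNSUPPORTED_SESSION = ("applicationEnforcedRestrictions", "cloudAppSecurity",
                       "persistentBrowser", "continuousAccessEvaluation",
                       "disableResilienceDefaults", "secureSignInSession")

def _configured(value):
    """Session controls are null, a bool, or an object that may carry isEnabled."""
    if isinstance(value, dict):
        return value.get("isEnabled", True)
    return bool(value)

def lint_policy(policy, device_class):
    """Return the settings in `policy` that the table marks unsupported for device_class."""
    cond = policy.get("conditions") or {}
    grant = policy.get("grantControls") or {}
    session = policy.get("sessionControls") or {}
    findings = []
    # clientAppTypes == ["all"] is how Graph represents "condition not configured"
    if set(cond.get("clientAppTypes") or ["all"]) != {"all"}:
        findings.append("conditions.clientAppTypes")
    if cond.get("authenticationFlows") and device_class != WINDOWS:
        findings.append("conditions.authenticationFlows")
    for control in grant.get("builtInControls") or []:
        if device_class in UNSUPPORTED_GRANT.get(control, ()):
            findings.append("grantControls.builtInControls:" + control)
    if grant.get("authenticationStrength"):
        findings.append("grantControls.authenticationStrength")
    findings += ["sessionControls." + n for n in UNSUPPORTED_SESSION
                 if _configured(session.get(n))]
    return findings

# Constructed sample: a tenant-wide "require MFA" policy that also scopes in room accounts.
TENANT_MFA = {"conditions": {"clientAppTypes": ["all"]},
              "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
              "sessionControls": {"signInFrequency": {"isEnabled": True, "value": 90, "type": "days"},
                                  "persistentBrowser": {"isEnabled": False}}}
# Constructed sample: a room-specific policy using only supported controls.
ROOM_POLICY = {"conditions": {"clientAppTypes": ["all"]},
               "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
               "sessionControls": None}
```

Run `lint_policy` once per device class the policy will apply to; an empty list means the policy uses only settings the table marks as supported for that class.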

Supported device compliance policies

Microsoft Teams Rooms on Windows and Teams Rooms on Android support different device compliance policies.

Below is a table of device compliance settings and recommendations for their use with Teams Rooms.

| Policy | Availability | Notes |
| --- | --- | --- |
| **Device health** | | |
| Require BitLocker | Supported | Only use if you have enabled BitLocker first on Teams Rooms. |
| Require Secure Boot to be enabled on the device | Supported | Secure Boot is a requirement for Teams Rooms. |
| Require code integrity | Supported | Code integrity is already a requirement for Teams Rooms. |
| **Device Properties** | | |
| Operating System Version (minimum, maximum) | Not supported | Teams Rooms automatically will update to newer versions of Windows and setting values here could prevent successful sign-in after an OS update. |
| OS version for mobile devices (minimum, maximum) | Not supported | |
| Valid operating system builds | Not supported | |
| **Configuration Manager Compliance** | | |
| Require device compliance from Configuration Manager | Supported | |
| **System security** | | |
| All password policies | Not supported | Password policies can prevent the local Skype account from automatically signing in. |
| Require encryption of data storage on device | Supported | Only use if you have first enabled encryption of data storage on Teams Rooms. |
| Firewall | Supported | Firewall is already a requirement for Teams Rooms. |
| Trusted Platform Module (TPM) | Supported | Trusted Platform Module (TPM) is already a requirement for Teams Rooms. |
| Antivirus | Supported | Antivirus (Windows Defender) is already a requirement for Teams Rooms. |
| Antispyware | Supported | Antispyware (Windows Defender) is already a requirement for Teams Rooms. |
| Microsoft Defender Antimalware | Supported | Microsoft Defender Antimalware is already a requirement for Teams Rooms. |
| Microsoft Defender Antimalware minimum version | Not supported | Teams Rooms will automatically update this component so there's no need to set compliance policies. |
| Microsoft Defender Antimalware security intelligence up-to-date | Supported | Validate that Microsoft Defender Antimalware is already a requirement for Teams Rooms. |
| Real-time protection | Supported | Real-time protections are already a requirement for Teams Rooms. |
| **Microsoft Defender for Endpoint** | | |
| Require the device to be at or under the machine risk score | Supported | |