Intune: Conditional Access and Microsoft Teams App

If you are using a conditional access policy to block/allow specific apps, you may find yourself unable to sign into Microsoft Teams. Users that fail compliance will see the following error message.

You cannot access this right now. Your sign-in was successful but does not meet the criteria to access this resource. For example, you might be signing in from a browser, app, or location that is restricted by your admin.

Unfortunately this can happen even if Microsoft Teams is explicitly allowed (or not blocked). What should be done?

Well, the thing about Microsoft Teams is that it requires other apps to be open and allowed as well. Specifically:

  • Skype for Business Online
  • Exchange Online
  • SharePoint Online

So make sure that all these services are allowed and not blocked, and you should be able to get past compliance to authenticate into Microsoft Teams.
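A quick way to audit for this is to check exported conditional access policies for the gap described above: a policy that still applies to one of Teams' dependent services while Teams itself is excluded. The following is an added example (not code from the original post, and not a Microsoft tool) written against the shape of Conditional Access policy JSON as returned by Microsoft Graph (`conditions.applications.includeApplications` / `excludeApplications`, `state`). The application IDs are the well-known first-party IDs as I understand them and are an assumption; confirm them against your own tenant before relying on the output.

```python
"""Audit Conditional Access policies for the Teams dependency gap:
Teams is allowed (excluded from the restriction) but Skype for Business
Online, Exchange Online or SharePoint Online is still restricted."""

# Well-known first-party application IDs (assumed; verify in your tenant).
TEAMS = "cc15fd57-2c6c-4117-a88c-83b1d56b4bbe"
DEPENDENCIES = {
    "00000004-0000-0ff1-ce00-000000000000": "Skype for Business Online",
    "00000002-0000-0ff1-ce00-000000000000": "Exchange Online",
    "00000003-0000-0ff1-ce00-000000000000": "SharePoint Online",
}


def policy_applies_to(policy, app_id):
    """True if an enforced policy targets app_id (directly or via 'All')."""
    if policy.get("state") != "enabled":          # disabled / report-only
        return False
    apps = policy.get("conditions", {}).get("applications", {})
    if app_id in apps.get("excludeApplications", []):
        return False
    included = apps.get("includeApplications", [])
    return "All" in included or app_id in included


def teams_dependency_gaps(policies):
    """Return [(service name, [policy names])] for every dependent service
    that is restricted by a policy which does NOT also restrict Teams."""
    gaps = []
    for app_id, name in DEPENDENCIES.items():
        offending = [
            p["displayName"]
            for p in policies
            if policy_applies_to(p, app_id) and not policy_applies_to(p, TEAMS)
        ]
        if offending:
            gaps.append((name, offending))
    return gaps


def _policy(name, state, include, exclude=()):
    # Helper to build a minimal policy in Graph's JSON shape (constructed).
    return {
        "displayName": name,
        "state": state,
        "conditions": {"applications": {
            "includeApplications": list(include),
            "excludeApplications": list(exclude)}},
        "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
    }


# Constructed sample: "All" apps require a compliant device, Teams excluded.
# This is the shape that produces the sign-in error quoted above.
BROKEN_POLICIES = [
    _policy("Require compliant device", "enabled", ["All"], [TEAMS]),
    _policy("Old block (disabled)", "disabled", ["All"]),
]

# Corrected sample: the three services Teams depends on are excluded too.
FIXED_POLICIES = [
    _policy("Require compliant device", "enabled", ["All"],
            [TEAMS, *DEPENDENCIES]),
]

if __name__ == "__main__":
    for service, names in teams_dependency_gaps(BROKEN_POLICIES):
        print(f"{service} is still restricted by: {', '.join(names)}")
```

Run against a real export, the only difference is loading the policy list from the Graph response instead of the constructed samples; any line printed names a service that must be excluded from (or allowed by) the same policy before Teams sign-in will succeed.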

Intune: If Migrating, Don’t Worry About Those EAS Records

If you have an existing MDM solution and are migrating devices over to Intune, you might notice some EAS records being created. These will be viewable as devices, even if the user did not enroll them into Intune. Sometimes, you’ll see these EAS records being created in Intune for users that have never even installed Company Portal! What is going on here?

The answer can be found in Microsoft’s KB about Intune Conditional Access:

The Intune Exchange connector pulls in all the Exchange Active Sync (EAS) records that exist at the Exchange server so Intune can take these EAS records and map them to Intune device records. These records are devices enrolled and recognized by Intune. This process allows or blocks e-mail access.

In other words, the Intune Exchange Connector actively reads the account information of active users, and if any ActiveSync IDs are detected, Intune automatically creates a record for that ID. This happens even if the device has never touched Intune! So if you are migrating users from one MDM environment to Intune (with the Exchange Connector configured), you will most likely see these “ghost” EAS records.

If you are confused because you don’t have conditional access enabled, you aren’t alone. The thing is, this behavior will happen even if conditional access is turned off! Being “disabled” apparently doesn’t mean “completely disabled” to Microsoft.

As long as your conditional access is not enabled though, you don’t need to stress too much:

  • These “ghost” EAS records will only be created for users that have an Intune license associated with their Azure AD account. So plan out your license distribution carefully.
  • If you don’t have conditional access turned on yet, these EAS records will have no impact on the user. You can even delete these records with no impact, but note that Intune will just re-create them again upon the next scan.
  • If the user enrolls the EAS device into Intune, it will merge the MDM and EAS records together (provided that the UPN of the user is the same too).
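To see which of these records are ghosts and which have already merged, it helps to sort a device export by its management agent. The following is an added example (not code from the original post, and not a Microsoft tool) that works over a list of device records in the shape of the Graph `managedDevice` object: `managementAgent` (`eas`, `mdm`, `easMdm`), `userPrincipalName` and `easDeviceId`. The sample records and the licensed-user list are constructed inline.

```python
"""Triage Intune device records after an MDM migration: separate "ghost"
EAS records (created by the Exchange Connector, never enrolled) from records
that have merged with an MDM enrollment or are waiting to merge on UPN."""

EAS_ONLY = {"eas"}
MDM_ONLY = {"mdm"}
MERGED = {"easMdm"}


def triage_eas_records(devices, licensed_upns):
    """Return a dict of categories -> list of (deviceName, userPrincipalName).

    ghost         : EAS-only record for a licensed user with no MDM record
    pending_merge : EAS-only record whose user also has a separate MDM record
    merged        : a single record carrying both EAS and MDM (easMdm)
    unexpected    : EAS-only record for a user with no Intune license
    """
    mdm_upns = {d["userPrincipalName"].lower()
                for d in devices if d["managementAgent"] in MDM_ONLY | MERGED}
    licensed = {u.lower() for u in licensed_upns}
    out = {"ghost": [], "pending_merge": [], "merged": [], "unexpected": []}
    for d in devices:
        upn = d["userPrincipalName"].lower()
        entry = (d["deviceName"], d["userPrincipalName"])
        agent = d["managementAgent"]
        if agent in MERGED:
            out["merged"].append(entry)
        elif agent in EAS_ONLY:
            if upn not in licensed:
                out["unexpected"].append(entry)
            elif upn in mdm_upns:
                out["pending_merge"].append(entry)
            else:
                out["ghost"].append(entry)
    return out


def _rec(name, upn, agent, eas_id=None):
    # Constructed record in the managedDevice shape (assumed field names).
    return {"deviceName": name, "userPrincipalName": upn,
            "managementAgent": agent, "easDeviceId": eas_id}


SAMPLE_DEVICES = [
    _rec("alice-iphone", "alice@contoso.example", "eas", "EASID001"),
    _rec("bob-android", "bob@contoso.example", "easMdm", "EASID002"),
    _rec("carol-iphone", "carol@contoso.example", "eas", "EASID003"),
    _rec("carol-iphone", "Carol@contoso.example", "mdm"),
    _rec("dave-phone", "dave@contoso.example", "eas", "EASID004"),
]
SAMPLE_LICENSED = ["alice@contoso.example", "bob@contoso.example",
                   "carol@contoso.example"]

if __name__ == "__main__":
    for category, entries in triage_eas_records(SAMPLE_DEVICES, SAMPLE_LICENSED).items():
        print(f"{category}: {[e[0] for e in entries]}")
```

The `unexpected` bucket is the one worth a second look: per the note above, EAS records should only appear for Intune-licensed users, so a record there usually means the licence list you fed in is stale. UPNs are compared case-insensitively because the merge happens on UPN, and directory exports do not always agree on casing.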