Intune: Conditional Access and Microsoft Teams App

If you are using a conditional access policy to block or allow specific apps, you may find yourself unable to sign into Microsoft Teams. Users that fail compliance will see the following error message:

You cannot access this right now. Your sign-in was successful but does not meet the criteria to access this resource. For example, you might be signing in from a browser, app, or location that is restricted by your admin.

Unfortunately this can happen even if Microsoft Teams is explicitly allowed (or not blocked). What should be done?

Well, the thing about Microsoft Teams is that it requires other apps to be open and allowed as well. Specifically:

  • Skype for Business Online
  • Exchange Online
  • SharePoint Online

So make sure that all these services are allowed and not blocked, and you should be able to get past compliance to authenticate into Microsoft Teams.
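The following script, added here as an example and not part of the original post, audits enabled Conditional Access policies for exactly this situation: a block policy that covers Exchange Online, SharePoint Online or Skype for Business Online while Teams itself is excluded or not included. It assumes the Microsoft.Graph PowerShell SDK is installed, that a session has been opened with Connect-MgGraph, and that the first-party service principal display names match the ones listed in the script (adjust them if your tenant shows different names).

```powershell
# Added example, not from the original post. Audits enabled Conditional Access
# policies for the Teams dependency problem: a block policy that covers
# Exchange Online, SharePoint Online or Skype for Business Online while Teams
# itself is allowed. Assumes the Microsoft.Graph PowerShell SDK and a session
# opened with: Connect-MgGraph -Scopes 'Policy.Read.All','Application.Read.All'
# The service principal display names are assumed to match the first-party
# apps in the tenant; adjust them if yours differ.

$teamsName = 'Microsoft Teams'
$dependencyNames = @(
    'Office 365 Exchange Online',
    'Office 365 SharePoint Online',
    'Skype for Business Online'
)

# Resolve a display name to the appId value that Conditional Access policies use.
function Resolve-AppId {
    param([Parameter(Mandatory)][string]$DisplayName)
    $sp = Get-MgServicePrincipal -Filter "displayName eq '$DisplayName'" -Top 1
    if (-not $sp) { throw "Service principal '$DisplayName' not found" }
    return $sp.AppId
}

# True when a policy's application condition covers the given appId:
# included (directly or via 'All') and not excluded.
function Test-PolicyCoversApp {
    param($Applications, [string]$AppId)
    $include = @($Applications.IncludeApplications)
    $exclude = @($Applications.ExcludeApplications)
    $included = ($include -contains 'All') -or ($include -contains $AppId)
    return $included -and -not ($exclude -contains $AppId)
}

$teamsId = Resolve-AppId $teamsName
$dependencyIds = @{}
foreach ($name in $dependencyNames) { $dependencyIds[$name] = Resolve-AppId $name }

$findings = foreach ($policy in Get-MgIdentityConditionalAccessPolicy) {
    if ($policy.State -ne 'enabled') { continue }
    # Only block policies matter here; grant policies (e.g. require compliant
    # device) are expected to gate the dependencies as well as Teams.
    $isBlock = @($policy.GrantControls.BuiltInControls) -contains 'block'
    if (-not $isBlock) { continue }

    $apps = $policy.Conditions.Applications
    $coversTeams = Test-PolicyCoversApp $apps $teamsId
    foreach ($name in $dependencyNames) {
        if ((Test-PolicyCoversApp $apps $dependencyIds[$name]) -and -not $coversTeams) {
            [pscustomobject]@{
                Policy     = $policy.DisplayName
                BlockedDep = $name
                Note       = 'Teams is allowed but this dependency is blocked; Teams sign-in will fail'
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { Write-Output 'No enabled block policy cuts a Teams dependency while allowing Teams.' }
```

Run it in the tenant where the Teams sign-in failures occur; each row names a policy to revisit, and the fix is the one described above: allow (or stop blocking) the dependency alongside Teams.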

Intune: How On-Premise Exchange Conditional Access Can Work

Overview

When controlling access to Exchange email, there are generally two ways to go about it:

  • You can allow all devices and then block them after evaluating them.
  • You can block/quarantine all devices and then allow them after evaluating them.

The second option is more secure because access to email is not granted until the user’s device is deemed compliant. Both options are enforced through the Exchange ActiveSync settings commonly known as ABQ (Allow/Block/Quarantine).

How are these concepts implemented in Intune? Well, although there are multiple ways to go about this, Microsoft has documented their suggested process. Let’s cover those steps.

Steps 1-3: Getting Blocked

According to Microsoft, the suggested method is to actually become quarantined/blocked on purpose. When that happens, an EAS record will be created in Intune automatically, and the Exchange server will send a notification to the user. This notification can be customized to include steps on how to enroll the device into Intune for management. Below is what the automated email could look like.

Steps 4-8: Enrollment

After receiving the blocked email and following the customized instructions, the user can then go through the enrollment process. For iOS and Android devices, that means downloading the Intune Company Portal app and then authenticating with an Azure AD account that has an Intune license assigned to it. Once the user’s license is verified, a trust is established between the device and the Intune servers, and from that point the device is managed by Intune. On the backend, Intune takes the already-blocked EAS record and merges it with a now-compliant MDM record.

Steps 9-10: Exchange Conditional Access

Intune checks all enrolled devices on a timed interval and allows any that are compliant to access email. The interval is reportedly around 15 minutes, but Microsoft does not publish it. In order to allow a device, Intune connects to the on-premise Exchange servers via the Intune Exchange Connector. Once the connection is established, PowerShell cmdlets are run to mark the EAS device ID as “allowed”, making it able to access Exchange email.

Alternative process

Although the process above is the one Microsoft has documented, it is not the only way to implement access control in a corporate environment. Another approach is to have users enroll before they are blocked. That way, they never receive a “blocked” email, which can be confusing to some users. Once the device is enrolled and compliant, the Intune Exchange Connector can allow the EAS ID, and the user will be able to access email on their mobile device.
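The following Exchange Management Shell session is an added example, not part of the original post and not the code the Intune Exchange Connector itself runs. It shows the ABQ pieces that Steps 1-3, Steps 9-10 and the alternative process rely on: quarantining unknown devices by default with a customized user notification, listing what is currently quarantined, and allowing one device ID for one mailbox, which is the per-mailbox change the connector makes once a device is enrolled and compliant. It assumes on-premises Exchange 2013 or later; the admin address, mailbox and device ID are placeholders.

```powershell
# Added example, not from the original post, and not the connector's own code.
# Run in the Exchange Management Shell on Exchange 2013 or later (assumption).
# The admin recipient, mailbox and device ID below are placeholders.

# Steps 1-3: quarantine unknown devices by default and tell the user how to
# enroll. The text in -UserMailInsert is appended to the automated email.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients 'eas-admins@contoso.example' `
    -UserMailInsert 'Your device has been quarantined. Install the Intune Company Portal app and enroll the device; access is granted automatically once it is compliant.'

# Review the organization-wide ABQ defaults that are now in effect.
Get-ActiveSyncOrganizationSettings |
    Format-List DefaultAccessLevel, AdminMailRecipients, UserMailInsert

# List devices currently held in quarantine, with the reason Exchange recorded.
function Get-QuarantinedDevice {
    Get-MobileDevice -ResultSize Unlimited |
        Where-Object { $_.DeviceAccessState -eq 'Quarantined' } |
        Select-Object UserDisplayName, DeviceId, DeviceType, DeviceAccessStateReason
}

# Steps 9-10 / alternative process: allow one device ID for one mailbox.
# Intune does the equivalent through the Exchange Connector after the device
# is enrolled and compliant; here it is done by hand on the same allow list.
function Approve-EasDevice {
    param(
        [Parameter(Mandatory)][string]$Mailbox,
        [Parameter(Mandatory)][string]$DeviceId
    )
    # Refuse to allow an ID that has never partnered with this mailbox, so a
    # typo cannot pre-approve an unknown device.
    $device = Get-MobileDevice -Mailbox $Mailbox |
        Where-Object { $_.DeviceId -eq $DeviceId }
    if (-not $device) {
        throw "Device $DeviceId has not partnered with mailbox $Mailbox"
    }
    Set-CASMailbox -Identity $Mailbox -ActiveSyncAllowedDeviceIDs @{ Add = $DeviceId }

    # Confirm the per-mailbox allow list and the device's resulting access state.
    (Get-CASMailbox -Identity $Mailbox).ActiveSyncAllowedDeviceIDs
    Get-MobileDeviceStatistics -Mailbox $Mailbox |
        Where-Object { $_.DeviceId -eq $DeviceId } |
        Select-Object DeviceId, DeviceAccessState, DeviceAccessStateReason
}

Get-QuarantinedDevice
# Replace both placeholders with a real mailbox and a DeviceId from the list above.
Approve-EasDevice -Mailbox 'jane.doe@contoso.example' -DeviceId 'REPLACE_WITH_DEVICE_ID'
```

The per-mailbox allow list (Set-CASMailbox -ActiveSyncAllowedDeviceIDs) takes precedence over the organization default, which is why a device can stay quarantined for everyone else while this one mailbox's device is allowed; that is also why the alternative process works, since the allow entry can be written before the user ever hits the quarantine.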