AzureAD and MEM/Intune considerations for MTR on Android

6/8/2021

Microsoft Teams Room on Android (MTRoA) devices have been growing rapidly since their debut by Poly with the Studio X30/X50. While it's relatively simple to deploy these devices, there are several considerations to ensure the devices can sign in to the tenant, especially when there are AzureAD and MEM/Intune security restrictions. This blog post discusses some of these considerations in detail and how to identify and resolve possible issues.
When using the same account to sign in to multiple MTRoA devices, note that there is a default limit of 20 devices per account. Once this limit is reached, additional devices will not be able to sign in using the same account. It's worth noting that if a device is factory reset and signed in again using the same account, this counts as an additional device registration. This default of 20 devices can be changed in the AzureAD admin center as shown below, but it is a tenant-wide setting:
Picture
To check whether an account has reached its limit, navigate to the account in the AzureAD admin center and check the "Devices" section. For example, the diagram below shows an account that has 15 devices registered. If desired, simply select the devices and delete them to free up registrations. Take care, as this will cause any signed-in devices to be signed out.
Picture
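The same check can be scripted. The following is an added example, not part of the original post: it uses the Microsoft Graph PowerShell SDK to count an account's registrations against the limit and list the ones that have not signed in recently (typically left behind by factory resets). The account name and the 30-day staleness threshold are assumptions.

```powershell
# Added example (not from the original post). Requires the Microsoft.Graph module.
Connect-MgGraph -Scopes 'Directory.Read.All'

$Upn            = 'mtr-room@contoso.example'  # placeholder resource account
$Limit          = 20                          # default per-account limit cited above
$StaleAfterDays = 30                          # assumption: threshold for a stale registration

# Registered devices are returned as directory objects; the device fields
# are in AdditionalProperties under camelCase keys.
$devices = Get-MgUserRegisteredDevice -UserId $Upn -All | ForEach-Object {
    $p = $_.AdditionalProperties
    [pscustomobject]@{
        ObjectId    = $_.Id
        DisplayName = $p['displayName']
        OS          = $p['operatingSystem']
        LastSignIn  = if ($p['approximateLastSignInDateTime']) {
                          [datetime]$p['approximateLastSignInDateTime']
                      } else { $null }
    }
}

'{0}: {1} of {2} registrations used' -f $Upn, @($devices).Count, $Limit

# Candidates for cleanup: never signed in, or last sign-in older than the cutoff.
$cutoff = (Get-Date).AddDays(-$StaleAfterDays)
$devices |
    Where-Object { -not $_.LastSignIn -or $_.LastSignIn -lt $cutoff } |
    Sort-Object LastSignIn |
    Format-Table DisplayName, OS, LastSignIn, ObjectId
```

The script only reports; review the list before deleting anything, since removing a registration that is still in use signs that device out.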
If a tenant has MEM/Intune enabled, then there are additional device enrollment limits on top of those in AzureAD. In fact, the Intune/MEM default is just 5 devices, and while this can be changed, the maximum that can be configured is 15:
Picture
Organizations also typically have Intune/MEM policies to secure Android smartphones signing in to the tenant for email and Teams. Because MTRoA devices run the Android OS, they are subject to the same policy restrictions. Hence it's recommended to exclude MTRoA devices from these policies, as they should not be treated the same as regular user smartphones. When an MTRoA device is unable to sign in to Teams due to MEM/Intune policy restrictions, there aren't many error messages displayed on the device that indicate this. One way to check whether the device is indeed being blocked by Intune/MEM policies is to go to the MEM/Intune portal and navigate to the Compliance section under "Noncompliant devices". This displays all the accounts that have been marked non-compliant by MEM/Intune while signing in to the tenant. Look for the MTRoA account that is being used; if it appears in this list, then it's being blocked by policy:
Picture
Once the MTRoA account is identified as being blocked by MEM/Intune, we need to know the actual policy setting that is causing the non-compliance. This can be found by going to the Users section and navigating to "Sign-ins". A list of failures will be displayed in the upper section, and in the details section below, there are several tabs that may indicate the reason for the failures. For example, the picture below shows that a device failed a compliance policy that requires Android 10 or higher:
Picture
As mentioned earlier, MTRoA devices should be excluded from MEM/Intune policies created for regular users' smartphones. This can be done by first creating a Dynamic Group in AzureAD that automatically includes devices whose "deviceOSType" property matches "Android" and whose "deviceModel" property matches the device model name, as shown below:
Picture
Once the Dynamic Group is created, we can then assign this group to be excluded from the MEM/Intune policy as shown below:
Picture
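The dynamic group can also be created with the Microsoft Graph PowerShell SDK. This is an added example, not part of the original post: it first previews which registered Android devices carry the model name, so the exclusion does not end up covering user phones, and then creates the group. The model value, group name and mail nickname are placeholders.

```powershell
# Added example (not from the original post). Requires the Microsoft.Graph module.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'Device.Read.All'

$Model = '<MTRoA device model name>'   # placeholder: use the model shown for your devices

# Dynamic membership rule on the two device properties named above.
$Rule = '(device.deviceOSType -eq "Android") and (device.deviceModel -eq "{0}")' -f $Model

# Preview: the rule should match room devices only. Any personal phone in
# this list would also escape the compliance policy once the group is excluded.
$android = Get-MgDevice -Filter "operatingSystem eq 'Android'" -All
$matched = @($android | Where-Object { $_.Model -eq $Model })
$matched | Format-Table DisplayName, Model, OperatingSystemVersion
'{0} of {1} Android devices match the rule' -f $matched.Count, @($android).Count

# Create the security group with dynamic membership processing turned on.
$params = @{
    DisplayName                   = 'MTRoA devices'    # placeholder name
    MailNickname                  = 'mtroa-devices'    # placeholder, required by the API
    MailEnabled                   = $false
    SecurityEnabled               = $true
    GroupTypes                    = @('DynamicMembership')
    MembershipRule                = $Rule
    MembershipRuleProcessingState = 'On'
}
New-MgGroup @params
```

Matching on the exact model name keeps the exclusion narrow; a rule on "Android" alone would exempt every Android phone from the compliance policy.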
In conclusion, MTRoA devices are subject to the same MEM/Intune policies as regular users' Android smartphones and should be excluded from these policies, as they are an entirely different category of device.