How to Configure Device Compliance and Conditional Access for Microsoft Teams Rooms on Android (MTRoA) in Intune

Manage Device Compliance and Conditional Access

Compliance Policy and Conditional Access are two different features inside of Microsoft Intune. We can use them cooperatively to manage devices and improve device security.

What are Device Compliance and Conditional Access?

  • Device Compliance: Tells you if your device is compliant or not.
  • Conditional Access: Determines what to do with these devices depending on their compliant status.

For example, you can block users from enrolling in Intune unless their Android OS version is later than 9.0.

Step 1 – Create a Group

Skip this step if you already have a group that includes the user, or add the user to an existing group.

  1. Sign in to the Microsoft Endpoint Manager admin center as an admin.
  2. Go to Groups > New group to create a group that includes the users whose device platform is restricted.

Step 2 – Set Conditional Access

  1. Sign in to the Microsoft Endpoint Manager admin center as an admin.
  2. Go to Endpoint security > Conditional access > Policies > New policy.
  3. Enter the policy name.
  4. Under the Users or workload identities field, select the users or groups to which the policy applies.

    NOTE

    • Do not select the check box of All users. Otherwise, the administrator is locked out.
    • Select the users who will sign in to the Teams phones with their accounts and complete the Intune authentication after you finish setting up conditional access and device compliance.
    • After you select the users, you can also click  > Remove to delete the selected users.

  5. Under the Cloud apps or actions field, select the desired apps or actions to which this policy applies.
  6. Under the Conditions field, set the device platform to which this policy applies.

    NOTE

    • If you want to restrict the login location, you can set the Locations under the Conditions tab.
    • Select Android as the device platform because the operating system of Teams phone is Android.

  7. Under the Grant field, select the controls to be enforced.

  8. Enable this policy and click Create.

Step 3 – Set Device Compliance

  1. Sign in to the Microsoft Endpoint Manager admin center as an admin.
  2. Go to Endpoint security > Device compliance > Policies > Create policy.
  3. Select a Platform for this policy and click Create. You can choose a platform according to your enterprise enrollment methods for Android devices.
  4. Under the Basics tab, specify a Name that helps you identify it later and click Next.
  5. Under the Compliance settings tab, set the following settings and click Next.
    1. Set the device health:
    2. Set the operating system version:
    3. Set the system security:
  6. Under the Assignments tab, assign this policy to the desired groups to which the users belong and click Next.

    NOTE

    Do not assign this policy to all users. Otherwise, the administrator is locked out.

  7. Click Create.
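The same Conditional Access and compliance policies from Step 2 and Step 3, expressed as Microsoft Graph request bodies, as an added example that is not part of this guide. It builds the two bodies and lints the Conditional Access one against the pitfalls the notes above warn about before you send it. The group IDs are constructed placeholders, the break-glass exclusion group, the "All" application scope and the report-only initial state are assumptions beyond what the guide shows.

```python
import json

# Constructed placeholder object IDs; replace with your tenant's group IDs.
TEAMS_PHONE_USERS_GROUP = "11111111-1111-1111-1111-111111111111"
BREAK_GLASS_ADMINS_GROUP = "22222222-2222-2222-2222-222222222222"  # assumed exclusion group


def build_conditional_access_policy(name, include_group, exclude_group,
                                    state="enabledForReportingButNotEnforced"):
    """Step 2 as a Graph conditionalAccessPolicy body (POST /identity/conditionalAccess/policies)."""
    return {
        "displayName": name,
        "state": state,  # switch to "enabled" once the report-only results look right
        "conditions": {
            "users": {"includeGroups": [include_group], "excludeGroups": [exclude_group]},
            "applications": {"includeApplications": ["All"]},  # narrow to the apps you chose
            "platforms": {"includePlatforms": ["android"]},    # Teams phones run Android
        },
        "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
    }


def build_compliance_policy(name, min_os="9.0"):
    """Step 3 as a Graph androidDeviceOwnerCompliancePolicy body
    (POST /deviceManagement/deviceCompliancePolicies); the OS floor matches the 9.0 example."""
    return {
        "@odata.type": "#microsoft.graph.androidDeviceOwnerCompliancePolicy",
        "displayName": name,
        "osMinimumVersion": min_os,
        # Graph requires at least one scheduled action on a compliance policy.
        "scheduledActionsForRule": [{
            "ruleName": "PasswordRequired",
            "scheduledActionConfigurations": [{"actionType": "block", "gracePeriodHours": 0}],
        }],
    }


def lint_conditional_access(policy):
    """Return the guide's pitfalls found in a policy body; an empty list means it passes."""
    problems = []
    users = policy["conditions"]["users"]
    if "All" in users.get("includeUsers", []) and not users.get("excludeGroups"):
        problems.append("targets All users with no excluded admin group (admin lockout)")
    if not users.get("includeGroups") and "All" not in users.get("includeUsers", []):
        problems.append("no users or groups targeted")
    if policy["conditions"].get("platforms", {}).get("includePlatforms") != ["android"]:
        problems.append("platform condition is not Android only")
    if "compliantDevice" not in policy.get("grantControls", {}).get("builtInControls", []):
        problems.append("grant control does not require a compliant device")
    return problems


if __name__ == "__main__":
    ca = build_conditional_access_policy("MTRoA - require compliant Android",
                                         TEAMS_PHONE_USERS_GROUP, BREAK_GLASS_ADMINS_GROUP)
    print(lint_conditional_access(ca), json.dumps(ca, indent=2))
```

Send each body with an access token that has the matching Graph permissions (Policy.ReadWrite.ConditionalAccess and DeviceManagementConfiguration.ReadWrite.All); keeping the policy in report-only state first lets you read the sign-in logs before anyone is blocked.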

Check the Status of the Compliance Policy

After you apply your policy, you can check the compliance status of the devices and users it targets.

  1. Sign in to the Microsoft Endpoint Manager admin center as an admin.
  2. Go to Devices > Compliance policies.
  3. Click the name of the policy you created.
  4. Click Device status or User status to check the corresponding compliance status.

Check the Sign-In Logs

After you apply your policy, you can see the device sign-in status.

  1. Sign in to the Azure Active Directory admin center as an admin.
  2. Go to Azure Active Directory > Monitoring > Sign-in logs.
  3. Click the log to see more detailed information. For example, check the sign-in error code to find out why a user failed to sign in. For other activity details, see Microsoft's doc on Sign-in logs in Azure Active Directory.
