Microsoft’s New Entra ID Policy Affects Teams-Certified Android Devices
As part of its Secure Future Initiative, Microsoft has implemented a new Conditional Access policy targeting Device Code Flow (DCF) authentication within Entra ID. This move has resulted in unintended sign-outs for several certified Microsoft Teams Android devices, including Teams Rooms on Android, Teams Phones, Teams Panels, and Teams Displays. Acknowledging this challenge, Microsoft has provided guidance on effectively managing the sign-in process.
Understanding the Issue
Despite prior notifications urging administrators to exclude Android devices from this new policy, many have inadvertently overlooked these instructions. Consequently, numerous devices have faced sign-out issues. It is crucial to note that this situation arises not from a technical malfunction, but reflects an intentional security enhancement. However, the communication surrounding this update could have been clearer.
Steps to Reauthenticate Your Devices
If your devices have been logged out, they can be reauthenticated through manual intervention. For remote devices, please follow these comprehensive steps:
- Access the Entra ID portal at https://www.entra.microsoft.com. Locate your conditional access policies and edit the Microsoft-managed policy titled “Block device code flow”.Change its status from “On”to either “Report-Only”or “Off”.Note that once altered, this policy will not activate again in your tenant.
- After updating the policy, restart your Teams Android devices to initiate a sign-in process (you may need to reboot the device up to three times).
- If the reboot does not resolve the issue, attempt manual sign-in using valid Teams resource account credentials. Should this fail as well, a factory reset of the device may be necessary to clear the invalid authentication state.
- Finally, confirm that your devices are updated to the latest version of the Teams application:
- Teams Rooms on Android (compute and console): 1449/1.0.96.2025205603
- Teams Panel: 1449/1.0.97.2025086303
- Teams Phone: 1449/1.0.94.2025165302
- Teams Display: 1449/1.0.95.2024062804
Restoring Access and Preventing Future Issues
By disabling the “Block device code flow” policy as stated in step one, you can revert your environment to its previous state prior to Microsoft’s security upgrade. Ensure close attention to step two, which advises that up to three reboots may be necessary for successful sign-in.
Once your devices are back online, consider implementing preventive measures by adhering to Microsoft’s prior guidance. Adding these devices to an exclusion list will allow them to function smoothly while maintaining enhanced security through the policy’s reactivation.
Microsoft advocates for the selective use of DCF, recommending that it be permitted only when absolutely necessary, while blocking it in other scenarios. For administrators who have been affected by this policy shift, taking proactive steps can prevent similar disruptions in the future.
Leave a Reply