Supported Conditional Access and Intune device compliance policies for Microsoft Teams Rooms and Teams Android Devices

Article
2025-05-16
Applies to: Microsoft Teams

This article provides supported Conditional Access and Intune device compliance policies for Microsoft Teams Rooms. For best practices and example policies, see Conditional Access and Intune compliance best practices for Microsoft Teams Rooms.

Supported Conditional Access policies

The following list includes the supported Conditional Access policies for Teams Rooms on Windows and Android as well as Teams panels and phones.

Important

While configuring certain policies might be supported, they may lead to less than desired experiences on your devices, test, and confirm configurations function as intended before deploying at scale. For instance, using the sign-in frequency policy causes devices to periodically sign out and may not be desired. Likewise, configuring sign-in frequency on individual Microsoft 365 services can interrupt or stop the Teams Device sign in flow and isn't supported. Also, blocking Device Code Flow prevents using microsoft.com/devicelogin to remotely sign-in a Teams Android device.

Assignment	Teams Rooms on Windows	Teams Rooms on Android / Teams phone / Teams Panels
Users	Supported	Supported
Target Resources	Supported (For functionality, don't block access to: Office 365, Office 365 SharePoint Online, Microsoft Teams Services, & Device Registration Service)	Supported (For functionality, don't block access to: Office 365, Office 365 SharePoint Online, Microsoft Teams Services, & Device Registration Service)
Network	Supported	Supported
Conditions
User risk	Supported	Supported
Sign-in risk	Supported	Supported
Insider risk	Not supported	Not supported
Device platforms	Supported	Supported
Locations	Supported	Supported
Client apps	Supported	Supported
Filter for devices	Supported	Supported
Authentication flows	Supported	Supported To use remote sign-in, don't block Device code flow.
Grant
Block access	Supported	Supported
Grant access	Supported	Supported
Require multifactor authentication	Not supported	Supported To enable seamless sign-on, don't enforce this policy, use a different secondary authentication factor.
Require authentication strength	Not supported	Not supported
Require device to be marked as compliant	Supported	Supported
Require Microsoft Entra hybrid joined device	Not supported	Not supported
Require approved client app	Not supported	Not supported
Require app protection policy	Not supported	Not supported
Require password change	Not supported	Not supported
Sessions
Use app enforced restrictions	Not supported	Not supported
Use Conditional Access App Control	Not supported	Not supported
Sign-in frequency	Supported	Supported
Persistent browser session	Not supported	Not supported
Customize continuous access evaluation	Not supported If you check the box, it must be set to Disable or you'll experience instability	Not supported If you check the box, it must be set to Disable or you'll experience instability
Disable resiliency defaults	Not supported	Not supported
Require token protection for sign-in sessions (Preview)	Not supported	Not supported

Note

Authentication strength including but not limited to, FIDO2 Security keys, isn't supported for use with Conditional Access policies that affect all Teams Devices.

Supported device compliance policies

Microsoft Teams Rooms on Windows and Teams Rooms on Android support different device compliance policies.

Supported device compliance settings and recommendations for their use with Teams Rooms on Windows.

Policy	Availability	Notes
Device health	--	--
Require BitLocker	Supported	Only use if BitLocker is enabled first.
Require Secure Boot to be enabled on the device	Supported	Secure Boot is a requirement for Teams Rooms.
Require code integrity	Supported	Code integrity is already a requirement for Teams Rooms.
Device Properties --
Operating System Version (minimum, maximum)	Not supported	Teams Rooms automatically will update to newer versions of Windows and setting values here could prevent successful sign-in after an OS update.
OS version for mobile devices (minimum, maximum)	Not supported.
Valid operating system builds	Not supported
Configuration Manager Compliance	--	--
Require device compliance from Configuration Manager	Supported
System security	--	--
All password policies	Not supported	Password policies can prevent the local Skype account from automatically signing in.
Require encryption of data storage on device.	Supported	Only use if BitLocker is enabled first.
Firewall	Supported	Firewall is already a requirement for Teams Rooms
Trusted Platform Module (TPM)	Supported	Trusted Platform Module (TPM) is already a requirement for Teams Rooms.
Antivirus	Supported	Antivirus (Windows Defender) is already a requirement for Teams Rooms.
Antispyware	Supported	Antispyware (Windows Defender) is already a requirement for Teams Rooms.
Microsoft Defender Anti-malware	Supported	Microsoft Defender Anti-malware is already a requirement for Teams Rooms.
Microsoft Defender Anti-malware minimum version	Not supported.	Teams Rooms will automatically update this component so there's no need to set compliance policies.
Microsoft Defender Anti-malware security intelligence up-to-date	Supported	Validate that Microsoft Defender Anti-malware is already a requirement for Teams Rooms.
Real-time protection	Supported	Real-time protections are already a requirement for Teams Rooms.
Microsoft Defender for Endpoint	--	--
Require the device to be at or under the machine risk score.	Supported

Supported device compliance settings for Teams Rooms on Andorid devices enrolled with AOSP Device Management (AOSP DM).

Policy	Availability	Notes
Device Health	--	--
Rooted devices	Supported
Device properties	--	--
Operating System Version (minimum, maximum)	Supported
Minimum security patch level	Supported
System security	--	--
Require a password to unlock mobile devices	Not supported	Teams Devices don't support a password unlock.
Required password type	Not supported	Teams Devices don't support a password unlock.
Maximum minutes of inactivity before password is required	Not supported	Teams Devices don't support a password unlock.
Require encryption of data storage on device.	Supported

Supported device compliance settings for Teams phone and displays enrolled with AOSP Device Management (AOSP DM).

Policy	Availability	Notes
Device Health	--	--
Rooted devices	Supported
Device properties	--	--
Operating System Version (minimum, maximum)	Supported
Minimum security patch level	Supported
System security	--	--
Require a password to unlock mobile devices	Not supported	Teams Devices don't support a password unlock.
Required password type	Not supported	Teams Devices don't support a password unlock.
Maximum minutes of inactivity before password is required	Not supported	Teams Devices don't support a password unlock.
Require encryption of data storage on device.	Supported

Supported device compliance settings for Teams panels enrolled with AOSP Device Management (AOSP DM).

Policy	Availability	Notes
Device Health	--	--
Rooted devices	Supported
Device properties	--	--
Operating System Version (minimum, maximum)	Supported
Minimum security patch level	Supported
System security	--	--
Require a password to unlock mobile devices	Not supported	Teams Devices don't support a password unlock.
Required password type	Not supported	Teams Devices don't support a password unlock.
Maximum minutes of inactivity before password is required	Not supported	Teams Devices don't support a password unlock.
Require encryption of data storage on device.	Supported

Device compliance settings and recommendations for their use with Teams Rooms on Android devices enrolled using Android Device Administrator (ADA).

Policy	Availability	Notes
Microsoft Defender for Endpoint	--	--
Require the device to be at or under the machine risk score	Not supported
Device Health	--	--
Device managed with device administrator	Required	Teams Android devices management requires device administrator to be enabled.
Rooted devices	Supported
Require the device to be at or under the device threat level	Not supported
Google Play Protect	--	--
Google Play Services is configured	Not supported	Google play isn't installed on Teams Android devices.
Up-to-date security provider	Not supported	Google play isn't installed on Teams Android devices.
Threat scan on apps	Not supported	Google play isn't installed on Teams Android devices.
SafetyNet device attestation	Not supported	Google play isn't installed on Teams Android devices.
Device properties	--	--
Operating System Version (minimum, maximum)	Supported
System security	--	--
Require encryption of data storage on device.	Supported
Device security	--	--
Block apps from unknown sources	Not supported	Only Teams admins install apps or OEM tools
Company Portal app runtime integrity	Supported
Restricted apps	Not supported
Block USB debugging on device	Not Supported	Not Applicable. ADB enablement isn't allowed on production devices.
*All Android devices	--	--
Maximum minutes of inactivity before password are required	Not supported
Require a password to unlock mobile devices	Not supported
Android 10 and later	--	--
Android 9 and earlier or Samsung Knox	--	--
Required password type	Not supported

Device compliance settings and recommendations for their use with Teams phones and displays enrolled using Android Device Administrator (ADA).

Policy	Availability	Notes
Microsoft Defender for Endpoint	--	--
Require the device to be at or under the machine risk score	Not supported
Device Health	--	--
Device managed with device administrator	Required	Teams Android devices management requires device administrator to be enabled.
Rooted devices	Supported
Require the device to be at or under the device threat level	Not supported
Google Play Protect	--	--
Google Play Services is configured	Not supported	Google play isn't installed on Teams Android devices.
Up-to-date security provider	Not supported	Google play isn't installed on Teams Android devices.
Threat scan on apps	Not supported	Google play isn't installed on Teams Android devices.
SafetyNet device attestation	Not supported	Google play isn't installed on Teams Android devices.
Device properties	--	--
Operating System Version (minimum, maximum)	Supported
System security	--	--
Require encryption of data storage on device.	Supported
Device security	--	--
Block apps from unknown sources	Not supported	Only Teams admins install apps or OEM tools
Company Portal app runtime integrity	Supported
Restricted apps	Not supported
Block USB debugging on device	Not Supported	Not Applicable. ADB enablement isn't allowed on production devices.
*All Android devices	--	--
Maximum minutes of inactivity before password are required	Not supported
Require a password to unlock mobile devices	Not supported
Android 10 and later	--	--
Android 9 and earlier or Samsung Knox	--	--
Required password type	Not supported

Device compliance settings and recommendations for their use with Teams panels enrolled using Android Device Administrator (ADA).

Policy	Availability	Notes
Microsoft Defender for Endpoint	--	--
Require the device to be at or under the machine risk score	Not supported
Device Health	--	--
Device managed with device administrator	Required	Teams Android devices management requires device administrator to be enabled.
Rooted devices	Supported
Require the device to be at or under the device threat level	Not supported
Google Play Protect	--	--
Google Play Services is configured	Not supported	Google play isn't installed on Teams Android devices.
Up-to-date security provider	Not supported	Google play isn't installed on Teams Android devices.
Threat scan on apps	Not supported	Google play isn't installed on Teams Android devices.
SafetyNet device attestation	Not supported	Google play isn't installed on Teams Android devices.
Device properties	--	--
Operating System Version (minimum, maximum)	Supported
System security	--	--
Require encryption of data storage on device.	Supported
Device security	--	--
Block apps from unknown sources	Not supported	Only Teams admins install apps or OEM tools
Company Portal app runtime integrity	Supported
Restricted apps	Not supported
Block USB debugging on device	Not Supported	Not Applicable. ADB enablement isn't allowed on production devices.
*All Android devices	--	--
Maximum minutes of inactivity before password are required	Not supported
Require a password to unlock mobile devices	Not supported
Android 10 and later	--	--
Android 9 and earlier or Samsung Knox	--	--
Required password type	Not supported

Share via

Supported Conditional Access and Intune device compliance policies for Microsoft Teams Rooms and Teams Android Devices

Supported Conditional Access policies

Supported device compliance policies

Feedback

Additional resources