
Microsoft Partner Network

Where Microsoft's CSP, MSP, SI, and ISV partners seek new opportunities and learn from each other

Visitor 1

MFA requirement for Partners and Teams Meeting Rooms

Hi Guys,

 

In our tenancy we have accepted the Microsoft Security Defaults but we have a small issue. When creating a Teams Resource user for Video Conferencing (i.e. a Room), the user cannot sign in to the Teams Console on the VC unit. When looking at the log in Azure, the reason code is because of Policy (Security Defaults). How do I get around this? I have to have MFA enabled for all users but the Room user doesn't seem to work with MFA enabled. I thought that maybe the user needed to register for MFA first, so I tried an interactive logon and MFA registration for the room, but this didn't help at all - same error (53003 - "Access Blocked due to conditional access policy", then under the Conditional Access tab it lists Security Defaults as the policy). Any help greatly appreciated.

Community Manager

Re: MFA requirement for Partners and Teams Meeting Rooms

Hi @glennr ,

 

Thank you for sharing this matter with the Microsoft Partner Community!

I have seen a thread that approached this topic. Please see the last comment; it contains the latest updates and guidance: https://www.microsoftpartnercommunity.com/t5/Multi-Factor-Authentication-MFA/The-new-MFA-for-Partners-requirements-what-will-that-do-to-our/td-p/11161/page/2

 

Have a great day ahead,

Andra

 

Microsoft

Re: MFA requirement for Partners and Teams Meeting Rooms

@glennr :

Since a lot of different scenarios were discussed in the other thread, the short answer for you: you cannot use Azure AD Security Defaults when you want to have Teams Rooms devices (and if you want them to still work).

 

You need to enable MFA using a different method - either enabling MFA for each of the other user accounts directly (and disabling AAD Security Defaults) or using Conditional Access to enforce MFA for all other users. Both methods require licenses for each protected user, e.g. Azure AD Premium Plan1. While from a contract perspective making an exception is not compliant, technically this is possible for this scenario since those accounts will not be hit by any technical enforcement.

 

For Teams Rooms, an update to allow Modern Authentication is planned, but there is no confirmed release date (maybe Q1, maybe later).

 

When you use one of the other methods for MFA, be aware that the Azure AD Connect Sync Account is also affected, so this also needs to be excluded.
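
The Conditional Access approach described in the reply above, as an added example that is not part of the original thread: a small audit that checks an exported policy (Microsoft Graph `conditionalAccessPolicy` JSON shape) still requires MFA for all users and excludes only the Teams Room and Azure AD Connect sync accounts. The object IDs are placeholders and the sample policy is constructed; `audit_mfa_policy` is a hypothetical helper name.

```python
# Placeholder object IDs (assumptions); substitute the tenant's real ones.
ROOM_ID = "<teams-room-account-object-id>"
SYNC_ID = "<aad-connect-sync-account-object-id>"
APPROVED_EXCLUSIONS = {ROOM_ID, SYNC_ID}

# Constructed sample in the Microsoft Graph conditionalAccessPolicy shape.
SAMPLE_POLICY = {
    "displayName": "Require MFA for all users (constructed example)",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": [ROOM_ID, SYNC_ID]},
        "applications": {"includeApplications": ["All"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}


def audit_mfa_policy(policy, approved=APPROVED_EXCLUSIONS):
    """Return findings; an empty list means the policy matches the intent."""
    findings = []
    users = policy.get("conditions", {}).get("users", {})
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls", [])
    excluded = set(users.get("excludeUsers", []))
    if policy.get("state") != "enabled":
        findings.append("policy is not enforced (state=%r)" % policy.get("state"))
    if "All" not in users.get("includeUsers", []):
        findings.append("policy does not target all users")
    if "mfa" not in controls:
        findings.append("policy does not require MFA")
    elif grant.get("operator") == "OR" and len(controls) > 1:
        findings.append("MFA is only one of several OR'd grant controls")
    # Exclusions should be exactly the accounts that cannot complete MFA.
    for uid in sorted(excluded - set(approved)):
        findings.append("unapproved user exclusion: " + uid)
    for uid in sorted(set(approved) - excluded):
        findings.append("expected exclusion missing: " + uid)
    for key in ("excludeGroups", "excludeRoles"):
        if users.get(key):
            findings.append(key + " is set; review who it covers")
    return findings


if __name__ == "__main__":
    print(audit_mfa_policy(SAMPLE_POLICY) or "no findings")
```

Running it on a schedule against the exported policy catches exclusions that were added later and never reviewed.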