Microsoft Teams: How to overcome challenges with Windows Information Protection & Conditional Access
Recently Microsoft announced Microsoft Teams, a new chat-based platform in Office 365. For all mobile platforms (Android, iOS and Windows 10 Mobile) Microsoft released a native app, as well as a desktop app for Windows 10 and Mac OS X. The Microsoft Teams apps can be downloaded here. After I installed the Microsoft Teams desktop app on Windows 10 I bumped into the following funny message: ‘Yikes! Looks like someone pulled the plug on the internet’.
Windows Information Protection
I suspect Windows Information Protection (WIP) pulled the plug. Therefore we have to define Microsoft Teams as a managed app in order for it to work properly. Because we use our cloud identity (Work or School account) to access Microsoft Teams, we have to add Microsoft Teams as a managed (trusted) app, allowing it to use our corporate identity. Normally this is a straightforward process; however, the current preview version of the Microsoft Teams desktop app doesn’t have all product properties (product name and file name) embedded, so a Windows Information Protection policy can’t be configured for it properly.
I’ve created a UserVoice item to get this solved in the final version (if it won’t be a universal app), so feel free to vote it up!
The (temporary) workaround in our case was to add only the information that is available (publisher and version), in order to keep the scope as tight as possible to Microsoft Teams. (The chance of also allowing another Microsoft desktop app with exactly the same version should be minimal.)
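As an added example (not from the original post), the PowerShell below reads the signature and version resource of the Teams executable to confirm which properties are empty, then writes an AppLocker-format publisher rule of the shape WIP imports for desktop apps, with product and binary name wildcarded and the version pinned. The install path is an assumption; the publisher string and version are taken from the binary rather than typed in.

```powershell
# Added example: build a WIP (AppLocker-format) publisher rule scoped to
# publisher + version only, because the preview client lacks product/file names.
# Assumption: the per-user install path of the preview desktop client.
$exe = Join-Path $env:LOCALAPPDATA 'Microsoft\Teams\current\Teams.exe'

# AppLocker's view of the file: PublisherName in the form WIP expects,
# plus ProductName / BinaryName / BinaryVersion from the version resource.
$info = Get-AppLockerFileInformation -Path $exe
$pub  = $info.Publisher
if ($null -eq $pub) { throw "$exe is not Authenticode-signed; a publisher rule is not possible." }
$pub | Format-List PublisherName, ProductName, BinaryName, BinaryVersion

# Cross-check with the raw version resource; an empty ProductName /
# FileDescription is exactly the gap described above.
(Get-Item $exe).VersionInfo | Format-List ProductName, FileDescription, FileVersion

if ([string]::IsNullOrEmpty($pub.ProductName)) {
    Write-Warning 'No product name embedded; falling back to a publisher + version rule.'
}

# Wildcard the missing names and pin Low/HighSection to this build so the
# rule matches only this version (widen HighSection later to cover updates).
$version = $pub.BinaryVersion.ToString()
$rule = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Microsoft Teams (preview)" Description="Publisher + version only; product and binary name are not embedded" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="$($pub.PublisherName)" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="$version" HighSection="$version" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
"@

# Import this file as a desktop app rule in the WIP policy.
$out = Join-Path $env:TEMP 'Teams-WIP-rule.xml'
$rule | Set-Content -Path $out -Encoding UTF8
Write-Output "Rule written to $out"
```

Re-run it after each preview update and widen `HighSection` only once you have confirmed the new build still carries no product name, otherwise a tighter product-name rule becomes possible.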
Conditional Access for SharePoint Online
In addition to Windows Information Protection we bumped into another challenge: Conditional Access. Once successfully logged in to Microsoft Teams we were facing the message below. Access to Microsoft Teams was prohibited because we didn’t meet the compliance status. Odd, if you ask me, because we hadn’t set up a particular Conditional Access policy rule for Microsoft Teams (also known as Skype Teams).
This should be something related to Office 365, as Microsoft Teams is part of that platform. Thanks to fellow MVP Maxime Rastello, who pointed out that we had configured Conditional Access for SharePoint Online through Microsoft Intune. We initially enabled Conditional Access for SharePoint Online for all platforms, including Android, iOS, Windows 10 Mobile and Windows 10. For some reason Conditional Access can’t correctly determine whether a Windows 10 device is domain joined and/or compliant. As my Windows 10 laptop is domain joined (Azure AD joined) we should be good here.
As a temporary workaround we disabled Conditional Access for Windows 10; the Microsoft Teams desktop app now appears to be working as expected. All other (mobile) platforms mentioned before are working fine. I’ve noticed this behavior also occurs with other SaaS applications in combination with Windows 10.
The current preview version of the Teams desktop app seems to lack support for device-based authentication/Conditional Access. Given that this feature is not in the current native app and had to be added, it may be fair to assume that there are other dependencies in the native apps (possibly ADAL versions or the like) involved, and that Teams may not have the right login components integrated to allow this to work. Currently Teams seems to be an app framework that uses the web-based log-in flow, as you would with a native web browser; however, the client user agent most likely isn’t identified as Edge or Internet Explorer but as Mozilla, and Conditional Access doesn’t support Chrome as a trusted browser.
Ideally, Microsoft Teams should just work if you have your device registered and/or compliant; there would not be a technology limitation preventing it. The fact that Microsoft Teams is not clearly separated from SharePoint in the policy engine is also a bit of a challenge. While it kind of makes sense that, for example, OneDrive for Business and SharePoint share the same Conditional Access policy, it is much harder to figure out why Teams would get bundled in there.
Many thanks to Maxime Rastello and Joe Kaplan for sharing their insights.
No need to disable the policy. Simply uncheck “Block non-compliant devices on same platform as outlook”, found under Outlook Web Access (OWA) in the Intune classic portal (manage.microsoft.com). This will allow users to use the web browser to log in to OWA in addition to allowing them to log in to teams.microsoft.com, so be aware. Microsoft, fix your shiz…. Teams is not OWA.