As part of its Secure Future Initiative, Microsoft has deployed a new Entra ID Conditional Access policy targeting Device Code Flow authentication. Unfortunately, the policy has caused some Microsoft Teams-certified Android devices (Teams Rooms on Android, Teams Phones, Teams Panels, and Teams Displays) to be logged out, and signing back in can be a bit fiddly, so guidance has been shared.
Microsoft said that it had previously shared guidance explaining how to exclude Android devices, but it seems some admins didn’t catch this, as many devices were not excluded and have been signed out. It’s important to realize that this is not a bug; it’s a security feature. However, the move could have been better communicated.
You can sign the devices back in manually. However, if the devices are remote, you’ll need to follow these steps:
1. Log in to the Entra ID portal (https://www.entra.microsoft.com), navigate to your Conditional Access policies, and edit the Microsoft-managed Conditional Access policy called "Block device code flow", changing the state from "On" to "Report-Only" or "Off". Once you've modified this policy, it will not activate again in your tenant.
2. Once the policy has been modified, reboot your Teams Android devices to force them to sign in (you may need to reboot up to 3 times).
3. If rebooting the device fails, attempt to manually sign the device back in using valid Teams resource account credentials. If that also fails, you will need to factory reset the device to clear the invalid authentication state.
4. After restoring functionality, please ensure your devices are running the latest Teams application:
   - Teams Rooms on Android (both the compute and the console): 1449/1.0.96.2025205603
   - Teams Panel: 1449/1.0.97.2025086303
   - Teams Phone: 1449/1.0.94.2025165302
   - Teams Display: 1449/1.0.95.2024062804
Disabling the “Block device code flow” policy in step 1 changes everything back to how it was before Microsoft enabled the policy to boost security. This will allow you to get the affected Android devices logged back in. Also pay special attention to step 2, which says you might need to reboot your device three times.
Once you have your Android devices logged in again, it’s probably a good idea to follow Microsoft’s previous guidance and add them to an exclusion list before re-enabling the “Block device code flow” policy.
Microsoft recommends allowing device code flow (DCF) only where it’s absolutely necessary and blocking it elsewhere. The best thing to do is to add your Teams Android devices to the exclusion list; this will allow these devices to operate normally while boosting overall security. If you’re an admin and have been impacted by this, be sure to take proactive measures to avoid disruptions in the future.
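Before the policy goes back to "On", it is worth confirming that every Teams Android resource account really falls outside its scope. The script below is an added example, not Microsoft's tooling or part of the original post: it audits a constructed sample shaped like a Microsoft Graph `conditionalAccessPolicy` export. The account and group IDs are placeholders, and exclusion by user or group is an assumption about how the exclusion list is configured.

```python
import json

# Constructed sample shaped like a Microsoft Graph conditionalAccessPolicy export
# (GET /identity/conditionalAccess/policies). All IDs are made-up placeholders.
SAMPLE_POLICIES = json.loads("""[
  {"displayName": "Block device code flow", "state": "enabledForReportingButNotEnforced",
   "conditions": {"users": {"includeUsers": ["All"], "excludeGroups": ["grp-teams-android"]},
                  "authenticationFlows": {"transferMethods": "deviceCodeFlow"}},
   "grantControls": {"builtInControls": ["block"]}},
  {"displayName": "Require MFA for admins", "state": "enabled",
   "conditions": {"users": {"includeUsers": ["All"]}},
   "grantControls": {"builtInControls": ["mfa"]}}
]""")

# Hypothetical Teams resource accounts mapped to the groups they belong to.
ACCOUNT_GROUPS = {
    "room-boardroom": {"grp-teams-android"},
    "phone-lobby": set(),  # not yet added to the exclusion group
}

def blocks_device_code_flow(policy):
    """True if the policy targets device code flow and its grant control is block."""
    flows = (policy.get("conditions") or {}).get("authenticationFlows") or {}
    # transferMethods is a flags enum serialized as a comma-separated string.
    methods = {m.strip() for m in (flows.get("transferMethods") or "").split(",")}
    controls = (policy.get("grantControls") or {}).get("builtInControls") or []
    return "deviceCodeFlow" in methods and "block" in controls

def account_in_scope(policy, account, groups):
    """True if the account is included by the policy and not excluded from it."""
    u = (policy.get("conditions") or {}).get("users") or {}
    ids = lambda key: set(u.get(key) or [])
    included = ("All" in ids("includeUsers") or account in ids("includeUsers")
                or groups & ids("includeGroups"))
    excluded = account in ids("excludeUsers") or groups & ids("excludeGroups")
    return bool(included) and not excluded

def accounts_at_risk(policies, account_groups):
    """Map each device-code-flow block policy to (state, accounts still in scope)."""
    report = {}
    for p in policies:
        if blocks_device_code_flow(p):
            hit = sorted(a for a, g in account_groups.items() if account_in_scope(p, a, g))
            report[p["displayName"]] = (p["state"], hit)
    return report

if __name__ == "__main__":
    for name, (state, hit) in accounts_at_risk(SAMPLE_POLICIES, ACCOUNT_GROUPS).items():
        print(f"{name} [{state}]: still in scope -> {hit or 'none'}")
```

Any account listed as still in scope would be signed out again once the policy state returns to "On".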