An issue that keeps coming up increasingly as users are rolling out Microsoft Teams Rooms on Android (MTRoA), Teams Phone, Teams Panel or Teams Displays, they are struggling to get the device signed in. This is usually because there is a security policy in place to block Android device enrolment of sorts.
The first pre-requisite that is obvious, is that you must allow your outbound firewall traffic to the Microsoft servers where Microsoft Teams is hosted. (Thanks to Jonathan Davies for reminding me of that one)
If you view the Azure AD Logs for the user account you are troubleshooting, then it may well show the issues. You can see this below.
And when we drill down into this error, it is showing Error Code 50199. However, it is not telling us what to check for this error.
Now this error can relate to several things. In the past it was an issue with not having an Azure P1 license assigned to a meeting room license if you are using Conditional Access policies. However, Microsoft now include this license with all Standard and Premium Room licenses. See below for ensuring that you have assigned the P1 license.
Once you have checked the licenses, then the next thing is to check the Endpoint Manager settings and what enrollment methods are allowed.
Microsoft Teams Devices namely, Teams phones, Teams Displays, Teams panels, Teams Rooms based on the Android operating system, (PS, it’s not an Android phone, it’s an appliance) all register using Android device administrator, or ADA for short. Even though the devices are built on the Android Open Source Project (AOSP), the Teams devices are not yet compatible with this registration method.
As you can see above, I have enabled Use device administrator to manage devices. On new tenants, this is disabled by default, which is why you are reading this blog post.
That is one hurdle done. You can try and sign the device in now. If that is failing, the next one will be finding out which Conditional Access, Compliance and/or Configuration profiles are blocking or restricting successful sign-in on your Teams devices.
Thankfully Endpoint Manager has a What If tool, so you can test the account and see what is causing the sign in failure. Simply navigate as per below to open the What If tool.
Michael Tressler recorded an informative video overview which I’ve embedded below on device enrolment policies with Endpoint Manager.
That is all for now. Any questions, feel free to post below.
About the Author:
Walsh, G. (2022). How to solve Microsoft Teams Android based devices failing to sign in with Intune. Error 50199 in Azure AD Logs. Available at: https://www.thegrahamwalsh.com/microsoft-teams-android-based-devices-failing-to-sign-in-with-intune-error-50199-in-azure-ad-logs/ [Accessed: 14th September 2022].