Last Updated on April 13, 2021 by GrahamWalsh
A question I get asked a lot is how to troubleshoot Microsoft Teams Android-based devices, namely Teams phones and Teams panels. These devices run a mix of Android versions such as 8.1, 9.0 etc. Some organisations might have Microsoft Azure Conditional Access policies in place to prevent sign-in from older devices. They may also have Endpoint Manager (previously Intune) with policies preventing sign-in.
I’m no Endpoint Manager/Conditional Access policy expert, but I created a conditional access policy to block the Microsoft Teams app from signing in from Android devices. Here is what I set in the Azure portal.

Now when I try and sign in from a Crestron MM30-TA conference phone (running Android 9.0), it just hangs here on this screen. Unfortunately, this doesn’t help much with troubleshooting.

If I head over to Endpoint Manager, I can go to the Troubleshooting + Support section and filter on the user trying to sign in. You can see at the bottom that there are Enrolment Failures. Again, the error here doesn’t help much 🙁

If I move over to a Microsoft Teams panel, the Crestron TSS-1070 (running Android 8.1), I get a more useful error on the display.

If I click on More details, then this provides more guidance and IDs that you could search Azure/Endpoint Manager for.

However, if you head over to your Azure portal and look for the user trying to sign in, head to Activity on the left pane and then select Sign-ins. This now provides what you might be looking for. As you can see here, the Failure Reason is saying Access has been blocked by Conditional Access policies. So this will help narrow down what might be causing the issue.

We can then look at another table within the error to drill down further and see which Conditional Access policy is causing the issue.
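The same drill-down can be done offline on exported sign-in records. The sketch below is an added example, not part of the original post: it assumes records shaped like the Microsoft Graph `signIn` resource, and the users, policy names and sample records are constructed for illustration.

```python
# Constructed sample records shaped like the Microsoft Graph signIn resource.
SAMPLE_SIGNINS = [
    {
        "userPrincipalName": "panel01@contoso.example",  # constructed
        "appDisplayName": "Microsoft Teams",
        "deviceDetail": {"operatingSystem": "Android"},
        "status": {"failureReason":
                   "Access has been blocked by Conditional Access policies."},
        "conditionalAccessStatus": "failure",
        "appliedConditionalAccessPolicies": [
            {"displayName": "Block Teams on Android", "result": "failure",
             "enforcedGrantControls": ["Block"]},
            {"displayName": "Require compliant device (report-only)",
             "result": "reportOnlyFailure", "enforcedGrantControls": []},
            {"displayName": "Require MFA for admins", "result": "notApplied",
             "enforcedGrantControls": []},
        ],
    },
    {
        "userPrincipalName": "alice@contoso.example",  # constructed
        "appDisplayName": "Microsoft Teams",
        "deviceDetail": {"operatingSystem": "Windows"},
        "status": {"errorCode": 0},
        "conditionalAccessStatus": "success",
        "appliedConditionalAccessPolicies": [
            {"displayName": "Block Teams on Android", "result": "notApplied",
             "enforcedGrantControls": []},
        ],
    },
]

def blocking_policies(signin):
    """Policies that actually failed this sign-in.

    Only result == "failure" blocks; "reportOnlyFailure" is logged but not
    enforced, and "notApplied" means the conditions did not match.
    """
    return [
        {"policy": p.get("displayName"),
         "controls": p.get("enforcedGrantControls") or []}
        for p in signin.get("appliedConditionalAccessPolicies") or []
        if p.get("result") == "failure"
    ]

def blocked_signins(records):
    """One summary row per sign-in that Conditional Access blocked."""
    return [
        {"user": r.get("userPrincipalName"),
         "app": r.get("appDisplayName"),
         "os": (r.get("deviceDetail") or {}).get("operatingSystem"),
         "reason": (r.get("status") or {}).get("failureReason"),
         "blocked_by": blocking_policies(r)}
        for r in records
        if r.get("conditionalAccessStatus") == "failure"
    ]
```

For a real tenant, load the JSON export of the Sign-ins view with `json.load` and pass the resulting list to `blocked_signins`.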

We can also look at another error that is being reported by Microsoft Intune. We can head to the final tab, Troubleshooting and support, to understand what the error "Authentication failed due to flow token expired" means.

In summary, I don’t have the magic answer as to why the device is not signing in. If it doesn’t sign in first time, then there is probably a policy in place, and you’ll have to work with your colleagues to find out what policy is restricting it. Another way to fix this is to create an exception policy to allow certain devices/locations/IP addresses.
Feel free to add comments below if you know of better ways to troubleshoot these issues.