
Teams Rooms - MFA

The requirement for Cyber Essentials is that all accounts that can sign in to your cloud must have MFA enabled. This, of course, is difficult with Teams Rooms.

Microsoft advise against enforcing interactive MFA on Teams Rooms

  • Microsoft still support a “100% MFA” tenant posture

  • This holds up to security, audit, and Zero Trust scrutiny

Microsoft explicitly state that Microsoft Teams Rooms (including Yealink) resource accounts must not be required to perform interactive MFA.
Microsoft’s position is:

  • Teams Rooms accounts must be MFA-capable, but Conditional Access must allow non-interactive sign-in without MFA.

  • This is not a loophole — it is documented, supported, and expected behaviour.

Plan for Microsoft Teams Rooms

Microsoft documentation states that Teams Rooms accounts:

  • Use non-interactive sign-ins

  • Do not support MFA prompts

  • Must be handled via Conditional Access exclusions

Conditional Access and workload identities

Microsoft explicitly differentiates:

  • Human interactive identities → MFA required

  • Workload / device identities → non-interactive auth

  • Teams Rooms fall into the workload/device identity category even though they use user objects.

Securing Teams Rooms

Microsoft recommend:

  • Strong passwords

  • Restricted sign-in locations

  • Dedicated Conditional Access policies

  • No interactive MFA enforcement

  • MFA is not supported for Teams Rooms sign-in flows.


Step 1 — Make the tenant “100% MFA” (compliance-safe)

Create a global human-user policy:

CA: Require MFA for all users

  • Users: All users
  • Exclude:
    • Break-glass accounts (these still have MFA registered, just not enforced through this CA policy)
    • Teams Rooms resource accounts (group-based!)
  • Cloud apps: All
  • Grant: Require MFA

✔ Auditors are happy
✔ Humans always MFA
✔ No device exceptions here

Step 2 — Keep Teams Rooms MFA-enabled (but not enforced interactively)

For Teams Room resource accounts:

  • Register at least one MFA method (Authenticator / FIDO / TAP)
  • Leave them MFA-capable
  • Do NOT use per-user MFA enforcement (legacy)

This satisfies:

  • Security baselines
  • Zero Trust posture
  • “MFA is enabled on all accounts”

Step 3 — Explicitly exempt Teams Rooms from MFA only where needed

This is the critical policy.

CA Policy: Teams Rooms – Allow Non-Interactive Auth from HQ

Users

  • Teams Rooms resource account group

Cloud apps

  • Microsoft Teams
  • Office 365

Conditions

  • Locations:
    • Include: Head Office (Named Location, trusted IP)
  • Client apps:
    • Modern authentication
  • Sign-in risk:
    • Low / Medium only (optional but recommended)

Grant

  • Allow access
  • Do NOT require MFA

This policy:

  • Applies only when the sign-in is evaluated as coming from HQ
  • Allows non-interactive token refresh flows
  • Prevents MFA prompts when the device cannot satisfy
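An added example, not from the page: a small Python model of how Conditional Access evaluates the Step 1 and Step 3 policies above against sample sign-ins, so the scope of each policy can be checked before it is enforced (the group name, account names and every location other than Head Office are constructed assumptions).

```python
# Added example: minimal model of Entra Conditional Access evaluation for the
# two policies described on this page. All names/IDs below are constructed.
from dataclasses import dataclass, field
from typing import Optional

ROOMS_GROUP = "grp-teams-rooms"   # constructed Teams Rooms resource account group
BREAK_GLASS = {"bg-admin-1"}      # constructed break-glass account
HQ_LOCATION = "Head Office"       # named (trusted IP) location from the page

@dataclass
class SignIn:
    user: str
    groups: set
    location: str
    interactive: bool

@dataclass
class Policy:
    name: str
    include_all_users: bool = False
    include_groups: set = field(default_factory=set)
    exclude_users: set = field(default_factory=set)
    exclude_groups: set = field(default_factory=set)
    include_locations: Optional[set] = None   # None means any location
    require_mfa: bool = False

    def applies(self, s: SignIn) -> bool:
        # Exclusions always take precedence over inclusions, as in Entra CA.
        if s.user in self.exclude_users or s.groups & self.exclude_groups:
            return False
        if self.include_locations is not None and s.location not in self.include_locations:
            return False
        return self.include_all_users or bool(s.groups & self.include_groups)

POLICIES = [
    Policy("CA: Require MFA for all users", include_all_users=True,
           exclude_users=BREAK_GLASS, exclude_groups={ROOMS_GROUP}, require_mfa=True),
    Policy("Teams Rooms - Allow Non-Interactive Auth from HQ",
           include_groups={ROOMS_GROUP}, include_locations={HQ_LOCATION}),
]

def evaluate(s: SignIn, policies=POLICIES) -> dict:
    """Return the matching policy names and whether MFA is required.
    When no policy matches, CA grants access with no controls at all."""
    matched = [p for p in policies if p.applies(s)]
    return {"matched": [p.name for p in matched],
            "mfa_required": any(p.require_mfa for p in matched)}

if __name__ == "__main__":
    print(evaluate(SignIn("room-01", {ROOMS_GROUP}, "Coffee shop", False)))
```

Note that a room account signing in from anywhere other than Head Office matches neither policy, so it is granted access without any control; the "Restricted sign-in locations" recommendation therefore needs its own block policy for the rooms group, because a grant policy only adds requirements where it applies.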