Restrict Teams Resource Accounts Sign In to Teams Rooms with Conditional Access

In this article, you learn how to restrict Teams Rooms resource account authentication using Conditional Access policies so that these accounts can authenticate only on organization-managed Teams Rooms on Windows devices.

Prerequisites

To configure these settings, your organization must have the following licenses:

  • Entra ID Premium P1 (or higher) (for dynamic groups & Conditional Access)
  • Microsoft Intune (for device compliance and enrollment)
  • Microsoft Entra ID Governance (for Access Packages)

Teams Rooms Pro licenses include Entra ID P1 and Intune, but Entra ID Governance may need to be purchased separately based on organization licensing.

The IT admin completing this must be a member of the following roles to perform these tasks:

Step 1: Group all Teams Rooms resource accounts in Entra ID

All Teams Rooms resource accounts should be grouped together to ensure consistent Conditional Access policy assignment. If no suitable group exists, create a new dynamic group called MTR_Resource_Accounts that captures all Teams Rooms resource accounts, with these steps:

  1. Go to the Entra ID admin center > Groups > New group.
  2. Select Security as the group type and add a name.
  3. Under Membership type, choose Dynamic User and add a rule: (user.userPrincipalName -startsWith "mtr-").
  4. Review and create the group.

Step 2: Configure access packages to control Entra ID join permissions

For this security control to work, the Teams Rooms on Windows devices must be Entra ID joined. Access packages can be created to allow resource accounts to complete the Entra join of Teams devices in a controlled, limited-time window.

Set up two security groups that are mapped to access packages:

  • Create an Entra security group for the time-limited Entra join window, called MTR_DeviceSetup.
  • Create an Entra security group for deployed devices with persistent membership, called MTR_DeviceFull.

Allow resource accounts to complete Entra join of Teams devices in a controlled, limited-time window.

  1. In Microsoft Entra ID > Identity Governance > Access packages, create two packages:

    • MTR Device Setup (one-time, limited duration)
    • MTR Device Full (persistent membership for deployed devices)
  2. For MTR Device Setup:

    • Resource roles: Assign the MTR_DeviceSetup group.
    • Requests: Require two-step approval (local IT manager + global admin).
    • Duration: Configure a short access window (for example, one day) for Entra join. Under Lifecycle > Expiration, set Access package assignments expire = "Number of days" and set Number of days = 1.
    • Users who can request access: For users in your directory, select Specific users and groups.
    • Select users and groups: set to the MTR_Resource_Accounts dynamic group.
  3. For MTR Device Full:

    • Resource roles: Assign the MTR_DeviceFull group.
    • Requests: Require two-step approval (local IT manager + global admin).
    • Duration: Access package assignments expire = "Never".
    • Users who can request access: For users in your directory, select Specific users and groups.
    • Select users and groups: set to the MTR_Resource_Accounts dynamic group.

Step 3: Tag approved devices via extension attributes

Each Entra ID joined Teams Rooms device needs to be marked with an extension attribute to distinguish that Windows device from other Entra ID joined devices. The attribute can be set and removed on these device objects manually or as part of an automated flow.

  1. As part of the Access Package workflow (upon successful Entra join), use an Entra ID provisioning action or Azure Automation runbook to set a device extension attribute (for example, extensionAttribute2 = "MTR_Approved").
  2. Confirm in Entra ID > Devices that the attribute appears on the device object.
  3. When the device is removed from MTR Device Full, remove the device object extension attribute.
  4. Confirm in Entra ID > Devices that the attribute is removed on the device object when removed from MTR Device Full access package.
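The tagging and untagging in steps 1 and 3 can be scripted in an Azure Automation runbook or run interactively. The following PowerShell is an added example, not code from the article or from Microsoft; it assumes the Microsoft.Graph PowerShell SDK with a session opened by Connect-MgGraph that has Device.ReadWrite.All, and it uses the attribute name and value from the article (extensionAttribute2 = "MTR_Approved"). The device object id is an assumed input that the calling workflow supplies.

```powershell
# Added example (not from the original article): set, clear and verify the
# extension attribute that the Conditional Access device filter keys on.
# Assumes: Microsoft.Graph SDK installed; Connect-MgGraph -Scopes "Device.ReadWrite.All"
# already run; $DeviceObjectId is the Entra *object id* of the device (not its deviceId).

$AttributeName = 'extensionAttribute2'   # attribute name used in the article
$ApprovedValue = 'MTR_Approved'          # value the CA device filter matches on
$GraphBase     = 'https://graph.microsoft.com/v1.0/devices'

function Set-MtrDeviceApproval {
    # Tags the device on successful Entra join (Step 3, item 1); pass -Approved:$false
    # when the device is removed from MTR Device Full (Step 3, item 3) to clear the tag.
    param(
        [Parameter(Mandatory)] [string] $DeviceObjectId,
        [bool] $Approved = $true
    )
    # A null value in the PATCH body clears the attribute on the device object.
    $value = if ($Approved) { $ApprovedValue } else { $null }
    Invoke-MgGraphRequest -Method PATCH -Uri "$GraphBase/$DeviceObjectId" -Body @{
        extensionAttributes = @{ $AttributeName = $value }
    } | Out-Null
}

function Test-MtrDeviceApproval {
    # Returns $true only when the attribute carries exactly the approved value,
    # i.e. the device satisfies device.extensionAttribute2 -eq "MTR_Approved".
    param([Parameter(Mandatory)] [string] $DeviceObjectId)
    $device = Invoke-MgGraphRequest -Method GET `
        -Uri "$GraphBase/$DeviceObjectId`?`$select=id,displayName,extensionAttributes"
    $current = $device.extensionAttributes[$AttributeName]
    # Comparison is case-sensitive so a near-miss value (e.g. "mtr_approved") fails.
    return ($null -ne $current) -and ($current -ceq $ApprovedValue)
}

# Usage (constructed placeholder id; replace with the real device object id):
# $id = '00000000-0000-0000-0000-000000000000'
# Set-MtrDeviceApproval -DeviceObjectId $id              # tag after Entra join
# Test-MtrDeviceApproval -DeviceObjectId $id             # expect $true
# Set-MtrDeviceApproval -DeviceObjectId $id -Approved:$false  # untag on retirement
# Test-MtrDeviceApproval -DeviceObjectId $id             # expect $false
```

Run Test-MtrDeviceApproval after each change as the confirmation called for in items 2 and 4; a device that reports $false will not satisfy the device filter in the Step 4 grant policy.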

Step 4: Conditional access policies

Deploy two key Conditional Access (CA) policies to enforce compliance.

Policy 1: MTR - Restrict Resource Accounts to Managed Devices
  • Conditions:
    • Users: MTR_Resource_Accounts (dynamic group)
    • Cloud apps: All Microsoft 365 apps
    • Device filter: device.extensionAttribute2 -eq "MTR_Approved"
  • Grant controls: Grant access only if the device is compliant and Entra joined.

Policy 2: MTR - Block Resource Accounts except for initial setup
  • Conditions:
    • Users: MTR_Resource_Accounts (dynamic group)
    • Cloud apps: All resources
    • Exclusion group: MTR_DeviceSetup
  • Grant controls: Block.

Step 5: Verify and test

  1. New Resource Account
    • Create a test conference room account.
    • Verify membership in MTR_Resource_Accounts group.
  2. Device Enrollment
    • Request the MTR Device Setup access package for the test account.
    • Within the approval window, perform Entra ID join on a Teams device.
    • Verify device object is tagged MTR_Approved.
  3. Sign-In Tests
    • On the joined device, sign in to the Teams Rooms application with the resource account - Allowed.
    • On a non-MTR-Approved device, attempt a sign in using the same resource account - Blocked.
    • On a nonjoined device, attempt sign-in with the same resource account - Blocked.
  4. Device Retirement
    • When a Teams device is retired or decommissioned, remove it from the MTR Device Full access package.
    • Attempt sign-in from the device and ensure it's blocked.

Best practices

  • Review dynamic group rules periodically to ensure extension attribute schema remains accurate.
  • Rotate extension attribute values if they are compromised, and update dynamic group rules accordingly.
  • Audit Access Package assignments monthly for orphaned or stale approvals.
  • Document multifactor authentication enforcement for all accounts as a mandatory security practice.
