Commit

Merge pull request #15984 from MattSlomka/patch-86
Update authentication-best-practices-for-android-devices.md
Stacyrch140 authored Nov 7, 2024
2 parents e49aba0 + bc3b74e commit 1029d49
Showing 3 changed files with 27 additions and 1 deletion.
Expand Up @@ -94,3 +94,11 @@ Use filters for devices to identify your shared devices and enable policies in t

>[!NOTE]
> Some attributes such as **model**, **manufacturer**, and **operatingSystemVersion** can only be set when devices are managed by Intune. If your devices are not managed by Intune, use extension attributes.
## Teams Legacy Authorization

Teams upgrade configuration policies offer a setting called **BlockLegacyAuthorization** which when enabled prevents Teams Rooms on Android and Teams panels from connecting to Teams services. To learn more about this policy see, [Set-CsTeamsUpgradeConfiguration](/powershell/module/skype/set-csteamsupgradeconfiguration) or run Get-CsTeamsUpgradeConfiguration to check if **BlockLegacyAuthorization** is enabled in your tenant.

``` Powershell
Get-CsTeamsUpgradeConfiguration | fl BlockLegacyAuthorization
```
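
Review bot: The new "Teams Legacy Authorization" paragraph says that enabling **BlockLegacyAuthorization** prevents Teams Rooms on Android and Teams panels from connecting to Teams services, but it never tells the admin which value to expect from the Get-CsTeamsUpgradeConfiguration check or what to do if the setting turns out to be enabled. Since this is a best-practices article, add one sentence stating the expected result for tenants that run these devices and pointing to Set-CsTeamsUpgradeConfiguration as the place to change it. In the same paragraph, "To learn more about this policy see, [Set-CsTeamsUpgradeConfiguration]" has the comma on the wrong side of "see", and the cmdlet name in the running text should be in code formatting.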
8 changes: 8 additions & 0 deletions Teams/phones/authentication-best-practices-phones.md
Expand Up @@ -98,3 +98,11 @@ Use filters for devices to identify your common-area devices and enable policies

>[!NOTE]
> Some attributes such as **model**, **manufacturer**, and **operatingSystemVersion** can only be set when devices are managed by Intune. If your devices are not managed by Intune, use extension attributes.
## Teams Legacy Authorization

Teams upgrade configuration policies offer a setting called **BlockLegacyAuthorization** which when enabled prevents Teams phones from connecting to Teams services. To learn more about this policy see, [Set-CsTeamsUpgradeConfiguration](/powershell/module/skype/set-csteamsupgradeconfiguration) or run Get-CsTeamsUpgradeConfiguration to check if **BlockLegacyAuthorization** is enabled in your tenant.

``` Powershell
Get-CsTeamsUpgradeConfiguration | fl BlockLegacyAuthorization
```
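
Review bot: This section is a copy of the one added to the previous file, with only "Teams phones" swapped in for the device name, so the three copies in this commit will drift as soon as one of them is edited. Consider moving the shared text and command into a single include, or at least keep the wording identical apart from the device name. In the code block, "Get-CsTeamsUpgradeConfiguration | fl BlockLegacyAuthorization" relies on the fl alias; spell it out as Format-List in documentation, and write the fence tag as powershell without the leading space and capital P.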
12 changes: 11 additions & 1 deletion Teams/rooms/rooms-authentication.md
Expand Up @@ -27,7 +27,7 @@ Microsoft Teams Rooms on Windows shares authentication component with Teams desk

However, Teams Rooms on Windows have some key differences compared to an end user personal computer where Teams desktop runs. These differences may impact authentication configurations for Teams rooms.

The key differences are as below:  
## Key differences from the Teams Desktop application 

1. Microsoft Teams Rooms resource accounts are centrally managed by IT administrators in an organization. End users don't have ability to sign in / out of Teams Rooms devices.
1. Microsoft Teams Rooms use Microsoft Entra accounts that are configured with resources mailbox in Microsoft Exchange.
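
Review bot: Turning "The key differences are as below:" into the heading "## Key differences from the Teams Desktop application" leaves the numbered list with no introductory sentence, while the paragraph above the heading still ends with "These differences may impact authentication configurations for Teams rooms." as if the list followed it directly. Keep a short lead-in line under the new heading. The heading also capitalizes "Teams Desktop" where the paragraph just above writes "Teams desktop", and the added line ends with a trailing space.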
Expand All @@ -36,4 +36,14 @@ The key differences are as below:  

It’s important to note that Microsoft Teams Rooms resource accounts shouldn't be configured to use user interactive multifactor authentication (MFA), smart card authentication, or client certificate-based authentication.

## Conditional Access Considerations

Teams Rooms resource account access to Microsoft 365 service can be limited using Conditional Access policies. Since Windows has no knowledge of resource account that is used by Teams room application, to apply device-level conditional access policies, you must enroll Teams Rooms on Windows devices with Microsoft Intune. Learn more about [Enrolling Microsoft Teams Rooms on Windows devices with Intune](https://techcommunity.microsoft.com/t5/intune-customer-success/enrolling-microsoft-teams-rooms-on-windows-devices-with/ba-p/3246986). When the device is enrolled in Intune, the Teams Rooms application uses Windows enrolled account using Web access management (WAM) to send device compliance status for conditional access evaluation. To learn more about Conditional Access and Intune compliance policies, see [Conditional Access and Intune compliance for Microsoft Teams Rooms](/microsoftteams/rooms/conditional-access-and-compliance-for-devices) and [Supported Conditional Access and Intune device compliance policies for Microsoft Teams Rooms](/microsoftteams/rooms/supported-ca-and-compliance-policies?tabs=mtr-w)

## Teams Legacy Authorization

Teams upgrade configuration policies offer a setting called **BlockLegacyAuthorization** which when enabled prevents Teams Rooms on Windows from connecting to Teams services. To learn more about this policy see, [Set-CsTeamsUpgradeConfiguration](/powershell/module/skype/set-csteamsupgradeconfiguration) or run Get-CsTeamsUpgradeConfiguration to check if **BlockLegacyAuthorization** is enabled in your tenant.

``` Powershell
Get-CsTeamsUpgradeConfiguration | fl BlockLegacyAuthorization
```
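
Review bot: In the Conditional Access paragraph, "Web access management (WAM)" expands the acronym incorrectly; the Windows component is Web Account Manager, so the sentence should read along the lines of "uses the Windows enrolled account through Web Account Manager (WAM)". The same paragraph needs a pass for articles and consistency: "Microsoft 365 service", "no knowledge of resource account", "Conditional Access" versus "conditional access", and the missing period after the final link. The two headings added in this hunk use title case ("Conditional Access Considerations", "Teams Legacy Authorization") while the heading added earlier in this file uses sentence case, so pick one style.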
