I recently had the privilege of configuring a batch of Microsoft Surface Hub 2S devices for a customer. As the customer was already adopting Intune, we opted for that approach for the configuration.
One of the things that needed to be addressed was the use of Skype for Business as the primary communication method on the device. The Microsoft documentation directed me to a blog post containing all the necessary steps in Intune.
After the deployment, Teams was featured on the start screen of the devices, but upon launching the application only a black bar was displayed. After checking the configuration again and looking online, I found a couple of suggested solutions:
- The device account doesn't have a Teams license
- The device needs to be in the Insider program
Neither of these, however, turned out to be the cause of my issue. While double-checking the license assignment in Azure AD, I happened to have a look at the sign-in logs for the account.
In the sign-in logs you could see the device trying to sign in to Teams every couple of minutes and failing every time. The error:
- Sign-in error code: 50097
- Failure reason: Device Authentication Required – DeviceId -DeviceAltSecId claims are null OR no device corresponding to the device identifier exists.
Upon further inspection it was clear that the device was being blocked by a newly implemented Conditional Access policy. After adding the device accounts as an exception, Teams started just fine.
Best practice would be to create a dedicated Conditional Access policy for the Surface device accounts that allows sign-in without MFA from the office IP addresses but completely blocks access from any other location.
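The sign-in log pattern above (the same account, the same app, error 50097 every few minutes, a Conditional Access policy reported as failing) is easy to spot once you filter for it. The script below is an added example, not code from the original post: it triages sign-in records in the shape Microsoft Graph returns from `/auditLogs/signIns`, keeps only the 50097 failures, groups them per account and lists the policy that rejected them. The records in `SAMPLE_SIGNINS` are a constructed sample with placeholder account names and a placeholder policy name; in practice you would feed it the JSON exported from the Entra portal or Graph.

```python
"""Triage Entra ID (Azure AD) sign-in log records for sign-ins rejected with
error 50097 (Device Authentication Required), the pattern described in the post.

Added example, not code from the original post. SAMPLE_SIGNINS is a constructed
sample in the shape of Microsoft Graph /auditLogs/signIns entries, reduced to the
fields used here; account names and the policy name are placeholders.
"""
from collections import defaultdict

DEVICE_AUTH_REQUIRED = 50097  # error code quoted in the post
FAILURE_REASON = ("Device Authentication Required - DeviceId -DeviceAltSecId claims are null "
                  "OR no device corresponding to the device identifier exists.")


def _blocked(ts, upn, policy="CA-Require-MFA-All-Users"):
    """Constructed record: a device account retrying Teams and being rejected by a CA policy."""
    return {"createdDateTime": ts, "userPrincipalName": upn, "appDisplayName": "Microsoft Teams",
            "status": {"errorCode": DEVICE_AUTH_REQUIRED, "failureReason": FAILURE_REASON},
            "conditionalAccessStatus": "failure",
            "appliedConditionalAccessPolicies": [{"displayName": policy, "result": "failure"}]}


SAMPLE_SIGNINS = [
    _blocked("2021-03-02T08:00:12Z", "hub-room1@contoso.example"),
    _blocked("2021-03-02T08:03:40Z", "hub-room1@contoso.example"),
    _blocked("2021-03-02T08:07:05Z", "hub-room1@contoso.example"),
    _blocked("2021-03-02T08:01:55Z", "hub-room2@contoso.example"),
    _blocked("2021-03-02T08:05:21Z", "hub-room2@contoso.example"),
    # interactive user who satisfied MFA: not a CA failure
    {"createdDateTime": "2021-03-02T08:02:10Z", "userPrincipalName": "alice@contoso.example",
     "appDisplayName": "Microsoft Teams", "status": {"errorCode": 0, "failureReason": "Other."},
     "conditionalAccessStatus": "success",
     "appliedConditionalAccessPolicies": [{"displayName": "CA-Require-MFA-All-Users", "result": "success"}]},
    # a plain wrong-password failure (50126): unrelated to Conditional Access
    {"createdDateTime": "2021-03-02T08:04:33Z", "userPrincipalName": "bob@contoso.example",
     "appDisplayName": "Office 365 Exchange Online",
     "status": {"errorCode": 50126,
                "failureReason": "Error validating credentials due to invalid username or password."},
     "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": []},
]


def device_auth_failures(signins, error_code=DEVICE_AUTH_REQUIRED):
    """Return only the records whose status.errorCode is the CA device-authentication failure."""
    return [s for s in signins if s.get("status", {}).get("errorCode") == error_code]


def summarize_by_account(signins):
    """Group the failing records per account: attempt count, apps, and the CA policies that failed."""
    summary = defaultdict(lambda: {"attempts": 0, "apps": set(), "failed_policies": set()})
    for s in device_auth_failures(signins):
        entry = summary[s["userPrincipalName"]]
        entry["attempts"] += 1
        entry["apps"].add(s.get("appDisplayName", "?"))
        for p in s.get("appliedConditionalAccessPolicies", []):
            if p.get("result") == "failure":
                entry["failed_policies"].add(p.get("displayName", "?"))
    # freeze the sets into sorted lists for stable output
    return {upn: {"attempts": e["attempts"], "apps": sorted(e["apps"]),
                  "failed_policies": sorted(e["failed_policies"])}
            for upn, e in summary.items()}


def likely_device_accounts(summary, min_attempts=2):
    """Accounts that keep retrying unattended are the ones to check against the CA policy scope."""
    return sorted(upn for upn, e in summary.items() if e["attempts"] >= min_attempts)


if __name__ == "__main__":
    report = summarize_by_account(SAMPLE_SIGNINS)
    for upn in likely_device_accounts(report):
        e = report[upn]
        print(f"{upn}: {e['attempts']} x {DEVICE_AUTH_REQUIRED} via {', '.join(e['apps'])}; "
              f"failing policy: {', '.join(e['failed_policies'])}")
```

The `appliedConditionalAccessPolicies` entries tell you which policy to look at, which is quicker than re-reading every policy in the portal; the repeat count separates an unattended device account from a user who hit the policy once.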
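In Conditional Access terms that recommendation is two policies: a dedicated block policy for the device accounts scoped to "all locations except the office named location", and the tenant-wide MFA policy with those same accounts excluded. The code below is an added example, not code from the original post, and builds both bodies in the Microsoft Graph `conditionalAccessPolicy` schema, with a sanity check for the common mistakes (office location not excluded, policy accidentally targeting all users) before the policy is created. The account object IDs and the named location ID are placeholders; `create_policy` posts to the real Graph endpoint but is not called in the demo.

```python
"""Build the two Conditional Access policy bodies that implement the practice
described above, in the Microsoft Graph conditionalAccessPolicy schema:

  1. a dedicated policy for the Surface Hub device accounts that blocks sign-in
     from every location except the office named location, and
  2. the tenant-wide MFA policy with those device accounts excluded.

Added example, not code from the original post. Object IDs and the named
location ID are placeholders; real values come from your tenant.
"""
import json
import urllib.request

GRAPH_CA_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"


def device_account_lockdown_policy(device_account_ids, office_location_id,
                                   state="enabledForReportingButNotEnforced"):
    """Block the device accounts everywhere except the office IP range.

    Locations are scoped as "All" minus the office named location, so the policy
    fails closed: an unknown network is blocked rather than allowed. It starts in
    report-only mode so the sign-in logs can confirm the scope before enforcing.
    """
    return {
        "displayName": "CA-SurfaceHub-BlockOutsideOffice",
        "state": state,
        "conditions": {
            "clientAppTypes": ["all"],
            "applications": {"includeApplications": ["All"]},
            "users": {"includeUsers": list(device_account_ids)},
            "locations": {"includeLocations": ["All"],
                          "excludeLocations": [office_location_id]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def mfa_policy_with_device_exclusion(device_account_ids, state="enabled"):
    """Tenant-wide MFA requirement with the device accounts excluded (they cannot complete MFA)."""
    return {
        "displayName": "CA-Require-MFA-All-Users",
        "state": state,
        "conditions": {
            "clientAppTypes": ["all"],
            "applications": {"includeApplications": ["All"]},
            "users": {"includeUsers": ["All"], "excludeUsers": list(device_account_ids)},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def policy_issues(policy, device_account_ids, office_location_id):
    """Sanity checks on the lockdown policy before it is created or switched to enforced."""
    issues = []
    cond = policy.get("conditions", {})
    loc = cond.get("locations", {})
    users = cond.get("users", {})
    if loc.get("includeLocations") != ["All"]:
        issues.append("includeLocations must be ['All'] so unknown networks are blocked")
    if office_location_id not in loc.get("excludeLocations", []):
        issues.append("office named location is not excluded; devices would be blocked in the office too")
    if policy.get("grantControls", {}).get("builtInControls") != ["block"]:
        issues.append("grant control is not 'block'")
    missing = sorted(set(device_account_ids) - set(users.get("includeUsers", [])))
    if missing:
        issues.append(f"device accounts not in scope: {missing}")
    if users.get("includeUsers") == ["All"]:
        issues.append("policy targets all users; a block policy this broad locks everyone out")
    return issues


def create_policy(policy, access_token):
    """POST the policy to Graph (needs Policy.ReadWrite.ConditionalAccess). Not called in the demo."""
    req = urllib.request.Request(
        GRAPH_CA_POLICIES, data=json.dumps(policy).encode(), method="POST",
        headers={"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    devices = ["00000000-0000-0000-0000-000000000001"]  # placeholder device account object IDs
    office = "11111111-1111-1111-1111-111111111111"    # placeholder office named location ID
    lockdown = device_account_lockdown_policy(devices, office)
    print("issues:", policy_issues(lockdown, devices, office) or "none")
    print(json.dumps(lockdown, indent=2))
    print(json.dumps(mfa_policy_with_device_exclusion(devices), indent=2))
```

Keeping the block policy in report-only mode first lets you confirm in the sign-in logs that only the device accounts are matched, and that their sign-ins from the office named location come through as "not applied", before flipping `state` to `enabled`.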