Teams Room accounts are usually excluded from conditional access. To do so, they have to be in a security group, which of course we don’t want to do manually.<\/p>\n\n\n\n
Most companies choose to use a naming standard and simply use that as a rule to create an exclusion group. This is easy to circumvent, I can create a guest user \/ get invited with the right name et voila zero CA policies!<\/p>\n\n\n\n
A better way is to identify the accounts based on their assigned licenses, e.g. Teams Rooms Basic (6af4b3d6-14bb-4a2a-960c-6c902aad34f3). This, however, is not supported as an Azure AD group membership rule as this is stored in the AssignedLicenses property which will throw an “Unsupported Property” error. <\/p>\n\n\n\n
The assignedPlans property however does contain the GUID we need. <\/p>\n\n\n\n
The following Azure AD Group dynamic membership rule only matches users that have a Teams Room Basic, Teams Room Standard or Teams Room Pro license:<\/p>\n\n\n\n
(\n\t(\n\t\tuser.assignedPlans -any (\n\t\t\tassignedPlan.servicePlanId -eq \"8081ca9c-188c-4b49-a8e5-c23b5e9463a8\"\n\t\t\t-and \n\t\t\tassignedPlan.capabilityStatus -eq \"Enabled\"\n\t\t)\n\t) -or \n\t(\n\t\tuser.assignedPlans -any (\n\t\t\tassignedPlan.servicePlanId -eq \"ec17f317-f4bc-451e-b2da-0167e5c260f9\"\n\t\t\t-and \n\t\t\tassignedPlan.capabilityStatus -eq \"Enabled\"\n\t\t)\n\t) -or \n\t(\n\t\tuser.assignedPlans -any (\n\t\t\tassignedPlan.servicePlanId -eq \"92c6b761-01de-457a-9dd9-793a975238f7\"\n\t\t\t-and \n\t\t\tassignedPlan.capabilityStatus -eq \"Enabled\"\n\t\t)\n\t)\n) -and not (\n\tuser.assignedPlans -all (assignedPlan.servicePlanId -eq \"\")\n)<\/code><\/pre>\n\n\n\nif you want to do something similar for other licenses, here are the options\/combinations:<\/p>\n\n\n\n
https:\/\/github.com\/MicrosoftDocs\/entra-docs\/blob\/main\/docs\/identity\/users\/licensing-service-plan-reference.md<\/a><\/p>\n\n\n\n<\/p>\n","protected":false},"excerpt":{"rendered":"
Teams Room accounts are usually excluded from conditional access. To do so, they have to be in a security group, which of course we don’t want to do manually. Most companies choose to use a naming standard and simply use that as a rule to create an exclusion group. This is easy to circumvent, I … Continue reading Dynamic membership rule for Teams Room accounts<\/span>