Share via

Block Teams resource account sign in to Microsoft 365 clients

As a Microsoft 365 admin, you want to protect and secure your business environment. Baseline security mode helps you protect and secure your organization.

In this article, you'll learn how to restrict Teams Rooms resource account authentication using conditional access policies to ensure accounts authenticate only on managed Teams Rooms on Windows devices.

Prerequisites

To configure these settings, your organization must have one of the following subscriptions or add-ons:

  • Entra ID Premium P1/P2 (for dynamic groups & Conditional Access)
  • Microsoft Entra ID Governance (for Access Packages)
  • Microsoft Intune (for device compliance and enrollment)

You must be a member of the following roles to perform these tasks:

Step 1: Tag resource accounts using extension attributes

Tag resource accounts (for example, conference room, Teams Rooms) from regular user accounts using an Entra ID extension attribute.

  1. Choose an extension attribute (for example, extensionAttribute2) and a reserved value (for example, -3) to mark all resource accounts.
  2. Set the attribute when creating new accounts:

  • Go to the Exchange admin center > Mail > Mailbox Features > Custom attributes, set extensionAttribute2 = -3.

  • Bulk-update existing accounts (if needed) by using Microsoft Graph to locate existing resource accounts and set the attribute in bulk.

Step 2: Build a dynamic group for resource accounts

Automatically group all tagged resource accounts for policy assignment. Create a dynamic group called MTR_Resource_Accounts. The group is required to apply conditional access policies.

  1. Go to the Entra ID admin center > Groups > New group.
  2. Select Security as the group type and add a name.
  3. Under Membership type, choose Dynamic User and add a rule: (user.extensionAttribute2 -eq "-3").
  4. Review and create the group.

Step 3: Configure access packages for device enrollment

Allow resource accounts to complete Entra join of Teams devices in a controlled, limited-time window.

Setup security group for access package

  • Create Entra security group for Entra join called MTR_DeviceSetup.
  • Create Entra security group for Entra join called MTR_DeviceFull.

Allow resource accounts to complete Entra join of Teams devices in a controlled, limited-time window.

  1. In Microsoft Entra ID > Identity Governance > Access packages, create two packages:
  • MTR Device Setup (one-time, limited duration)
  • MTR Device Full (persistent membership for deployed devices)
  1. For MTR Device Setup:
  • Resource roles: Assign the MTR_DeviceSetup group Requests: Require two-step approval (local IT manager + global admin).
  • Duration: Configure a short access window (for example, 1 day) for Entra join. Under Lifecycle -> Expiration set the Access package assignments expire = "Number of days" and set number of days = 1.
  • Users who can request access: For users in your directory and select Specific users and groups.
  • Select users and groups: set to MTR_Resource_Accounts dynamic group.
  1. For MTR Device Full:
  • Resource roles: Assign the MTR_DeviceFull group
  • Requests: Require two-step approval (local IT manager + global admin).
  • Duration: Access package assignments expire = "Never"
  • Users who can request access: For users in your directory and select Specific users and groups.
  • Select users and groups: set to MTR_Resource_Accounts dynamic group.

Step 4: Tag approved devices via extension attributes

Mark each successfully Entra joined Teams device to verify it's approved.

  1. As part of the Access Package workflow (upon successful Entra join), use an Entra ID provisioning action or Azure Automation runbook to set a device extension attribute (for example, extensionAttribute2 = "MTR_Approved").
  2. Confirm in Azure AD > Devices that the attribute appears on the device object.
  3. When the device is removed from MTR Device Full, remove the device object extension attribute.
  4. Confirm in Azure AD > Devices that the attribute is removed on the device object when removed from MTR Device Full access package.

Step 5: Conditional access policies

Deploy two key Conditional Access (CA) policies to enforce compliance.

Policy Name Conditions Grant Controls
Resource Accounts on Managed Devices * Users: Dynamic group MTR_Resource_Accounts
* Cloud apps: All Microsoft 365 apps
* Device: device.extensionAttribute2 -eq "MTR_Approved"		 Grant access only if device is compliant and Entra joined
Compliant Devices Only * Users: All users
* Cloud apps: All Microsoft 365 apps
* Device state: Intune compliant		 Require device to be marked compliant via Intune
Require multifactor authentication * Users: All users
* Cloud apps: All Microsoft 365 apps
Exclusion group: MTR_DeviceSetup		 Require multifactor authentication except for devices in exclusion group to allow MTR to Entra join

Note

Enforce multifactor authentication on all sign-ins as a tenant-wide prerequisite.

Step 6: Verify and test

  1. New Resource Account
    • Create a test conference room account, verify the extension attribute is set.
    • Confirm membership in MTR_Resource_Accounts.
  2. Device Enrollment
    • Request the MTR Device Setup access package for the test account.
    • Within the approval window, perform Azure AD join on a Teams device.
    • Verify device object is tagged MTR_Approved.
  3. Sign-In Tests
    • On the joined device, sign in to Teams/M365 with the resource account - Allowed.
    • On a non-joined device, attempt sign-in with the same resource account - Blocked.
    • On any device with a personal user account - Allowed (assuming compliance/MFA).
  4. Sign-In Tests
    • Remove device from MTR Device_Full access package for when a Teams device is retired/decommissioned.
    • Attempt sign in from the device and ensure it's blocked.

Best practices

  • Review dynamic group rules periodically to ensure extension attribute schema remains accurate.
  • Rotate extension attribute values if compromised, update dynamic group rules accordingly.
  • Audit Access Package assignments monthly for orphaned or stale approvals.
  • Document multifactor authentication enforcement for all accounts as a mandatory security practice.
  • Last updated on