MS Teams keeps asking users to sign in when opening from screen lock

kevin_boyd
New Contributor III

We have migrated to a new instance of JAMF Pro. Our previous instance used conditional access through Intune, but now we are using device compliance through Entra. It has gone smoothly for the most part. There have been some hiccups, but I have been able to solve most of them. The issue that some users see is that if they leave the device, come back, and log back in to the device, Teams will have a pop-up asking them to sign back in. Usually they are able to get back in with no issues, but it happens all of the time. I checked the MS SSO extension and made some changes, but I am still seeing some of the same behavior in my test group. I have done some research and I have cleared the Teams cache, deleted Team identities keychain, uninstalled Company Portal, and ran MS extension repair, and none of that seems to work. We have a ticket in with support and I am waiting to hear back from them. In the meantime, has anybody run into an issue like this recently?

14 REPLIES

howie_isaacks
Valued Contributor III

For new installs of Teams, do users need to log in manually? We distribute a profile to all Macs that logs in all the Office apps with the user's Microsoft account. That may solve this.

AJPinto
Esteemed Contributor

I was under the impression that unless you used PSSO, the user still had to log in to at least one Microsoft service (like Entra registration for device compliance) to authenticate the rest of the Microsoft products.

kevin_boyd
New Contributor III

That is correct. Our users sign into Entra for device compliance, but what happens after that is when Teams is idle during the screen lock, the users are signed out of Teams, and when they log back into their device it asks them to sign back in. I will have to post a screenshot when I get the chance.

kevin_boyd
New Contributor III

Is that through JAMF Connect?

kevin_boyd
New Contributor III

This is what my users see when they log back into their MacBook after being away:

[Screenshot 2025-06-27 at 8.10.10 AM.png]

mvu
Valued Contributor III

We saw that recently too. Any changes to Device Compliance in Entra?

Do you use Microsoft Platform SSO? Once we had our users register successfully, this banner went away.

kevin_boyd
New Contributor III

We use MS Platform SSO. Usually, if we check Entra, the device still shows as compliant. Before we started using Entra, this was not an issue.

mvu
Valued Contributor III

Not an Entra expert, but you can check "include" and "exclude" around here in Entra:

• Conditional access policy in Entra

• Sign-in frequency and No persistent browser session

• Device platforms - macOS are included?

kevin_boyd
New Contributor III

macOS is included. I think the issue lies with the first two bullet points. I plan on reaching out to our Entra admin to check:

  • "Sign-in frequency: every 1 hour"
  • "Require reauthentication on non-compliant devices"
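
An added example, not part of any post in this thread: a Python check over an exported list of conditional access policies that reports which ones apply to macOS and carry the session controls named above (sign-in frequency, no persistent browser session). The sample export and policy names are constructed, field names follow the Microsoft Graph conditionalAccessPolicy resource, and the 8-hour threshold is an assumption.

```python
import json

# Constructed sample in the shape Microsoft Graph returns for
# GET /identity/conditionalAccess/policies (policy names are made up).
SAMPLE_EXPORT = json.loads("""
{"value": [
 {"displayName": "Require compliant device", "state": "enabled",
  "conditions": {"platforms": {"includePlatforms": ["all"]}},
  "sessionControls": {"signInFrequency": {"isEnabled": true, "type": "hours", "value": 1},
                      "persistentBrowser": {"isEnabled": true, "mode": "never"}}},
 {"displayName": "Windows only", "state": "enabled",
  "conditions": {"platforms": {"includePlatforms": ["windows"]}},
  "sessionControls": {"signInFrequency": {"isEnabled": true, "type": "hours", "value": 4}}},
 {"displayName": "Report-only pilot", "state": "enabledForReportingButNotEnforced",
  "conditions": {"platforms": null},
  "sessionControls": {"signInFrequency": {"isEnabled": true, "type": "days", "value": 7}}}
]}""")

def applies_to_macos(policy):
    """No platform condition means every platform; an exclude beats an include."""
    platforms = (policy.get("conditions") or {}).get("platforms")
    if not platforms:
        return True
    include = [p.lower() for p in platforms.get("includePlatforms") or []]
    exclude = [p.lower() for p in platforms.get("excludePlatforms") or []]
    return "macos" not in exclude and ("all" in include or "macos" in include)

def session_findings(export, max_hours=8):
    """Return (name, state, note) for each non-disabled policy that reaches
    macOS and can prompt users to sign in again within max_hours."""
    findings = []
    for policy in export.get("value", []):
        if policy.get("state") == "disabled" or not applies_to_macos(policy):
            continue
        name, state = policy.get("displayName"), policy.get("state")
        controls = policy.get("sessionControls") or {}
        freq = controls.get("signInFrequency") or {}
        if freq.get("isEnabled"):
            if freq.get("frequencyInterval") == "everyTime":
                findings.append((name, state, "sign-in frequency: every time"))
            elif isinstance(freq.get("value"), int):
                hours = freq["value"] * (24 if freq.get("type") == "days" else 1)
                if hours <= max_hours:
                    findings.append((name, state, f"sign-in frequency: {hours}h"))
        browser = controls.get("persistentBrowser") or {}
        if browser.get("isEnabled") and browser.get("mode") == "never":
            findings.append((name, state, "no persistent browser session"))
    return findings
```

The state is kept in each finding because a report-only policy is evaluated but not enforced, so it would not by itself explain a sign-in prompt.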

mvu
Valued Contributor III

Cool. Let us know what you find. Learning more about this myself, so it'll be helpful.

kevin_boyd
New Contributor III

I will definitely post what I find out

howie_isaacks
Valued Contributor III

These PLIST payloads may help, deployed using a profile.

com.microsoft.office

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>ShowWhatsNewOnLaunch</key>
	<false/>
	<key>DiagnosticDataTypePreference</key>
	<string>BasicDiagnosticData</string>
	<key>OfficeActivationEmailAddress</key>
	<string>$EMAIL</string>
	<key>OfficeAutoSignIn</key>
	<true/>
</dict>
</plist>

 

com.microsoft.Outlook

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>EnableNewOutlook</key>
	<integer>2</integer>
	<key>DefaultEmailAddressOrDomain</key>
	<string>$EMAIL</string>
	<key>AutomaticallyDownloadExternalContent</key>
	<integer>2</integer>
</dict>
</plist>

 I did not create these. The person who had my job before me implemented all this. When we deploy a fresh new or erased and reinstalled Mac and enroll it, the user gets automatically logged into Office, Teams, and OneDrive. No one ever needs to enter their login credentials. We are using a Kerberos single sign-on extension but I will soon deploy platform single sign on.

Thanks, I will try these out.

kevin_boyd
New Contributor III

Just as an update on this: I haven't quite resolved this yet. It seems that the Teams access token is set for 1 hr by default and that may be causing the issue. I tested it out: I let my MacBook sleep for 30 minutes and there were no issues. I waited 1 hr, and when I first logged in Teams was fine, but after about 1 minute it asked me to sign back in. JAMF support checked my logs and they are asking if we can change the access token time frame as well.