You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: Teams/teams-rooms-and-devices/teams-android-devices-conditional-access-issues.md
+19-15Lines changed: 19 additions & 15 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1,6 +1,6 @@
1
1
---
2
2
title: Fix Conditional Access-related issues for Teams Android devices
3
-
description: Discusses how to exclude devices from Conditional Access policies or Intune device compliance policies that can prevent users from signing in to or using the Teams app on Android devices.
3
+
description: Discusses how to exclude devices from Conditional Access policies or Intune device compliance policies. These policies can prevent users from signing in to or using the Teams app on Android devices.
4
4
ms.reviewer: taherr
5
5
ms.topic: troubleshooting
6
6
ms.date: 05/26/2024
@@ -22,9 +22,9 @@ ms.custom:
22
22
23
23
## Symptoms
24
24
25
-
Conditional Access is a Microsoft Entra feature that helps make sure that devices that access corporate resources are correctly managed and secured. If Conditional Access policies are applied to the Microsoft Teams service, Android devices that access Teams must comply with the policies. Such devices include Teams phones, Teams displays, Teams panels, and Teams Rooms on Android. Otherwise, Conditional Access will prevent users from signing in to or using the Teams app on the devices.
25
+
Conditional Access is a Microsoft Entra feature that helps make sure that devices that access corporate resources are correctly managed and secured. If Conditional Access policies are applied to the Microsoft Teams service, Android devices that access Teams must comply with the policies. Such devices include Teams phones, Teams displays, Teams panels, and Teams Rooms on Android devices. Otherwise, Conditional Access prevent users from signing in to or using the Teams app on the devices.
26
26
27
-
If these policies are applied, you might experience one or more of the following issues on non-compliant devices:
27
+
If these policies are applied, you might experience one or more of the following issues on noncompliant devices:
28
28
29
29
- The devices can't sign in to Teams, or they get stuck in sign-in loops.
30
30
- The devices automatically sign out of Teams randomly.
@@ -36,7 +36,7 @@ These issues can occur for the following reasons:
If a device is marked as non-compliant, the Microsoft Entra token-issuing service stops renewing the tokens for the device object or even revokes the token. In this case, the device can't get an updated authentication token, and it's forced to sign out.
39
+
If a device is marked as noncompliant, the Microsoft Entra token-issuing service stops renewing the tokens for the device object or even revokes the token. In this case, the device can't get an updated authentication token, and it's forced to sign out.
40
40
41
41
To check the compliance status of your devices, use the [Intune Device compliance dashboard](/mem/intune/protect/compliance-policy-monitor).
42
42
@@ -50,11 +50,15 @@ These issues can occur for the following reasons:
50
50
51
51
## Resolution
52
52
53
-
Identify the specific cause of the issue by checking multiple details about the affected user's access to the Teams app. To perform the checks that are required, you can either use an automated option or run the checks manually by using the steps provided.
53
+
When you troubleshoot Conditional Access issues, start by checking the affected user’s sign-in details. Verify that the device meets policy requirements. These checks can be performed either through automated tools or manually, as outlined in the following sections.
54
+
55
+
As Microsoft Teams Android devices transition to **Intune AOSP device management**, administrators can take advantage of device attributes (such as `device.displayName`) in Conditional Access filters. This practice enables policies to be targeted more precisely, based on how devices are named.
56
+
57
+
The `device.displayName` attribute is especially useful because it includes the device manufacturer information early in the sign-in process, even before Intune completes full enrollment. After the device finishes enrollment, Intune also reports additional properties (such as updated display name, make, model, and compliance status) to Microsoft Entra. Because this reporting can take time, using `displayName` in your filter rules helps make sure that devices are correctly matched at the start of the process.
54
58
55
59
### Automated checks
56
60
57
-
The automated option is to run the [Microsoft Teams Rooms Sign in](https://testconnectivity.microsoft.com/tests/TeamsMTRDeviceSignIn/input) connectivity test in the Microsoft Remote Connectivity Analyzer tool. This tool is used to troubleshoot connectivity issues that affect Teams. The connectivity test performs checks to verify a specific user's permissions to sign in to Teams by using a Teams Rooms device.
61
+
To use the automatic option, run the [Microsoft Teams Rooms Sign in](https://testconnectivity.microsoft.com/tests/TeamsMTRDeviceSignIn/input) connectivity test in the Microsoft Remote Connectivity Analyzer tool. This tool helps you to troubleshoot connectivity issues that affect Teams. The connectivity test performs checks to verify a specific user's permissions to sign in to Teams by using a Teams Rooms device.
58
62
59
63
> [!NOTE]
60
64
>
@@ -63,14 +67,14 @@ The automated option is to run the [Microsoft Teams Rooms Sign in](https://testc
63
67
64
68
To run the connectivity test, follow these steps:
65
69
66
-
1.Open a web browser and navigate to the [Microsoft Teams Rooms Sign in](https://testconnectivity.microsoft.com/tests/TeamsMTRDeviceSignIn/input) connectivity test.
70
+
1.In a web browser, navigate to the [Microsoft Teams Rooms Sign in](https://testconnectivity.microsoft.com/tests/TeamsMTRDeviceSignIn/input) connectivity test.
67
71
1. Sign in by using the credentials of a Global Administrator account.
68
72
1. Specify the username for the account that can't access the Teams Rooms app.
69
73
1. In the **Device Selection** field, select a type for the affected user's device.
70
-
1. Enter the verification code that's displayed, and then **select Verify**.
74
+
1. Enter the verification code that's displayed, and then select **Verify**.
71
75
1. Select the checkbox to accept the terms of agreement, and then select **Perform Test**.
72
76
73
-
After the test finishes, the screen displays details about all the checks that were performed and whether the test succeeded, failed, or was successful but displayed a few warnings. Select the provided link for more information about the warnings and failures, and about how to resolve them.
77
+
After the test finishes, the screen displays details about all the checks that were performed and whether the test succeeded, failed, or was successful but displayed a few warnings. For more information about the warnings and failures, and about how to resolve them, select the provided link.
74
78
75
79
### Manual checks
76
80
@@ -83,7 +87,7 @@ To manually check user access to the Teams app, follow these steps:
83
87
-**Status**: Select **Failure**, and then select **Apply**.
84
88
-**Application**: Enter **Teams**, and then select **Apply**.
85
89
86
-
:::image type="content" source="media/teams-android-devices-conditional-access-issues/add-filters.png" alt-text="Screenshot of the Status and Application filters.":::
90
+
:::image type="content" source="media/teams-android-devices-conditional-access-issues/add-filters.png" alt-text="The Status and Application filters are available options to run a manual check on user access to the Teams app.":::
87
91
1. For the affected usernames, look for items that have the following **Application** values:
88
92
89
93
- Microsoft Teams
@@ -95,15 +99,15 @@ To manually check user access to the Teams app, follow these steps:
95
99
- Failure reason
96
100
- Additional Details
97
101
98
-
:::image type="content" source="media/teams-android-devices-conditional-access-issues/sign-in-details-basic-info.png" alt-text="Screenshot of the Basic info page of the sign-in activity details.":::
102
+
:::image type="content" source="media/teams-android-devices-conditional-access-issues/sign-in-details-basic-info.png" alt-text="The Basic info page of the sign-in page shows activity details.":::
99
103
1. If the sign-in error code seems to be related to compliance, select the **Conditional Access** tab, and then look for policies that show a **Failure** result.
100
104
101
-
:::image type="content" source="media/teams-android-devices-conditional-access-issues/sign-in-details-conditional-access.png" alt-text="Screenshot of the Conditional Access page of the sign-in activity details.":::
105
+
:::image type="content" source="media/teams-android-devices-conditional-access-issues/sign-in-details-conditional-access.png" alt-text="The Conditional Access page of the sign-in activity details shows policy compliance results.":::
102
106
1. Review the policy details.
103
107
104
-
:::image type="content" source="media/teams-android-devices-conditional-access-issues/conditional-access-policy-details.png" alt-text="Screenshot of the Conditional Access policy details.":::
After you identify the specific Conditional Access policy that's causing the issue, you can use [device filters](/azure/active-directory/conditional-access/concept-condition-filters-for-devices) to exclude the affected device from the policy. Commonly used device properties in device filters are *manufacturer* and *model*. These are used together with the *Contains*, *StartsWith*, and *In* operators.
110
+
After you identify the specific Conditional Access policy that's causing the issue, you can use [device filters](/azure/active-directory/conditional-access/concept-condition-filters-for-devices) to exclude the affected device from the policy. Some of the commonly used device properties in device filters are *manufacturer* and *model*. These properties are used together with the *Contains*, *StartsWith*, and *In* operators.
107
111
108
112
> [!NOTE]
109
113
>
@@ -113,7 +117,7 @@ After you identify the specific Conditional Access policy that's causing the iss
113
117
114
118
The following screenshot shows a sample device filter.
115
119
116
-
:::image type="content" source="media/teams-android-devices-conditional-access-issues/device-filter.png" alt-text="Screenshot of an example device filter.":::
120
+
:::image type="content" source="media/teams-android-devices-conditional-access-issues/device-filter.png" alt-text="Example of a device filter for a device object.":::
title: Troubleshoot errors when creating or switching to an AKS Automatic cluster
3
+
description: Learn how to resolve errors when creating or switching to an AKS Automatic cluster.
4
+
ms.date: 9/9/2025
5
+
ms.author: wangamanda
6
+
ms.service: azure-kubernetes-service
7
+
ms.custom: sap:Create, Upgrade, Scale and Delete operations (cluster or nodepool)
8
+
---
9
+
# Troubleshoot errors when creating or switching to an AKS Automatic cluster
10
+
11
+
This article provides guidance for resolving errors that occur when you create or switch to an Azure Kubernetes Service (AKS) Automatic cluster.
12
+
13
+
## Error 1: AKS Automatic could not find a suitable VM size.
14
+
15
+
### Symptoms
16
+
When you try to create an AKS Automatic cluster, you receive the following error message:
17
+
18
+
> AKS Automatic could not find a suitable VM size. The subscription may not have the required quota of '16' vCPUs, may have restrictions, or location $location may not support three availability zones for the following VM sizes: 'standard_d4lds_v5,standard_d4ads_v5,standard_d4ds_v5,standard_d4d_v5,standard_d4d_v4,standard_ds3_v2,standard_ds12_v2,standard_d4alds_v6,standard_d4lds_v6,standard_d4alds_v5'. Please request some quota for one of these candidate vm sizes in the target region or explicitly specify a vm-size with sufficient quota via --node-vm-size.
19
+
20
+
### Cause
21
+
This error message indicates that any of several problems exists: The subscription doesn't provide a sufficiently large quota of vCPUs assigned to virtual machines (VMs) or the location where the cluster is being created does not support three availability zones. Without a sufficient quota, the system pool for the AKS Automatic cluster can't be created.
22
+
23
+
### Solution
24
+
To resolve this error, try one of the following fixes:
25
+
-[Increase the regional vCPU quota](/azure/quotas/regional-quota-requests#increase-a-regional-vcpu-quota) for one of the listed vm sizes.
26
+
- Deploy the cluster in a different region that has an existing quota that accommodates one of these VM sizes.
27
+
- If you're using Azure CLI, specify the VM size by using `--vm-sizes`.
28
+
29
+
## Error 2: Automatic SKU is not supported in this region.
30
+
31
+
### Symptoms
32
+
When you try to create an AKS Automatic cluster, you receive the following error message:
33
+
34
+
> Automatic SKU is not supported in this region.
35
+
36
+
### Cause
37
+
This error indicates that you can't create AKS Automatic clusters in regions where [API Server VNet Integration](/azure/aks/api-server-vnet-integration#limited-availability) isn't generally available.
38
+
39
+
### Solution
40
+
Create the clusters in regions where [API Server VNet Integration](/azure/aks/api-server-vnet-integration#limited-availability) is generally available.
41
+
42
+
## Error 3: Managed cluster 'Automatic' SKU should set taint 'CriticalAddonsOnlyNoSchedule' for the system node pool.
43
+
44
+
### Symptoms
45
+
When you remove the 'CriticalAddonsOnlyNoSchedule' taint from the system node pool of an AKS Automatic cluster, you receive the following error message:
46
+
47
+
> Managed cluster 'Automatic' SKU should set taint 'CriticalAddonsOnlyNoSchedule' for the system node pool.
48
+
49
+
### Cause
50
+
Removing the 'CriticalAddonsOnlyNoSchedule' taint from the system node pool of an AKS Automatic cluster is not allowed.
51
+
52
+
### Solution
53
+
This behavior is by design. 'CriticalAddonsOnlyNoSchedule' keeps system add-ons running on the system node pool instead of on the user node pool.
54
+
55
+
## Error 4 - Managed cluster 'Automatic' SKU should enable $feature_name feature with recommended values.
56
+
57
+
### Symptoms
58
+
When you try to update an existing AKS cluster from the "Base" SKU to the "Automatic" SKU, you receive the following error message:
59
+
60
+
> Managed cluster 'Automatic' SKU should enable $feature_name feature with recommended values. The feature name will vary based on the feature that has not been enabled.
61
+
62
+
### Cause
63
+
When you update an existing AKS cluster from "Base" to "Automatic," [all AKS Automatic features](/azure/aks/intro-aks-automatic) must first be enabled on the Base cluster.
64
+
65
+
### Solution
66
+
Enable the specific feature that's mentioned in the error message before you update the cluster to "Automatic." Some of the required features include, but aren't limited to, the following features:
67
+
68
+
-[Azure Linux OS](/azure/azure-linux/intro-azure-linux)
69
+
-[Availability zones](/azure/reliability/regions-list): AKS Automatic clusters require deployment in Azure regions that support at least three availability zones.
70
+
-[Node auto provisioning](/azure/aks/node-autoprovision)
71
+
72
+
## Error 5 - Managed cluster 'Automatic' SKU should use Standard tier.
73
+
74
+
### Symptoms
75
+
When you try to update an existing AKS cluster from the "Base" SKU to the "Automatic" SKU, you receive the following error message:
76
+
77
+
> Managed cluster 'Automatic' SKU should use Standard tier.
78
+
79
+
### Cause
80
+
AKS Automatic offers only one tier: Standard.
81
+
82
+
### Solution
83
+
Before you update an existing AKS cluster from "Base" to "Automatic," make sure that it's [set to the "Standard" tier](/azure/aks/free-standard-pricing-tiers#update-an-existing-cluster-from-the-free-tier-to-the-standard-tier).
![learn-build-service-prod[bot]](https://avatars.githubusercontent.com/in/237442?v=4&size=40){kind=avatar}
0 commit comments