MCAS [Activity Policy] Log on from an outdated browser - current Teams client triggers alert


TLDR: Microsoft Teams client triggers 'Log on from an outdated browser' alert policy :sad:

 

After enabling the MCAS - Activity Policy - 'Log on from an outdated browser' our current up-to-date desktop Teams client triggers the alert. I spent quite some time with the user discussing their configuration and thankfully a colleague correlated the 'Sign-in Logs' from the AAD blade and we could see the below 'User Agent's from the same workstation:

  • Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Teams/1.4.00.22472 Chrome/85.0.4183.121 Electron/10.4.3 Safari/537.36
  • Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36

The latest production release of Teams is 'Teams/1.4.00.22472' and it is evidently running Chrome/85.0.4183.121 (Chromium) in the back end which is flagged in the 'User agent tags' of the alert as 'Outdated browser'.

 

The default template should exempt this use case.

 

Knowing the above I've attempted to add an additional filter 'User Agent String' and 'does not contain' 'Teams' - this has no effect on the results leaving me with the suspicion that the full user agent string as above is not passed through. If this is the case then why is it an available filter?

 

It would be great to see this addressed or advice on what I've missed to get this working.

 

Thanks

0 Replies
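
One way to tell the two cases apart when triaging exported sign-in user agents, as an added example that is not part of the original post and not MCAS's own detection logic: it parses the product tokens of the two user agents quoted above and marks the Electron-hosted one as an embedded runtime. The function names and the `min_chrome_major=90` threshold are assumptions for illustration.

```python
import re

# Product tokens look like "Name/1.2.3"; parenthesised comments are skipped.
TOKEN_RE = re.compile(r"([A-Za-z][\w.-]*)/([\w.]+)")
ENGINE_TOKENS = {"Mozilla", "AppleWebKit", "Chrome", "Safari", "Electron"}

# The two user agents quoted in the post.
SAMPLE_UAS = [
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Teams/1.4.00.22472 Chrome/85.0.4183.121 Electron/10.4.3 Safari/537.36",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36",
]


def parse_products(ua):
    """Return ordered (name, version) product tokens from a user agent."""
    without_comments = re.sub(r"\([^)]*\)", " ", ua)
    return TOKEN_RE.findall(without_comments)


def classify(ua, min_chrome_major=90):
    """Describe one user agent; min_chrome_major is an assumed threshold."""
    products = parse_products(ua)
    versions = dict(products)
    # Anything that is not a rendering-engine token names the host application.
    host = next((f"{n}/{v}" for n, v in products if n not in ENGINE_TOKENS), None)
    major = versions.get("Chrome", "").split(".")[0]
    chrome_major = int(major) if major.isdigit() else None
    embedded = "Electron" in versions
    return {
        "kind": "embedded-runtime" if embedded else "standalone-browser",
        "host_app": host,
        "chrome_major": chrome_major,
        "below_threshold": chrome_major is not None and chrome_major < min_chrome_major,
    }


if __name__ == "__main__":
    for ua in SAMPLE_UAS:
        print(classify(ua))
```
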