We have a Microsoft Teams integration configured in ServiceNow. During the initial setup, our IT team configured the Teams app registration and deployed the ServiceNow manifest.

We are currently facing an issue where a user receives the following error when attempting to start a Teams chat from the Collaborate panel:

"Invalid Access token. Please check your credential alias."

ServiceNow Support investigated the issue and confirmed that:

• The OAuth credential exists and is active.

• The Teams integration is working for other users.

• Microsoft returns the error:
  AADSTS135011 – Device used during authentication is disabled/non-compliant.

ServiceNow Support indicated that the issue is unlikely to be related to the ServiceNow manifest, app registration, or tenant configuration and suggested investigating the issue from the Microsoft Entra ID side.

Our question is:

Since the Teams integration and manifest were configured centrally by our IT team, should this issue be investigated by:

1. The IT team that configured the Teams integration and app registration, or

2. The affected user's local IT/Microsoft Entra ID support team?

Has anyone encountered a similar scenario where AADSTS135011 affected only specific users, and who was responsible for resolving it?