Microsoft Intune

Entra hybrid join issue caused maybe by 2 M365 accounts
Hello to everyone, one of my colleagues has 2 Microsoft 365 accounts on his notebook; when we tried to do the procedure to hybrid join his device, I suppose the other account gave us problems in the procedure. Now there is only one account, even if I can see in the event log, in the AAD log, that there is an error and 2 warnings bound to the old account. However, I tried to repeat the procedure but without any luck; what I see that is different from the other devices, if I run the cmd dsregcmd /status, is in these 2 lines:

DisplayNameUpdated : YES
OsVersionUpdated : YES

while on other devices I see:

DisplayNameUpdated : Managed by MDM
OsVersionUpdated : Managed by MDM

We all have a Microsoft 365 Business subscription, and the configuration and steps for the other devices were:

We have all devices with an Entra registered user; we started with this when we had only the Microsoft 365 Basic subscription
We enrolled all devices, with group policy, in MDE when we upgraded to Business
Installed Azure AD Connect: Users sync, Devices sync

So, in the Entra portal we first have only the entry for registered; then, when we synced the devices, we have a second entry with hybrid registered, and finally only one entry with the Owner, MDM and Settings fields filled with correct data; for example, when I make a hybrid join device, initially in the row I see MDE as MDM, then when the hybrid and registered entries compose one row I see Intune in that field. For the device that gives us problems, I see a row like this in the Entra portal while in Intune. Any help is greatly appreciated.

Entra Private Access Licensing
I'm a bit stuck trying to figure out what licensing we need to get us working on BYOD devices such as iPads if we want to use the Private Access part of Global Secure Access. A few places on Microsoft's website mention that as long as we have an Entra ID P1 or P2 license and a Private Access license assigned to a user, we should be able to enrol mobile devices without any issues. However, when I try to sign into MS Defender on an iPad (tried 2 different ones), I get an error saying invalid license. One of the users I am currently testing has an Office 365 E3 license assigned as well. Where am I going wrong?

Q: Restricting access to Business Web Application/Non-Enterprise Application
Hi all, We are in the middle of moving our on-prem infrastructure to Intune and, more specifically, building out conditional access policies. All but one of our business applications have been straightforward with the process to limit access unless certain conditions are met from an authentication, device, or location compliance perspective. The one business application we need to find a solution for is a web-based application that we do not control outside of user administration and limited customization. Typically this would be fine if SSO was leveraged, but this web application, unfortunately and not without several conversations with the developers due to the sensitive nature of the data being stored, does not have SSO on their roadmap. Users can access this application from any web browser using their username and password credentials and an application-specific 2FA process using an SMS code. There is no connection between our MS tenant and this web application. The sensitive nature of the information stored within this application and the availability of this application from any device with a web browser have raised my antenna with security concerns. Especially in the case of a user downloading information from this site on their BYOD mobile device, as they may need to do in the course of their duties: if they left the organization, we would have no way of wiping that data through the removal of the work profile, like we do with all other work data through Intune device compliance measures. We can limit what devices are allowed to connect to work resources (Compliant) and access work applications (all but one, and they need to be compliant to do so), but is there a way to not allow the personal profile of any BYOD device that is compliant from accessing or logging into this specific URL in any browser from the personal profile web browser?

Some users repeatedly prompted for MFA
All our devices are Intune joined. MFA is turned on with a conditional access policy: Grant Access to: Require multifactor authentication; Session only configured Sign in frequency: x days. While the majority of users sign in to apps without any issue, and are only required to re-authenticate with MFA after the defined x days, we have a small group of users who are asked for MFA every time they open a new app. Intune indicates these users' computers are "Compliant". However, Entra - Monitoring - Sign-in logs shows: The same monitoring for other users, Authentication Details are "previously satisfied". For these users, even when they are working on the same app on a desktop, they are still returned with "Mobile app notification" and therefore are asked to MFA: DSREGCMD /status returns some different Diagnostic Data results from other devices without MFA issues: Last HostName Update : NONE.

*********************************************************************
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
    AzureAdJoined : YES
    EnterpriseJoined : NO
    DomainJoined : NO
    Virtual Desktop : NOT SET
    Device Name : [COMPUTER_NAME]
+----------------------------------------------------------------------+
| Device Details                                                       |
+----------------------------------------------------------------------+
    DeviceId : [COMPUTER_ID]
    Thumbprint : [COMPUTER_THUMBPRINT]
    DeviceCertificateValidity : [ 2023-08-05 04:25:23.000 UTC -- 2033-08-05 04:55:23.000 UTC ]
    KeyContainerId : [COMPUTER_KEYCONTAINERID]
    KeyProvider : Microsoft Platform Crypto Provider
    TpmProtected : YES
    DeviceAuthStatus : SUCCESS
+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+
    TenantName : [TENANTNAME]
    ... ... ...
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
    NgcSet : NO
    WorkplaceJoined : NO
    WamDefaultSet : YES
    WamDefaultAuthority : organizations
    WamDefaultId : https://login.microsoft.com
    WamDefaultGUID : [...] (AzureAd)
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
    AzureAdPrt : YES
    AzureAdPrtUpdateTime : 2024-09-03 23:32:02.000 UTC
    AzureAdPrtExpiryTime : 2024-09-17 23:32:01.000 UTC
    AzureAdPrtAuthority : [...]
    EnterprisePrt : NO
    EnterprisePrtAuthority :
    OnPremTgt : NO
    CloudTgt : YES
    KerbTopLevelNames : .windows.net,.windows.net:1433,.windows.net:3342,.azure.net,.azure.net:1433,.azure.net:3342
+----------------------------------------------------------------------+
| Diagnostic Data                                                      |
+----------------------------------------------------------------------+
    AadRecoveryEnabled : NO
    Executing Account Name : AzureAD\[USERNAME], [USEREMAILADDRESS]
    KeySignTest : PASSED
    DisplayNameUpdated : Managed by MDM
    OsVersionUpdated : Managed by MDM
    HostNameUpdated : YES
    Last HostName Update : NONE
+----------------------------------------------------------------------+
| IE Proxy Config for Current User                                     |
+----------------------------------------------------------------------+
    Auto Detect Settings : YES
    Auto-Configuration URL :
    Proxy Server List :
    Proxy Bypass List :
+----------------------------------------------------------------------+
| WinHttp Default Proxy Config                                         |
+----------------------------------------------------------------------+
    Access Type : DIRECT
+----------------------------------------------------------------------+
| Ngc Prerequisite Check                                               |
+----------------------------------------------------------------------+
    IsDeviceJoined : YES
    IsUserAzureAD : YES
    PolicyEnabled : NO
    PostLogonEnabled : YES
    DeviceEligible : YES
    SessionIsNotRemote : YES
    CertEnrollment : none
    PreReqResult : WillNotProvision
**************************************************************************

Can someone help here and shed some light on the issue?

App Proxy Pre-Authentication
Hi there, I just set up NDES + SCEP on our infrastructure and all is working well so far, but I was wondering if it is possible to allow only Entra joined devices (Intune managed) to it instead of Entra ID auth (user auth) or passthrough. I tried with conditional access policies with no luck so far. Thanks!

Entra ID account on Windows 11 being started under a TEMP user profile
I have an Entra ID user on Windows 11 (Intune managed). The user is the "primary user". The user started experiencing login issues where "user name or password not recognized". The password was reset in Entra ID. The PC recognized the new password and allows the user to log in, BUT the account profile is mapped to C:\Users\TEMP and not to their normal C:\Users\<UserName> profile. How do I reconnect the user with their profile?

Issues registering devices for certain users in Entra ID
Recently I've come across a very weird issue within Intune and Entra ID. We use Enterprise Mobility + Security E3 for all users that will be enrolling devices in Intune. Our organization's devices setting within Entra is set to allow all users to register devices, with up to 50 devices per user. During initial setup for their iOS profiles, I used a test account with a Microsoft Business Standard license and Enterprise Mobility + Security E3. I was able to enroll the iPhone in Intune and register the device by logging into the Company Portal app with no issues. However, now that testing is complete, I started working with some of the management team to get their devices set up. Our first test user has enrolled the phone successfully in Intune, but when they log in to Company Portal, the device does not register to their Entra account. I have verified they have the Microsoft Business Standard license and Enterprise Mobility + Security E3. I even had them test using a personal device, and this is not registering to their profile either. I am at a complete loss. It is important we get device registration working as we wish to use Conditional Access to restrict non-registered devices from accessing O365 applications. Any help or guidance is greatly appreciated.

'Single Factor Authentication' after Intune device enrollment
Hello, We have MFA enforced for all employees through Conditional Access. Recently, we started enrolling our company laptops (Windows and Mac) in Intune and also set up 'Windows Hello for Business' as a login method. I noticed that after the enrollment, the user sign-in attempts are showing as 'single factor authentication' in the Entra ID sign-in logs. Also, it says that there are no conditional access policies being applied even though we have several CA policies about MFA, session controls etc. I did some research and found out that this is due to Windows Hello for Business. My question is, what is the right course of action here? I'm getting messages on the CA policy page that the users are logging in without any policy coverage, which concerns me a bit even though I know we have all the policies set in place. Any advice would be appreciated.

How to disable automatic BitLocker implementation when using Autopilot OOBE experience to join a dev
Hello, At my company, our workstations are not joined to the domain and are managed by Workspace ONE. I would like to join these workstations to Entra ID to use Microsoft accounts to authenticate. However, I will also be using Autopilot to have the OOBE and join the workstations directly. Workspace ONE will be added as an MDM to Entra ID and deployed when provisioning the PCs. I noticed that BitLocker will be enabled automatically, and the recovery keys will be synced to Entra ID. In my case, I want Workspace ONE to manage the BitLocker keys. How can I disable BitLocker so that when joining the workstations to Entra ID, Workspace ONE will be downloaded and will manage the keys? Thank you.

Unable to join Windows 11 Enterprise (23H2) VM to AAD
Hello, We have 600+ Windows 11 laptops that are successfully AAD joined. When I try to join a Windows 11 Enterprise (23H2) VM to AAD, it fails. The laptops use Autopilot. After a bit of reading, VMs don't support Autopilot. So I wanted to join them using a work account login after a refresh and during initial setup. This fails with error 80180014. It is trying to join as a personal device. We don't allow personal device join. So I created a local account and tried to register in Settings > Accounts > Email & accounts. I was getting the same error 80180014. I opened a case with MS and they eventually suggested I create a user that has the Enrollment Manager role. I am now able to join the VM to AAD with the Enrollment Manager role. But why did I need to do this? Our laptops join with no issues and didn't need the Enrollment Manager role. Is there an easier way to join VMs to AAD? All VMs for now are on-prem VMs. We will be migrating to cloud VMs at the end of the year or early next year. Thank you, Scott