Forum Widgets
Latest Discussions
Kid finds a way into my account using an old PIN
I have set up parental controls. Somehow my sone managed to find the password logged in the Microsoft Familly app and changed the settings at will. I have changed my password in the meantime but he found an easy way around it as he selects use other methods to sign in and then selects PIN, inputs my old PIN and he is back in. How is this possible? I have changed the password, I have changed the PIN, turned on 2FA and reset Windows Hello and he just goes around all this in one go by introducing my old PIN. Is there a fix for this ?
Disable Windows Hello AND Remove Existing PIN
Previously, after setting up Windows for an Azure AD user, it would give me a prompt saying that my organization requires a PIN for Windows Hello. I would hit next, then close the dialog asking for the PIN, and it would say there was an error or something, I'd hit OK and I'd be in Windows with no further Windows Hello harassment until I restarted. Once I got the device enrolled in Intune, it would apply the policy I have a policy that disables Windows Hello. However, a recent update to Windows seems to have made it impossible to bypass setting up a PIN. Because I can't enroll the device in Intune during the Windows Setup, the disable policy doesn't apply until after the PIN is established on the account. Once the PIN is set up on a Windows Account, it is not removed when Windows Hello is disabled via Intune/GPO, and it is seemingly impossible to remove manually. The only lead I've been able to find is to delete this folder: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\NGC\. However, Windows simply is not letting that happen, even after taking full ownership of the folder as a local admin. My only workaround is to first setup the device authenticating with my own account which will have the PIN. Then enroll in Intune with the user's account to their policies applied and Hello disabled. Then create the local admin account. Then add the users account. Then log into the local admin account and delete my account. Finally, log into the users account to create shortcuts and do QA. We use Bitlocker with a PIN that effectively does the same thing as Windows Hello with a PIN, except it also encrypts the disk. So I really don't see what it brings to the table besides a redundant password for users to memorize and extra help desk work when they forget it? How do I get devices configured without adding a bunch of work to get around Windows Hello?Global Secure Access client - connection problems
We have permanent problems connecting our Windows Clients with the GSA Client. The Health Check shows among other things, "No Hyper-V external virtual switch detected. : False" The Client has no Hyper-V Network adapter or Service installed. Very strange. Other Windows event Log entries are: - Device token acquisition failed with the following error: Failed receiving token due to network unreachable. - User token acquisition failed with the following error: WTSQueryUserToken failed with error code 1008. - Error occurred while requesting a new forwarding profile: Der angegebene Host ist unbekannt. (aps.globalsecureaccess.microsoft.com:443). Request Parameters: Microsoft Entra Device ID:Passwordless failing on Work Profile Authenticator
Seeing an odd issue when attempting to enable passwordless using the Microsoft Authenticator app on an Android phone. The policy is definitely applying as we're seeing other indicators such as geo location and app information in the MFA request, but when we attempt to enable passwordless for that account it returns "Device not registered". Device is corporate in Intune and showing recent last checking time. When we use the Authenticator App outside of the work profile it works fine. Possibly an App Protection policy causing it to fail? Although I don't see Microsoft Authenticator in the list of apps targeted by App Protection policy. Also our CA policy indicates "one of" for corporate or require app protection policies and the device is definitely enrolled using work profile. Anyone else come across this or have ideas?
Prefill Username for Authentication
Good morning, We have a landing page for two different tenants with different domains. For example, xyz.com and other.xyz.com. I want to create logic for a landing page where the user enters their name as email address removed for privacy reasons and is routed to the authentication for the appropriate tenant. That part is fairly trivial. The user is then presented with a dialog asking for their username and password by the EntraID IDP. Is there a way to prefill the username to eliminate the need to enter the password twice? Best regards, Scottpossible to prevent users from selecting security groups?
We have some AD synced and cloud only security groups with large memberships (think 'all employees', 'all contractors' etc) that are used for various administrative purposes. Is it possible to hide those groups or prevent users from selecting them to 'secure' their objects such as SharePoint sites and Power Apps?
Reset guest redemption status not possible after creating Multitenant Organization (MTO)
Hi all, we're on the path to creating a Multitenant Organization (MTO) for our global organization. We already have a relationship with one partner tenant which has B2B Collaboration and B2B Direct Connect set-up and is working well. We took the step of creating a Multitenant Organization in our 365 admin center and started testing with a sandbox tenant, which has since been removed. The issue we are having now, is that guest users which are not part of B2B Collaboration or an MTO cannot have their redemption status reset. I first found this wasn't possible from the error in a Power Automate workflow using Microsoft Graph, then confirmed I got the same error in Entra ID. The documentation for MTO was updated a few days ago and includes this, saying that as part of a multitenant organization, reset redemption for an already redeemed B2B user is currently disabled. But should this be the case for guest users not part of B2B Collaboration or Multitenant? Is this an error or expected behaviour, I wonder? Thanks!
Issues with Passkey Login Hanging on "Connecting to Your Device"
Hi everyone, I'm currently working on enabling passkey login for some users. I have a test account where I enabled the passkey and enrolled it in Microsoft Authenticator. However, when I try to log in and scan the key, it hangs on "connecting to your device." Has anyone encountered this issue before? How can I find the root cause, and which log would show what might be blocking me? Thanks in advance for your help!
Entra ID FIDO2 with multiple accounts returns "something went wrong" for the first sign-in attempt
I am finding there seems to be a bug possibly with Entra ID authentication when using FIDO2. In a scenario where a user has multiple accounts registered on their FIDO2 security key or Microsoft Authenticator in the same tenant, the first time they sign in the authentication process only sees one account. For example, an IT staff member may have a separate account used for administrative access. The first authentication attempt returns Something went wrong, trying again shows both accounts registered on the FIDO2 device, and the login is successful. I am able to consistently reproduce this with both a hardware FIDO2 token and using Microsoft Authenticator Cross-Device authentication on Android. This happens when authenticating to the Azure Admin portal, some Microsoft 365 PowerShell modules and some 3rd party applications. Interestingly it seems that possibly a newer authentication library for developers fixes the problem. I used to have the behavior in Exchange Online PowerShell, but the most current version of it never has the problem. Does anyone else see this behavior?
