Forum Widgets
Latest Discussions
Windows Hello for Business 0x80090010 NTE_PERM
Hi all, I'm encountering an issue with Windows Hello for Business on the latest version of Windows (July 2025 update). The setup process fails during initialisation, and no biometric or PIN options are being provisioned for the user. Environment: Windows version: 11 24H2 Enterprise (latest update) Deployment mode: Hybrid Cloud Trust Hybrid joined devices Symptoms: Users are prompted to set up WHfB but the process fails at the last step with error 0x80090010 Users who already have WHfB authentication methods created can successfully login Event ID 311 & 303 in the User Device Registration logs Screenshots: Troubleshooting so far: Unjoined and rejoined to Entra ID Granted modify permissions on folder in which NGC container would be created Rolled back to June 2025 update (this worked) So it seems like this is caused or related to the latest Windows Update, which is rather unfortunate for us as we are just beginning to rollout WHfB for our organisation. I'm posting here to raise awareness of the issue, if there is a more appropriate place to post then please suggest.
Challenges with New MFA and SSPR Policies: Need Guidance
I am currently transitioning our Self-Service Password Reset (SSPR) and Multi-Factor Authentication (MFA) to the new Authentication Methods policy, moving away from legacy policies. However, the lack of clarity on which methods are compatible with both scenarios is quite frustrating, and I wonder if I might be missing something. Our goal is to exclusively use the Authenticator app and security keys for both MFA and SSPR, eliminating all other methods. Additionally, we want to maintain the requirement of two methods (Authenticator app and security key) for password changes. We are in the process of distributing security keys to all staff. The issue I’m encountering is that while Microsoft promotes this new portal as a unified solution for both MFA and SSPR, not all methods are supported across both. Specifically, the security key does not currently work for SSPR. If I am unable to use the security key for SSPR and must resort to a less secure second method, I would at least like to disable that less secure method for MFA. However, it seems there is no way to configure this in the policy. Am I on the right track here? I am aware that Authentication Strengths can be configured—perhaps this is where I should focus? Any advice or discussion would be greatly appreciated.Allow any UTF8 characters in Microsoft account passwords
Hello, I tried to use characters like «¼∃≒∀» in passwords and the form always reject them while local windows accounts and on premise domain controllers accept them. I opened a support ticket to report this as a bug and was told it works this way by design (case 28980531). Was also directed here if I had any suggestions so here I am: please allow any and each UTF8 characters in your online service in the password field. Not being able to is a regression from using on premise domain controller that gladly accept even emojis in passwords. Thank you.
Best setup for multiple machines
I have a live account for my email address as I have a surface and originally registered for an account to use for machine backups, browsing syncing etc. I also use onenote and wanted it syncing to a 365 onedrive account so I signed up for office 365 business basics so that I could sync onedrive and all of the associated attachments, audio records etc to it. I would love to use use the paid business account but I cant sign into the surface with the business account, only home accounts as I dont have pro. The next issue is that I use another laptop, android tablet and phone also signing into the business 365 account. These all used to sync fine but now, all other devices disconnect as the one you have signed into it connects. Not a major issue, you sign into the device you want to use, sync and then continue However i jump from device to device that often that it starts to grate on me that i cant just grab a device and sync. Is there any way I can register each device so that they are trusted and then more than one device can stay connected.
Token replay question
I had a case of a user being phished and their token being used in a replay attack. The replay appeared in the sign in logs from a different IP address to the "true" users IP. I then saw activity on the account originating from the original IP until we killed the session a few hours later. I had someone suggest that in a token replay the M365 audit\activity logs and Entra ID signing logs will show the original persons IP, not the attackers. Can anyone confirm this?Web Sign-In: Alert QR Code/Code for Mobile
Had 2FA turned off in the work account, on the web login screen a reminder only a few logins allowed without the Authenticator. Fair enough so instead of logging in, got out the Android tablet and installed the Authenticator and logged in with the account there, no problems. A few minutes later attempted to log in to the account on web, this time it presented a QR code with the link "phonefactor:/activateaccount .... mobileappcommunicator.auth ..." which didn't seem to go well in Android using QR scanner or camera. The web login suggested an alternative to the QR code, an 8? digit code, but nothing in the Authenticator app seemed to want it. All of a sudden everything seems to work fine, the web login (with a note that 2FA was used in the login) and the Authenticator on the tablet, thus turning out as a good news ending to a slightly shaky start. :)Azure MFA "Activation Failed" error with Microsoft Authenticator App
We've opened a premier ticket, but has anyone in the community seen this error before? We've got a few users that can't set up the Microsoft Authenticator app, and nothing we do is working. This is rolling out to all of our users overnight tonight, and none of our global testing has run into anything like this.
CA policy for corporate devices
I would like to create a conditional access policy to block all non corporate devices from accessing Office 365 resources. I created a policy: Applies to -> User Group Applies to -> all resources Applies to -> Win 10 Filter for devices exception-> Ownership: company & trust type: Entra Hybrid joined. Action: block The above works fine for office desktop login, i.e. blocks non corporate devices and allows corporate devices. However, a side effect is that sign ins from browser on a corporate device is still blocked.
Evolution with business account (oauth2)
Recently domainFactory migrated mail to Microsoft 365 business accounts. I used to use the Evolution mail client (Fedora Linux, flatpak version) for mail. Unfortunately I am not able to login to my account with Evolution. You can find my discussion here: https://gitlab.gnome.org/GNOME/evolution-data-server/-/issues/515#note_2384010 I also noticed that the login is no problem with a personal account. Does anybody have experience with this?
