Forum Discussion
Very big trouble after joining domain
Faber can you explain in some more details what exactly is the issue he's having with SPO? Device registration should not matter in general, unless you have some policies configured to restrict access to only AAD-joined devices.
I try to re-explain the matter.
I have a user whose notebook was previously in workgroup mode, before joining a new Windows 2016 domain.
Before the join, he had Office 2016 installed and an O365 Business Premium license. He also created, and is the owner of (I checked), some SharePoint Team Sites. Before the join, if he needed to modify a Word document in one site, he opened the browser, authenticated with his name.surname@domain.ext and password credentials, clicked on the document and selected modify document with the Word installed on the computer (not online).
So I created a domain and joined his computer, with the ForensiT tool Profwiz, to maintain his profile.
After this, the same operation doesn't work, and in Azure AD I see the log I attached in the first post.
The Office application, for example Word 2016, asks for authentication; he enters his account as I wrote (name.surname.... and password), Office asks for the password another time, and Word hangs with this error:
Something went wrong
We weren't able to register your device and add your account to Windows. Your access to org resources may be limited. (I translated the error because it is in Italian)
He also has the To Do app downloaded from the Windows app store, and it also doesn't work, with error 0x80070520.
I also removed the O365 credentials from Windows Settings and tried to reconnect, but with the same result:
Something went wrong
We weren't able to register your device and add your account to Windows. Your access to org resources may be limited.
So the user is unable to use the O365 SharePoint site, and I don't know if there are some other matters.
Another detail: if I use the Office 365 admin account instead of the user account to log in as described before, so with the username in my case in the format admin@tenantdomain.onmicrosoft.com and password, the login is successful and in the Azure AD log I see the device is registered.
He is actually the only user who has this issue, because he is the only user who has Windows 10 (17134); Win7 Pro users seem not to have this issue.
I have some headache after a week of also waiting on Microsoft 365 support for help and feedback...
I also configured the domain users so that the username is the userPrincipalName attribute, that is name.surname@domain.ext like in O365; and I haven't synced anything from my local Active Directory to the Azure AD "free version" in O365, for example password hashes or anything else.
I hope it is a bit clearer now, and sorry for my bad English, I suppose ;)
- VasilMichev, Dec 05, 2018, MVP
So it does seem like device registration is enforced for their organization? Can you check the settings in the Azure AD portal, namely the "Users may join devices to Azure AD" group under https://portal.azure.com/#blade/Microsoft_AAD_IAM/DevicesMenuBlade/DeviceSettings/menuId/
In addition, check for any Intune or Conditional Access policies that are enforcing the device registration requirement.
- Faber, Dec 05, 2018, Copper Contributor
"Users may join devices to Azure AD" --> is set to TUTTO, so I think in English mode it is ALL, without any user specified.
Check for any Intune or Conditional Access policies --> We don't have Intune, or Azure Premium either.
Meanwhile I did a dsregcmd /status (see previous post) and also changed the UPN for the username to domain.local, but the problem still remains.
- Reinhard Schuerer, Dec 05, 2018, Copper Contributor
Have you tried it with a new user profile on the client after changing the UPN?
- Reinhard Schuerer, Dec 04, 2018, Copper Contributor
Do you use the same domain name for your local Active Directory as you use in Office 365?
- Faber, Dec 05, 2018, Copper Contributor
Mmhhm.. my O365 domain is domain.it and domain.onmicrosoft.com
My AD domain is domain.local, but I also added a UPN of domain.it and users log on to computers as user@domain.it, because in the near future I want to set up password hash synchronization.
- Reinhard Schuerer, Dec 05, 2018, Copper Contributor
That causes all the trouble, as you mix up your local and Office 365 authentication. You would need directory synchronization and ADFS to log in with one account for the domain and Office 365.
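The last exchange comes down to whether every on-premises user's UPN suffix is a domain the Office 365 tenant actually owns, since that is what directory synchronization will match on. The PowerShell report below is an added example, not code posted by anyone in this thread; it assumes the ActiveDirectory RSAT module is installed and uses the domain names mentioned in the thread (domain.it, domain.onmicrosoft.com, domain.local) purely as constructed sample values.

```powershell
# Added example (not from the thread): list on-prem AD users whose UPN suffix is not one of
# the tenant's verified domains, so identities can be aligned before enabling password hash sync.
# Requires the ActiveDirectory RSAT module and read access to the directory.

Import-Module ActiveDirectory

# Assumed: the domains verified in the Office 365 tenant (values taken from the thread as examples).
$TenantDomains = @('domain.it', 'domain.onmicrosoft.com')

# UPN suffixes the forest can issue: the forest root name plus any alternative suffixes added to it.
$Forest = Get-ADForest
$ForestSuffixes = @($Forest.RootDomain) + @($Forest.UPNSuffixes)
Write-Host "UPN suffixes available in the forest: $($ForestSuffixes -join ', ')"

# A routable tenant domain that is not registered as a UPN suffix cannot be assigned to users at all.
$missing = $TenantDomains | Where-Object { ($_ -notin $ForestSuffixes) -and ($_ -notlike '*.onmicrosoft.com') }
if ($missing) {
    Write-Warning "Tenant domain(s) not registered as a UPN suffix in the forest: $($missing -join ', ')"
}

# Every enabled user whose UPN suffix would not match a tenant domain (for example a .local suffix).
Get-ADUser -Filter 'Enabled -eq $true' -Properties UserPrincipalName |
    ForEach-Object {
        $upn = $_.UserPrincipalName
        $suffix = if ($upn) { $upn.Split('@')[-1] } else { $null }
        [pscustomobject]@{
            SamAccountName    = $_.SamAccountName
            UserPrincipalName = $upn
            Suffix            = $suffix
            MatchesTenant     = [bool]($suffix -and ($TenantDomains -contains $suffix))
        }
    } |
    Where-Object { -not $_.MatchesTenant } |
    Sort-Object Suffix, SamAccountName |
    Format-Table -AutoSize
```

Run it from a domain-joined management host; an empty table means every enabled account already carries a suffix the tenant can match, which is the state you want before turning on synchronization.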