jjgage
Brass Contributor
May 12, 2020
Solved

Teams desktop client macOS authentication prompt

Does anyone know why only the Teams desktop client for macOS (on BYOD) continually prompts a modern auth popup box when the Exchange Online app principal is disabled?

 

I found this out by running:

(Get-MsolServicePrincipal -AppPrincipalId 00000002-0000-0ff1-ce00-000000000000).accountenabled

and it was disabled.

 

Once I enabled EXO, the popup stopped appearing.......

 

Only macOS users were affected, Windows desktop clients (on BYOD) were fine and never prompted (unless token expired and 2FA forced on next launch).

 

I have attached a video to show the popup, it flashes up then disappears. All day for the affected users.

 

I believe that modern auth was enabled a while ago and since it was enabled the popup started for BYOD macOS users.

 

Any help appreciated! Thanks

  • jjgage Okay, I think I may have figured out what's going on in our tenant. I logged into Teams in the browser with the Developer console open and I'm seeing errors like this one:

     

    AUTHADAL: Attempting to handle auth response: error:AADSTS500014: The service principal for resource 'https://*.microsoftstream.com' is disabled. This indicate that a subscription within the tenant has lapsed, or that the administrator for this tenant has disabled the application, preventing tokens from being issued for it., resource:https://*.microsoftstream.com, error mapped to action:resourceDisabled

     

    We have Microsoft Support working on our Stream tenant and as part of that process, we were required to disable the application from the Enterprise Applications blade of the Azure AD admin center. I suspect this may be the cause of the repeated authentication prompts. Strange that it's only affecting Teams on Mac. 🤷‍
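The two checks from this thread combined into one pass, as an added example that is not part of any post: it pulls the resource named in AADSTS500014 console errors and lists every disabled service principal in the tenant, flagging those whose ServicePrincipalNames include that resource. It assumes the MSOnline module used in the original post and a signed-in Connect-MsolService session; the function names and sample log lines are constructed for illustration, and matching the error's resource string against ServicePrincipalNames is an assumption.

```powershell
# Added example, not from the thread. Assumes the MSOnline module (as in the
# original post) and an existing Connect-MsolService session.

# Constructed sample input, modelled on the console error quoted above
# (message text shortened).
$consoleLines = @(
    "AUTHADAL: Attempting to handle auth response: error:AADSTS500014: The service principal for resource 'https://*.microsoftstream.com' is disabled. (text shortened), error mapped to action:resourceDisabled",
    "AUTHADAL: token acquired for resource https://example.invalid"
)

# Hypothetical helper: extract the resource named in each AADSTS500014 error.
function Get-DisabledResourceFromLog {
    param([string[]]$Lines)
    $pattern = "AADSTS500014: The service principal for resource '([^']+)' is disabled"
    $Lines | ForEach-Object {
        if ($_ -match $pattern) { $Matches[1] }
    } | Sort-Object -Unique
}

# Hypothetical helper: list every disabled service principal and note which
# ones carry a resource seen in the errors (assumed to appear in
# ServicePrincipalNames; -contains compares case-insensitively).
function Get-DisabledServicePrincipalReport {
    param([string[]]$Resources)
    Get-MsolServicePrincipal -All |
        Where-Object { -not $_.AccountEnabled } |
        ForEach-Object {
            $sp = $_
            $hits = @($Resources | Where-Object { $sp.ServicePrincipalNames -contains $_ })
            [pscustomobject]@{
                DisplayName    = $sp.DisplayName
                AppPrincipalId = $sp.AppPrincipalId
                AccountEnabled = $sp.AccountEnabled
                SeenInErrors   = ($hits -join ', ')
            }
        }
}

$resources = Get-DisabledResourceFromLog -Lines $consoleLines
Get-DisabledServicePrincipalReport -Resources $resources |
    Sort-Object SeenInErrors -Descending |
    Format-Table -AutoSize
```

Rows with a value in SeenInErrors are the disabled principals that line up with the prompts; the remaining rows are other disabled principals worth reviewing before re-enabling anything.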

10 Replies

  • Smith_J
    Brass Contributor

    If users have already signed in to other Office apps through their Office 365 Enterprise account, when they start Teams they're taken straight to the app. There's no need for them to enter their credentials.

    If users are not signed in to their Office 365 Enterprise account anywhere else, when they start Teams, they're asked to provide either single-factor or multi-factor authentication (SFA or MFA), depending on what your organization has decided they'd like the process to entail.

     

    If users are signed in to a domain-joined computer, when they start Teams, they might be asked to go through one more authentication step, depending on whether your organization opted to require MFA or if their computer already requires MFA to sign in. If their computer already requires MFA to sign in, when they open up Teams, the app automatically starts.

     

    If users are signed in to a domain-joined computer and you don't want their user name pre-populated on the Teams sign-in screen, admins can set the following Windows registry to turn off pre-population of the user name (UPN):

    Computer\HKEY_CURRENT_USER\Software\Microsoft\Office\Teams

    SkipUpnPrefill(REG_DWORD)

    0x00000001 (1)

    When users start Teams, their computer won't be able to pull their credentials from their Office 365 Enterprise account or any of their other Office applications. Instead, they'll see a prompt asking them for SFA or MFA (depending on your organization's settings). Once users enter their credentials, they won't be required to provide them again. From that point on, Teams automatically starts whenever they're working on the same computer.

    • jjgage
      Brass Contributor

      Smith_J wasn't anything to do with the login itself, that worked fine with and without MFA - it was some kind of loop. Did you see the video I posted? It flashes up for less than 1 sec then disappears, then does the same whenever you use the search to start typing someone's name. It's very strange and I have never seen it before. Only affected macOS too... maybe Catalina bug?

  • Ryan Steele
    Bronze Contributor

    jjgage I'm also seeing issues with Teams on macOS repeatedly displaying an authentication prompt. In my case, it occurs whenever I switch to the Calendar tab. I checked the Exchange Online service principal and it was already enabled.

    • jjgage
      Brass Contributor

      Ryan Steele Are your users using EXO for mail or still On-Prem? And are you Hybrid or Azure only?

      • Ryan Steele
        Bronze Contributor

        jjgage We are in Exchange Hybrid with Exchange 2013 on-premises, and the affected users I'm aware of are all in EXO (previously on-prem and migrated).  