04-16-2018 09:20 AM
I recently changed the default email/login (the domain part) for my Office 365 account. I use this account to sign into (AAD) my Windows 10 machines (two machines - one Enterprise, one Workstation Pro).
Since I changed the account every time I unlock the machine using either Windows Hello or my PIN I am immediately prompted to re-enter my credentials via the message:
"Windows needs your current credentials. Please lock this computer, then unlock it using your most recent password or smart card"
If I lock the PC and then unlock it using the password (not Hello or PIN) the problem is resolved until I unlock it again using either Hello or PIN - at which point the same message is raised. If I ignore the error, which doesn't seem to cause any problems, I am just re-prompted every few minutes (very annoying).
One of the machines has had Windows reinstalled since the username change, but still sees the issues. I have also logged out of both devices and changed my password via the admin portal. But I still see the issue. I've also reset the PIN - the problem still happens.
I do not see any errors in the Windows event log that tie up to the time when this message appears, or when the PC's are unlocked.
One option to consider is that this AAD tenant was previously synced to an on-premises domain. But it is no longer synced. This was removed intentionally several months before this problem started. I only note this because Windows still sees my username as olddomain\username, whereas I would have expected it to go back to AzureAD\email@example.com (even on fresh installs).
04-16-2018 10:53 AM
I guess the root cause here is that using a password vs using a method such as Hello triggers a different auth flow, and is governed by different rules when it comes to token expiration. But that's just a guess and a proper investigation will require capturing some network traces to get the relevant details.
If you can reliably reproduce the issue, open a support case and work with the engineers to gather some diagnostics info.
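An added diagnostic example (not posted by anyone in this thread) for the "gather some diagnostics" suggestion above and the symptoms in the first post. It assumes an Azure AD-joined Windows 10 device, that the field names match current `dsregcmd /status` output (`AzureAdJoined`, `AzureAdPrt`, `AzureAdPrtUpdateTime`, `NgcSet`, `Executing Account Name`), and that the `Microsoft-Windows-AAD/Operational` log is present. The premise it tests, stated as an assumption, is that Hello/PIN unlock on an AAD-joined device is backed by the Primary Refresh Token (PRT), so a missing or stale PRT is the first thing to rule out when only Hello/PIN unlocks trigger the prompt while a password unlock clears it.

```powershell
# Added diagnostic script (not from the thread). Assumes an Azure AD-joined
# Windows 10 device with dsregcmd.exe and the Microsoft-Windows-AAD/Operational
# log. Run in an elevated PowerShell session as the affected user, shortly
# after the "Windows needs your current credentials" prompt appears.

function Get-DsregStatus {
    # dsregcmd /status prints "   Key : Value" lines; fold them into a hashtable.
    $status = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([^:]+?)\s*:\s*(.*)$') {
            $status[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    return $status
}

function Test-PrtHealth {
    param([hashtable]$Status, [int]$MaxAgeHours = 12)
    # Assumption: Hello/PIN sign-in relies on the PRT. Report a missing PRT,
    # one not refreshed within $MaxAgeHours, or a missing Hello (NGC) key.
    $findings = @()
    if ($Status['AzureAdJoined'] -ne 'YES') { $findings += 'Device is not Azure AD joined' }
    if ($Status['AzureAdPrt'] -ne 'YES')    { $findings += 'No Azure AD PRT present on this device' }

    # AzureAdPrtUpdateTime looks like "2018-04-16 13:20:11.000 UTC"; drop the
    # suffix and compare against current UTC time.
    $raw = $Status['AzureAdPrtUpdateTime']
    $updated = [datetime]::MinValue
    if ($raw -and [datetime]::TryParse(($raw -replace '\s*UTC$', ''), [ref]$updated)) {
        if ($updated -lt (Get-Date).ToUniversalTime().AddHours(-$MaxAgeHours)) {
            $findings += "PRT last updated $updated UTC (older than $MaxAgeHours h)"
        }
    } elseif ($raw) {
        $findings += "Could not parse AzureAdPrtUpdateTime: '$raw'"
    }
    if ($Status['NgcSet'] -ne 'YES') { $findings += 'No Windows Hello (NGC) key registered for this user' }
    return $findings
}

$s = Get-DsregStatus

# Join state and how Windows names the signed-in account; the thread's
# olddomain\username vs AzureAD\user@domain observation shows up here.
'AzureAdJoined', 'DomainJoined', 'DomainName', 'TenantName',
'Executing Account Name', 'AzureAdPrt', 'AzureAdPrtUpdateTime',
'AzureAdPrtAuthority', 'NgcSet', 'WamDefaultSet' |
    ForEach-Object { '{0,-25}: {1}' -f $_, $s[$_] }

$problems = Test-PrtHealth -Status $s
if ($problems) { $problems | ForEach-Object { "FINDING: $_" } } else { 'PRT state looks healthy' }

# Token-broker errors and warnings from the last 24 h (Level 2 = Error,
# 3 = Warning). These often carry the error text the generic prompt hides.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-AAD/Operational'
    Level     = 2, 3
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap -AutoSize

# Lock/unlock times to correlate with the events above. Security event
# 4800 = workstation locked, 4801 = unlocked; both require the
# "Audit Other Logon/Logoff Events" subcategory to be enabled.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4800, 4801
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id | Format-Table -AutoSize
```

Run it once after a password unlock (when the prompt stops) and once after a Hello/PIN unlock (when it returns), and diff the two outputs: a change in `AzureAdPrt`, `AzureAdPrtUpdateTime` or a burst of AAD Operational errors between the 4800/4801 pair is the evidence worth attaching to a support case. The `-ErrorAction SilentlyContinue` on `Get-WinEvent` only hides the "no events found" error, so an empty table means nothing was logged in the window, which matches the first poster's observation.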
11-22-2018 10:53 AM - edited 11-22-2018 10:54 AM
We are having similar issues to this and this older post https://answers.microsoft.com/en-us/windows/forum/windows_10-security/windows-10-domain-joined-locki...
We have an on-site domain used for Windows authentication that is separate from an ADFS domain used for O365 ProPlus Click-to-Run activation. Both accounts share the same email address user object attribute.
I think the two sets of credentials and authentication might be conflicting? Did your issue get resolved? Any recommendations?
04-03-2019 09:29 AM
Same problem here: an AAD-joined device constantly prompts the user for their current creds.
Does anyone have a solution?
05-31-2019 12:38 AM
@Arielalt I do not know for sure, but when I removed the domain sync I cleaned up the sync account in AAD by deleting it. The account name looks something like this: Sync_DC1_d7236f409c87@[yourdomain].onmicrosoft.com
I restored that account in the Office 365 interface and the problem stopped. I've left it there ever since - too scared to delete it.
It doesn't sound like it should be the cause - and I cannot be certain it was the fix but the problem has gone away.
If you have this issue still I would engage MS Support.
06-03-2019 08:01 AM
We are still getting the message. I haven't attempted to remove the AD Connect as in the previous response. I have had a ticket open with Microsoft for two months now, as they are apparently too busy to get this resolved for us. Glad it is not actually causing problems...
10-18-2019 12:32 PM - edited 10-18-2019 12:34 PM
We are facing the same issue. But we still use an on-prem AD, with AD Connect.
Did anyone ever resolve this issue?
10-18-2019 12:35 PM
@DjTjon01 Sadly no. Everyone still gets the message. The PSA was to ignore it but geez, that does not look the greatest from the IT side. MS still has yet to respond to my emails on this one either. Cannot for the life of me figure out what caused this one.