Guest access and Windows 10 Azure AD connected devices

Darrell Webster
MVP

I use a Windows 10 computer connected to Azure AD in one tenant I manage. 

I sign into the Microsoft Teams desktop app in a different tenant and happily work in that tenant. But when I switch to a tenant and team where I am guest, Windows 10 cuts in and tries to sign me into the Azure AD connected tenant. 

I know this will only affect consultants like me, who sign in and out of different tenants and are guests in multiple projects. I just wondered if anyone else experiences this behaviour. 

It's as if the Windows 10 AAD connected domain overrides the tenant switching in Teams, signs me out of the tenant and identity I'm using, and tries to sign me in with the AAD connected identity. 

I'll try to create a video later to explain it, blurring details where appropriate.

[Image: Teams-switching-AAD-connected-computer.png]

6 Replies
Part of SSO with Azure joined Windows 10, which makes it nice for most users but can be problematic in consultant world :p. I have to do some digging, but I remember someone posted how to sign out or start Teams to bypass the auto login; just can't remember what that was :).

Thanks Christopher. It's just good to know there's a way around it. If you recall how to bypass, reply when you can.

I'm trying to figure it out on my AzureAD Connected machine and when I click sign out in the menu it signs me out and prompts for login creds. So yours just signs out and in?

My experience signs out. I can sign in with tenant IDs that are different to the ID used with Azure AD join.

e.g. Laptop is AAD joined using contoso.com. I sign into Teams as ruby.com. Ruby.com is a guest team member of a team in emerald.com.

But as soon as I try to switch to a guest Team in emerald.com

  1. AAD join takes over, signs me out of ruby.com
  2. Signs me in with contoso.com
  3. Then tries to sign into the guest team in emerald.com, where it is not a guest. 

I’m considering removing my laptop from AzureAD Join and forgoing those benefits, just so I can use Teams the way it’s designed. 

Have you tried https://meetfranz.com/ ? For someone like you working on a bunch of tenants this might be a savior.

Hi @Deleted, Franz looks interesting. I'll try it. At first impression, it feels like a web browser and each service is a tab in the browser. Restarting Franz signs me back into Outlook for Office 365 service. The Microsoft Teams service tabs took almost a full minute to sign in, but seem to keep the session auth separate. 

Thanks for the reference :)
