Modern Auth fails in Teams

Ryan Stone
Contributor

Has anyone had luck getting "modern authentication" to work with MS Teams? We have ADFS 3.0 and what we're seeing is that when users have to log in they get a nasty error screen, but upon closing it, the desktop client will state that modern auth failed and it is falling back to a different mechanism, and then all proceeds normally after that.

23 Replies

What's the error you are getting though?

Sorry to hijack your thread, but we are getting the error too.

These are the error messages we are getting:

TeamsError2.jpg

ADFS Error:

TeamsError1.jpg

After clicking the error away, everything seems to work just fine...

Thanks Patrick, that is exactly it.

UPDATE: I opened a ticket with Microsoft and the engineer believes the fix requires a change within ADFS to enable "Forms Authentication" in the Intranet zone as opposed to Windows (screenshot attached). However he could not speak to impacts that could cause with any other services so I'm unsure about moving ahead on it.

ADFS.jpg

I think you've probably misunderstood him, it's not "as opposed to". Both Forms and Windows auth need to be enabled to ensure that all applications will work properly. In addition, make sure that all relevant endpoints are also enabled, the windowstransport one in particular.

I used your suggestions here and for internal ADFS authentication it helped me get users logged on. So it seems that Windows authentication to ADFS with Microsoft Teams does not work yet, but the fallback to forms authentication at least lets the users log on.

Thanks for the info, really helped me a little further.

Best

Martin

Yes, that's a pretty common behavior with new apps especially, plus it doesn't really hurt to have Forms auth enabled. Glad it's working for you now :)

First feedback I got was, "I have to type the password, I thought we use single sign on" :)

So hopefully they will fix this in the near future, or else I gotta respond to that question more often.

Best

Martin

Anyone else get a resolution for this? I can't get it working without Forms Based Auth turned on, which I would prefer not to.

So just to clarify for myself here please ... does the Windows Desktop Microsoft Teams app Require Forms Based Auth to be Enabled for ADFS for Intranet in order to avoid the startup error/issue of "You can't get there from here" ... also, will Conditional Access Policies in Azure AD or Intune affect this? ... we have a CAP for MFA in Azure AD .... and it does include SharePoint and Exchange Online ... but the Policy is only applied for a handful of testers and everyone using Teams sees the initial error pop-up for the Desktop App ... will the Azure CAP affect this even though it's only applied to a few folks? We also have a CAP for Exchange Online in Intune and has 'Windows must meet the following requirements set for "Devices must be domain joined"' ... so is this the Policy that is causing the Startup error ... as details on the 'You can't get there from here' also say "Access Rules set require a device to domain joined" ... the computer running the MS Teams App is AD Domain Joined to the on-prem AD ... so is this Policy requiring that the Computer must either be Intune Registered or Azure AD Registered as well as being AD Domain Joined to the on-prem AD? ... thanks very much for any clarifications!

In our environment Teams works fine with Windows Auth through ADFS v2, giving a full SSO experience (except for Planner tabs for some reason). This thread is about a month old, things change fast so maybe it was fixed for this specific scenario already.

Conditional Access for Teams was announced yesterday, check out the article at

https://blogs.technet.microsoft.com/enterprisemobility/2017/06/06/azure-ad-conditional-access-now-su...

Thanks much Steven.

It seems it may be the conditional access policy for Exchange Online in Intune may be affecting the Desktop Teams App startup ... as the CAP for EOL does include 'Device must be domain joined' for Windows ... but I think it actually means either Azure AD 'joined' or 'registered' or Intune Registered as opposed to AD Joined to the on-prem AD.

I raised a Support call with Microsoft to see if I could get this resolved, and now it is fixed!

I was following some articles that advised that to get modern authentication working you need to set the "PromptLoginBehavior" setting for your federated domain(s) to "Disabled" to get this working using the following PowerShell command:

Set-MsolDomainFederationSettings -DomainName yourdomainhere.com -PromptLoginBehavior Disabled

(Note: for us this sometimes took up to 2 hours for the change to propagate.)

However in our DomainFederationSettings our MFA option was set to Null and product support recommended we use the same PowerShell command, but with all the parameter values specified:

Set-MsolDomainFederationSettings -DomainName yourdomainhere -PreferredAuthenticationProtocol WsFed -SupportsMfa $False -PromptLoginBehavior Disabled

This fixed our issue! Thanks support.

Ultimately ADFS was sending Azure AD a prompt=login parameter that wasn't getting translated to the appropriate endpoint type that supports Windows Integrated Auth.

(If you are running ADFS on 2012 R2 servers, it's worth noting this will only work if you have the July 2016 update rollup as well).

It is all now documented here:

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/ad-fs-prompt-login
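
The post above passes all three values explicitly; the sketch below derives them from the domain's current federation settings, so that only PromptLoginBehavior changes and a null SupportsMfa is flagged for a deliberate decision instead of being hard-coded. This is an added example, not code from the thread or from Microsoft: the function name New-PromptLoginPlan and the sample objects are hypothetical, and it assumes the MSOnline module that provides the cmdlets used in the post.

```powershell
# Added example (not from the thread). New-PromptLoginPlan is a hypothetical helper.
# It builds the parameter set for Set-MsolDomainFederationSettings from an object
# shaped like the output of Get-MsolDomainFederationSettings, without calling the tenant.

function New-PromptLoginPlan {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $DomainName,
        [Parameter(Mandatory)] [psobject] $Current,
        [ValidateSet('TranslateToFreshPasswordAuth', 'NativeSupport', 'Disabled')]
        [string] $PromptLoginBehavior = 'Disabled'
    )

    $params = @{
        DomainName          = $DomainName
        PromptLoginBehavior = $PromptLoginBehavior
    }
    $warnings = @()

    # Carry the existing protocol forward instead of assuming WsFed.
    if ($Current.PreferredAuthenticationProtocol) {
        $params.PreferredAuthenticationProtocol = [string]$Current.PreferredAuthenticationProtocol
    } else {
        $warnings += 'PreferredAuthenticationProtocol is empty; choose WsFed or Samlp explicitly.'
    }

    # SupportsMfa tells Azure AD whether the federated IdP handles MFA.
    # Preserve a value that is already set; never invent one when it is null.
    if ($null -ne $Current.SupportsMfa) {
        $params.SupportsMfa = [bool]$Current.SupportsMfa
    } else {
        $warnings += 'SupportsMfa is null; decide its value deliberately before applying.'
    }

    [pscustomobject]@{
        Parameters       = $params
        PreviousBehavior = $Current.PromptLoginBehavior
        Warnings         = $warnings
        ReadyToApply     = ($warnings.Count -eq 0)
    }
}

# Constructed sample inputs (not real tenant data).
$samples = @(
    # Matches the situation in the post: MFA option was null.
    [pscustomobject]@{ PreferredAuthenticationProtocol = 'WsFed'; SupportsMfa = $null; PromptLoginBehavior = $null }
    # A domain where MFA is performed at AD FS; this value must survive the change.
    [pscustomobject]@{ PreferredAuthenticationProtocol = 'WsFed'; SupportsMfa = $true; PromptLoginBehavior = 'TranslateToFreshPasswordAuth' }
)

foreach ($s in $samples) {
    $plan = New-PromptLoginPlan -DomainName 'yourdomainhere.com' -Current $s
    "ReadyToApply: $($plan.ReadyToApply)"
    $plan.Parameters.GetEnumerator() | Sort-Object Name | ForEach-Object { "  -$($_.Name) $($_.Value)" }
    $plan.Warnings | ForEach-Object { "  WARNING: $_" }
}

# Against a live tenant (requires Connect-MsolService first):
#   $current = Get-MsolDomainFederationSettings -DomainName 'yourdomainhere.com'
#   $plan    = New-PromptLoginPlan -DomainName 'yourdomainhere.com' -Current $current
#   if ($plan.ReadyToApply) { $p = $plan.Parameters; Set-MsolDomainFederationSettings @p }
```

Keep the output of Get-MsolDomainFederationSettings from before the change so the previous values can be restored if sign-in behavior regresses.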

 

 

Tyson, thank you very much for this information. It's very helpful!

kindly, Mike

Pretty interesting to see this Modern Auth error, even when ADFS is not being used. And never has for the tenant encountering that issue.

Cheers,
Thomas

Just looked at this also and was able to get it going with the provided info. Has anyone been able to get the user's email to populate for the user ID? Skype does this by getting an attribute from AD and it is extremely slick because it doesn't require user intervention if they login to a new/different PC.

Thanks Tyson, that worked perfectly for us. 

I have seen this issue also on devices that are not domain-joined after a fresh install of O365.
This reg-tweak fixed it finally:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity]
"Version"=dword:00000001
"EnableADAL"=dword:00000001

@Patrick Adriaansen/All, I am facing the same issue, even though I have not published Teams through ADFS.

Should I have to remove the modern authentication? And from where can I do that?

Thanks in advance.

@NawazKhan I am facing the exact same issue. Were you able to find a solution for this? 

Hi @Apoorva_MSGTECH, my issue was due to a Conditional Access policy in portal.azure.com which was applied to my user, on the app "office 365 sharepoint online", which includes MS Teams as well. So after removing my user from the conditional access policy, my issue was resolved. For more detail please have a look at ( https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/app-based-mfa )

I am looking for a way where I can use Conditional access without having the Modern Authentication failing. I do have Conditional access enabled for my user. @NawazKhan 

I do not use (nor know anything about ADFS). We are seeing the same error but with a different error code.

Modern Authentication failed here, but you'll still be able to sign in. Your status code is caa82ee2.

Anyone know what that specific error code is?
