SOLVED

PowerShell MSOL and hybrid domain joined


Since we have a conditional access control requiring a domain joined device and MFA to access Azure management, when we are using PowerShell it seems like PowerShell cannot recognize the device as domain joined, and access is blocked due to the domain joined access control after MFA is performed. Any idea why?

3 Replies
Hi,

Did it work before at all? It’s tough to guess without sharing the setting for Conditional Access.

Are the PCs hybrid joined or only Azure AD? If hybrid joined, you have to sync the PCs to the cloud in order for CA to work as expected.

Thanks!
Moe
best response confirmed by Frederick_Po (Occasional Contributor)
Solution

@Frederick_Po

hmm, actually I can not reproduce this.

My device is AAD hybrid joined and we have CA policy requiring hybrid joined devices and another one basically blocking "other clients" aka basic authentication. What are your AAD Sign-In Logs saying exactly .. or the Windows Application and Services - AAD logs?

My machine:

+----------------------------------------------------------------------+
| Device State |
+----------------------------------------------------------------------+

AzureAdJoined : YES

with a valid PRT:

+----------------------------------------------------------------------+
| SSO State |
+----------------------------------------------------------------------+

AzureAdPrt : YES
AzureAdPrtUpdateTime : 2020-04-15 05:58:26.000 UTC
AzureAdPrtExpiryTime : 2020-04-29 12:26:36.000 UTC

and I can successfully connect to Azure AD using the Connect-MsolService cmdlet.

Actually using "Manifest 1.1.183.57 MSOnline"

Maybe you have to update the module installed, aka C:\> Update-Module MSOnline

hth,

Claus

AzureAdPrt was the problem, fixed it and everything was working afterwards. Thank you for pointing me in the right direction!
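
The device-state check that resolved this thread, as an added example that is not part of the original posts: it parses status text in the layout quoted in the accepted answer (assumed here to come from `dsregcmd /status`) and reports whether the device is hybrid joined and holds an unexpired PRT. The function names, the `DomainJoined` line in the sample, and the sample itself are constructed for illustration.

```powershell
# Added example: summarize the fields a "require hybrid joined device"
# Conditional Access policy depends on, from `dsregcmd /status` text.

function ConvertFrom-DsregStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    $fields = @{}
    foreach ($line in $Lines) {
        # Data lines look like "AzureAdPrt : YES"; banner lines (+---, | ... |) do not match.
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9]*)\s*:\s*(.*?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }
    $fields
}

function Test-HybridJoinState {
    param([Parameter(Mandatory)][hashtable]$Fields, [datetime]$Now = [datetime]::UtcNow)
    $expiry = $null
    # Expiry is printed as "yyyy-MM-dd HH:mm:ss.fff UTC"; parse the leading timestamp as UTC.
    if ($Fields['AzureAdPrtExpiryTime'] -match '^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})') {
        $styles = [Globalization.DateTimeStyles]'AssumeUniversal, AdjustToUniversal'
        $expiry = [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd HH:mm:ss',
            [cultureinfo]::InvariantCulture, $styles)
    }
    [pscustomobject]@{
        HybridJoined = ($Fields['AzureAdJoined'] -eq 'YES' -and $Fields['DomainJoined'] -eq 'YES')
        HasPrt       = ($Fields['AzureAdPrt'] -eq 'YES')
        PrtExpiryUtc = $expiry
        PrtCurrent   = ($null -ne $expiry -and $expiry -gt $Now)
    }
}

# Constructed sample mirroring the fields quoted in the thread
# (the DomainJoined line is an assumption added for the hybrid-join check).
$sample = @'
AzureAdJoined : YES
DomainJoined : YES
AzureAdPrt : YES
AzureAdPrtUpdateTime : 2020-04-15 05:58:26.000 UTC
AzureAdPrtExpiryTime : 2020-04-29 12:26:36.000 UTC
'@ -split "`r?`n"

Test-HybridJoinState -Fields (ConvertFrom-DsregStatus $sample) -Now ([datetime]'2020-04-16')

# On a Windows client, feed live output instead:
# Test-HybridJoinState -Fields (ConvertFrom-DsregStatus (dsregcmd /status))
```

The SSO State section is reported for the user the command runs as, so run the check in the same user session that launches PowerShell for Connect-MsolService.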