Nov 14 2019 07:03 AM - last edited on Jan 14 2022 04:36 PM by TechCommunityAP
Hi Guys,
At this moment we are trying to migrate our environment to a Microsoft365-only environment.
We are running into a problem where Azure AD joined devices are prompted for their password while signing in to websites like https://portal.office.com/ or https://myapps.office.com/. We would like to accomplish that when users fill in their username, the Azure AD password is used automatically and the user is signed in without a password.
Our AD is synced to AzureAD using AAD Connect (Password Hash sync & SSO). I disabled MFA for a testuser, but the issue persists.
Does anyone have an idea what is going on?
Thank you in advance!
Regards,
Paul
Nov 14 2019 07:04 AM
Nov 14 2019 07:08 AM
Nov 14 2019 08:29 AM
Is the user logged in with their Azure AD credentials? And what does dsregcmd /status show? More specifically, what's the value for AzureAdPrt? You can learn about troubleshooting such scenarios here: https://docs.microsoft.com/en-us/azure/active-directory/devices/troubleshoot-device-dsregcmd
Nov 14 2019 09:04 AM - edited Nov 14 2019 09:07 AM
Users are indeed logged in with their Azure AD credentials. Looks like the AzureAdPrt settings are OK:
+----------------------------------------------------------------------+
SSO State
+----------------------------------------------------------------------+
AzureAdPrt : YES
AzureAdPrtUpdateTime : 2019-11-14 11:59:52.000 UTC
AzureAdPrtExpiryTime : 2019-11-28 16:48:11.000 UTC
AzureAdPrtAuthority : https://login.microsoftonline.com/1b32xxxx-xxxx-xx-xx-xxxx
EnterprisePrt : NO
EnterprisePrtAuthority :
Nov 14 2019 09:56 AM
And you still get asked for password? Are you using Edge? Chrome needs additional add-ins to support SSO via PRT.
Nov 14 2019 11:26 PM
It doesn't work in IE or in Edge. We are able to choose the account 'Connected to Windows'. This works. But when users choose 'Use another account' and fill in our username manually, the password should not be asked for.
Nov 15 2019 12:11 AM
No, that's not how it works. Only the "connected" account gets SSO.
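The dsregcmd /status check discussed in this thread, as an added PowerShell example that is not part of any poster's reply: it reads the SSO State section and reports whether a PRT is present and unexpired. The function names Get-SsoState and Test-AzureAdPrt are hypothetical, and the sample input is constructed from the output quoted above.

```powershell
# Added example; Get-SsoState and Test-AzureAdPrt are hypothetical helper names.
function Get-SsoState {
    param([string[]]$Lines)
    $state = @{}
    $inSection = $false
    foreach ($line in $Lines) {
        if ($line -match '^\s*\|?\s*([A-Za-z][A-Za-z ]*?)\s*\|?\s*$') {
            # Section title: words only, optionally framed by '|'.
            $inSection = ($Matches[1] -eq 'SSO State')
        }
        elseif ($inSection -and $line -match '^\s*(\w+)\s*:\s*(.*)$') {
            # Field such as "AzureAdPrt : YES". Only the first colon splits
            # name from value, since URLs and timestamps contain colons too.
            $state[$Matches[1]] = $Matches[2].Trim()
        }
    }
    return $state
}

function Test-AzureAdPrt {
    param([hashtable]$State, [datetime]$NowUtc = [datetime]::UtcNow)
    if ($State['AzureAdPrt'] -ne 'YES') { return 'NoPrt' }
    $raw = "$($State['AzureAdPrtExpiryTime'])" -replace '\s*UTC$', ''
    if (-not $raw) { return 'PrtPresentExpiryUnknown' }
    # Parse the timestamp as UTC so the comparison does not depend on the local time zone.
    $styles = [System.Globalization.DateTimeStyles]'AssumeUniversal, AdjustToUniversal'
    $expiry = [datetime]::ParseExact($raw, 'yyyy-MM-dd HH:mm:ss.fff',
        [cultureinfo]::InvariantCulture, $styles)
    if ($expiry -le $NowUtc) { return 'PrtExpired' }
    return 'PrtValid'
}

# Constructed sample, taken from the output quoted in the thread.
$sample = @'
+----------------------------------------------------------------------+
SSO State
+----------------------------------------------------------------------+
AzureAdPrt : YES
AzureAdPrtUpdateTime : 2019-11-14 11:59:52.000 UTC
AzureAdPrtExpiryTime : 2019-11-28 16:48:11.000 UTC
AzureAdPrtAuthority : https://login.microsoftonline.com/1b32xxxx-xxxx-xx-xx-xxxx
EnterprisePrt : NO
EnterprisePrtAuthority :
'@ -split "`r?`n"

$now = [datetime]::new(2019, 11, 14, 12, 0, 0, [System.DateTimeKind]::Utc)
Test-AzureAdPrt -State (Get-SsoState -Lines $sample) -NowUtc $now

# On a joined device, pass the live output instead:
# Test-AzureAdPrt -State (Get-SsoState -Lines (dsregcmd /status))
```

A PrtValid result only confirms SSO for the account shown as 'Connected to Windows'; as the last reply states, a manually typed username under 'Use another account' does not use the PRT.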