Apr 13 2022 09:46 AM
Apr 13 2022 09:46 AM
We're deploying our machines to Intune, using a GPO. Most of the times everything works fine, but I still have about 300 machines which didn't get into Intune, and now we're analyzing why.
After reading a bit, I've found that most of the devices which are not getting into Intune is because they are not enrolling with the user in Azure AD.
So after the machine gets into the domain, it will go to Azure AD Devices as well, as Hybrid Azure AD Joined, which is fine. But when Owner field is not populated with the user, the device will not join Intune.
Looking at those machines, and running the command "dsregcmd /status", the ones which are not ok, in the "SSO State" area, have the following error:
Server Error Code : interaction_required
Server Error Description : AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000002-0000-0000-c000-000000000000'.
The users can logon to Azure AD with their MFA working fine. So any clue on how can I correct this issue?
I've read about disabling security defaults in Azure AD, but in our case, it's already disabled.
Apr 13 2022 09:59 AM
Hi, So you are running a hybrid setup and those are existing devices. You have made sure those devices are in scope of the azure ad connect instance.
You are mentioning "they are not enrolling with the user in Azure AD.". Could you explain this a little bit more? Could you also confirm if those devices are azure ad joined and domain joined when looking at the dsregcmd status. While at it , I assume the azureprt is also "yes"
*Anything in the DeviceManagement-Enterprise-Diagnostic-Provider > Admin.
*Could you confirm the task schedules have been created
Resume: I guess we need some more info.... :)
Apr 14 2022 01:44 AM
Apr 14 2022 04:40 AM
Apr 14 2022 06:58 AM
Apr 14 2022 09:23 AM
Apr 15 2022 08:52 PM
- Ensure Modern Auth is enabled in the Org settings under admin.microsoft.com
- Disable sec defaults
- Disable the classic per user MFA and use CA policies to enforce MFA instead
- Target all users all cloud apps all devices all locations with Grant and Require MFA via CA policy
- Exclude Break the Glass accounts (max 2 Break the glass accounts are fine) from the CA policy
- Exclude SMTP accounts from the CA policy or move SMTP traffic to a third party like SMTP2GO and then create a CA policy to block legacy auth all together in the tenant
- Disable all forms of legacy auth/basic auth the Org settings under admin.microsoft.com
- see again if Devices are now auto enrolling into Intune ~300 are quite high number and there has to be a good reason
Apr 18 2022 12:56 AM
Jul 28 2022 10:17 PM
Aug 09 2023 10:31 AM