Azure AD Conditional Access Hybrid joined OR MFA - Shows MFA (phone)


Hi everyone,

 

We have all our clients hybrid joined to be able to check for domain-joined devices. I installed the extension for Chrome (Win10) and added the reg key for Windows 7 as described here:

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/technical-reference#chrom...

 

But when using Teams and a tab containing a "SharePoint page", the client asks for MFA. Opening Teams does not need MFA.

 

So I dug a bit deeper and found out that Chromium is used as the browser for the tabs. It shows up as Chrome 61 in the sign-in logs. It's OK, but can you please add the "Addin" to this browser? In Win7 it shows a popup where you need to select the MS Org certificate.

 

Best regards

Stephan

2 Replies
Hi,

Does anyone else experience this problem?
We want to make "Teams" the start of the day, with tabs that open up our Intranet site and maybe the "Your Day" page. But it still triggers MFA because it does not recognize hybrid join.

Best regards
Stephan

@StephanGee 
We experience the same issue: users add Excel documents as a tab and they get the label showing that they cannot download or print the document, since the policy thinks they are not on a Hybrid joined machine, but they are.

 

Can't find any solution on the web for this issue.

BR Niclas