
Your Sign-in was successful but does not meet the criteria to access this resource


I was at Ignite for the first time and an MVP, Chris if memory serves, suggested I post this here because he had not heard of this kind of an issue before.  The end result we are looking for is for a public school director to access a team as a guest in our local government's tenant.  She receives and accepts the invite successfully in our tenant and the logon is added to the drop-down in the upper right corner like you would expect.  She has a Teams license in our tenant and is a member of our pilot team as well as a volunteer organization's team that she is a member of.  When she hits the drop-down list and selects our local government's option she is prompted to log on again.  I am not sure if I redacted too much but there is a screen cap of it in the top part of the inserted pic at the bottom along with the two following prompts.  LMK if I took too much data out...


  • Anyway, some other tidbits that may be useful are that they use MFA where we do not for everyone.
  • Both she and I have access to the same team and both have the same issue, even though I have MFA turned on.
  • The last page has some data that might be useful and is included at the bottom.  My main takeaway there was error code 4c7, which may point to modern authentication.
  • She is using the Teams app and has the same results both at home and at school.
  • The MVP I spoke with suggested there might be a strange interplay between our EDU tenant and what our local government is using, perhaps GCC.

Thanks in advance to anyone who can point me in the right direction etc!


Three prompts after selecting the guest account in the upper-right drop-down

If that doesn't work, try signing out and back in.


desktop-…

Error code - 4c7

There's a more permanent way to sign in to Microsoft Teams. If you're having trouble completing the process, talk to your IT admin.

It sounds like the government tenant has a Conditional Access policy that is configured to apply to guests, and that is why the user is unable to log in to their tenant.

The government tenant admins should be able to see the attempted login, and the reason for it not being allowed.
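One way the resource tenant's admin could pick those denials out of exported sign-in logs, as an added example that is not from this thread: the record layout follows the shape of Microsoft Entra sign-in log fields (userType, conditionalAccessStatus, status.errorCode, appliedConditionalAccessPolicies), and every sample value, including the hypothetical "Require compliant device" policy, is constructed.

```python
"""Added example, not code from the thread: triage sign-in log records for guest
sign-ins that Conditional Access denied, and name the policy the guest failed.
Field names follow the shape of Entra sign-in log exports; data is constructed."""
from typing import Dict, List

# Constructed sample records (not real log data). 53000 is the error code a
# device-compliance requirement returns when the device state is not met.
GUEST = "director_school.example#EXT#@gov.example"
SAMPLE_SIGNINS: List[Dict] = [
    {   # guest on the Windows desktop client, blocked by a device-based policy
        "userPrincipalName": GUEST, "userType": "guest",
        "deviceDetail": {"operatingSystem": "Windows 10"},
        "conditionalAccessStatus": "failure", "status": {"errorCode": 53000},
        "appliedConditionalAccessPolicies": [
            {"displayName": "Require compliant device", "result": "failure"},
            {"displayName": "Require MFA", "result": "success"}],
    },
    {   # same guest from the iOS app, allowed (mirrors the thread's symptom)
        "userPrincipalName": GUEST, "userType": "guest",
        "deviceDetail": {"operatingSystem": "Ios"},
        "conditionalAccessStatus": "success", "status": {"errorCode": 0},
        "appliedConditionalAccessPolicies": [
            {"displayName": "Require compliant device", "result": "notApplied"},
            {"displayName": "Require MFA", "result": "success"}],
    },
    {   # a member of the tenant; filtered out because the question is about guests
        "userPrincipalName": "alice@gov.example", "userType": "member",
        "deviceDetail": {"operatingSystem": "Windows 10"},
        "conditionalAccessStatus": "success", "status": {"errorCode": 0},
        "appliedConditionalAccessPolicies": []},
]


def guest_ca_failures(records: List[Dict]) -> List[Dict]:
    """One finding per guest sign-in that Conditional Access denied, listing the
    policies whose result was 'failure' so the admin sees which control blocks guests."""
    findings = []
    for rec in records:
        if rec.get("userType") != "guest" or rec.get("conditionalAccessStatus") != "failure":
            continue
        failed = [p["displayName"] for p in rec.get("appliedConditionalAccessPolicies", [])
                  if p.get("result") == "failure"]
        findings.append({
            "user": rec.get("userPrincipalName"),
            "os": rec.get("deviceDetail", {}).get("operatingSystem"),
            "errorCode": rec.get("status", {}).get("errorCode"),
            "failedPolicies": failed,
        })
    return findings
```

Pointing the same filter at a real export shows immediately whether a guest's denials cluster on one policy (here device compliance, which a guest's home-tenant device cannot satisfy) rather than on MFA.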

@Rob Ellis 

Thanks for the idea Rob!  I have some additional information at this point that may support your conclusion, but I wanted to double-check to see if you can think of anything additional because I want to make sure we do our due diligence before trying to work across systems, which can be complicated...

  • I deprovisioned all Teams licensing for myself from my tenant and have MFA on, as mentioned before, and only have access to that one team listed and not any of our organization's teams.
  • I can use the iOS mobile app successfully and everything appears to be OK.
  • I get the previously mentioned prompts and failure regardless of whether I use Teams through my work-provided Hybrid AAD joined computer or my wife's personal computer.

The fact that I can use the iOS Teams app but not the PC app on either a HAADJ or personal computer seems to point to a conditional access policy like you suggested.  The only remaining piece I am puzzled by is the fact that when Teams requests my password again, the failure screen presented to contact for additional support is our support page rather than the one for their tenant.  I would expect it to be their support contact info if it is their tenant that is refusing access rather than ours.  Do you have any ideas on why that might be?


One other point that I am not sure is related is Modern Authentication.  The final error code seems to point to a different problem but the root cause is a failure to successfully use modern authentication.  My tenant does not have that turned on at this point but I suspect the domain we are trying to collaborate with does as they have enabled MFA for all their users already.  Could this be a relevant point?  I am new to my architect role (just coming up-to-speed on our MS Tenant) and am reluctant to enable Modern Authentication for our entire domain without understanding the full implications to my users just to test this theory.


Finally, the only other thing I can think of to test is asking them to invite my personal account instead of my work account to see if that makes a difference; however, I don't think that would help differentiate the issue regardless of whether it works or not, because both cases would not change the conditional access theory.  Do you think that would be a moot point like I suspect it will be?


Thanks for any additional input!


Matt

best response confirmed by Busted1942 (Brass Contributor)
Solution
Just wanted to provide an update in case anyone else is looking at this. The current theory is that modern authentication is required via conditional access policy on the government tenant, where we do not have modern authentication enabled yet in the school system. I acknowledge I need to turn it on; however, I'm waiting until we can verify the problem.
The actual issue was not possible for me to figure out in the end since the org who owned the tenant that was sharing out the team was not able to share their conditional access policy but I shared our IP range with them and I think they added it as a known network, which changed the applicable CAPs which did allow me in.

@Busted1942 sounds like the tenant admins need to have a policy that better allows guests; it's not really viable to predict or list guests' IP addresses.


@Steven Collier 


We solved this issue: we did not have enough licenses for additional team members.
