Forum Discussion
Your Sign-in was successful but does not meet the criteria to access this resource
The government tenant admins should be able to see the attempted login, and the reason for it not being allowed.
- Busted1942 (Brass Contributor), Nov 11, 2019
Thanks for the idea Rob! I have some additional information at this point that may support your conclusion but wanted to double check to see if you can think of anything additional because I want to make sure we do our due diligence before trying to work across systems, which can be complicated...
- I deprovisioned all Teams licensing for myself from my tenant and have MFA on, as mentioned before, and only have access to that one team listed and not any of our organization's teams.
- I can use iOS mobile app successfully and everything appears to be OK.
- I get the previously mentioned prompts and failure regardless of whether I use Teams through my work-provided Hybrid AAD joined computer or my wife's personal computer.
The fact that I can use the iOS Teams App but not the PC app on either a HAADJ or personal computer seems to point to a conditional access policy like you suggested. The only remaining piece I am puzzled by is the fact that when Teams requests my password again, the failure screen presented to contact for additional support is our support page rather than the one for their tenant. I would expect it to be their support contact info if it is their tenant that is refusing access rather than ours if it was their tenant preventing access. Do you have any ideas on why that might be?
One other point that I am not sure is related is Modern Authentication. The final error code seems to point to a different problem but the root cause is a failure to successfully use modern authentication. My tenant does not have that turned on at this point but I suspect the domain we are trying to collaborate with does as they have enabled MFA for all their users already. Could this be a relevant point? I am new to my architect role (just coming up-to-speed on our MS Tenant) and am reluctant to enable Modern Authentication for our entire domain without understanding the full implications to my users just to test this theory.
Finally, the only other thing I can think of to test is asking them to invite my personal account instead of my work account to see if that makes a difference; however, I don't think that would help differentiate the issue regardless of whether it works or not, because both cases would not change the conditional access theory. Do you think that would be a moot point like I suspect it will be?
Thanks for any additional input!
Matt
- Busted1942 (Brass Contributor), Nov 13, 2019
Just wanted to provide an update in case anyone else is looking at this. The current theory is that modern authentication is required via conditional access policy on the government tenant where we do not have modern authentication enabled yet in the school system. I acknowledge I need to turn it on; however, I’m waiting until we can verify the problem.
- Busted1942 (Brass Contributor), Nov 17, 2019
The actual issue was not possible for me to figure out in the end, since the org who owned the tenant that was sharing out the team was not able to share their conditional access policy, but I shared our IP range with them and I think they added it as a known network, which changed the applicable CAPs, which did allow me in.
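
What the resource-tenant admins would check in their sign-in logs, as an added example that is not part of the thread: Python over sign-in records exported as JSON, listing which conditional access policy failed for each of one user's sign-ins. The records are constructed; field names follow the Microsoft Graph signIn resource, and the user, IP addresses and policy names are hypothetical.

```python
import json

# Constructed sample records. Field names follow the Microsoft Graph signIn
# resource; the user, IP addresses and policy names are invented.
SAMPLE_SIGNINS = json.loads("""
[
 {"userPrincipalName": "guest@school.example", "appDisplayName": "Microsoft Teams",
  "clientAppUsed": "Mobile Apps and Desktop clients", "ipAddress": "198.51.100.7",
  "deviceDetail": {"operatingSystem": "iOS 13"},
  "conditionalAccessStatus": "success",
  "appliedConditionalAccessPolicies": [
    {"displayName": "Guests: require MFA", "result": "success"},
    {"displayName": "Desktop: trusted network only", "result": "notApplied"}]},
 {"userPrincipalName": "guest@school.example", "appDisplayName": "Microsoft Teams",
  "clientAppUsed": "Mobile Apps and Desktop clients", "ipAddress": "203.0.113.10",
  "deviceDetail": {"operatingSystem": "Windows 10"},
  "conditionalAccessStatus": "failure",
  "appliedConditionalAccessPolicies": [
    {"displayName": "Guests: require MFA", "result": "success"},
    {"displayName": "Desktop: trusted network only", "result": "failure"}]}
]
""")


def blocking_policies(signin):
    """Return the names of policies whose result for this sign-in was 'failure'."""
    policies = signin.get("appliedConditionalAccessPolicies") or []
    return [p["displayName"] for p in policies if p.get("result") == "failure"]


def summarize(signins, upn):
    """Per sign-in of `upn`: (operating system, IP, CA status, blocking policies)."""
    rows = []
    for s in signins:
        if s.get("userPrincipalName", "").lower() != upn.lower():
            continue
        os_name = (s.get("deviceDetail") or {}).get("operatingSystem")
        rows.append((os_name, s.get("ipAddress"),
                     s.get("conditionalAccessStatus"), blocking_policies(s)))
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_SIGNINS, "guest@school.example"):
        print(row)
```

Comparing the rows for the working and failing clients shows which policy condition (platform, network location) separates them, which is the information the guest's home tenant cannot see.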