Outlook displays "need password" authentication dialog isn't shown on Win10 Enterprise multi-session

%3CLINGO-SUB%20id%3D%22lingo-sub-1289230%22%20slang%3D%22en-US%22%3EOutlook%20displays%20%22need%20password%22%20authentication%20dialog%20isn't%20shown%20on%20Win10%20Enterprise%20multi-session%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1289230%22%20slang%3D%22en-US%22%3E%3CP%3ERecently%20issues%20have%20been%20reported%20related%20to%20logon%20in%20Office%20ProPlus%20on%20Windows%2010%20Enterprise%20multi-session.%20One%20specific%20example%20is%20O%3CSPAN%3Eutlook%20showing%20%22need%20password%22%20however%20the%20authentication%20prompts%20are%20never%20presented%20to%20the%20user.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EThis%20could%20be%20caused%20by%20VMs%20listed%20in%20a%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22registered%22%20state.%20This%20can%20be%20observed%20in%20the%20Azure%20Portal%20-%26gt%3B%20Azure%20Active%20Directory%20-%26gt%3B%20Devices.%26nbsp%3B%3CBR%20%2F%3EVMs%20can%20get%20to%20this%20state%20when%20a%20user%20selects%20the%20%22use%20this%20account%20everywhere%22%20prompt%20from%20an%20Office%20app%2C%20this%20can%20be%20done%20by%20standard%20(non-admin)%20users%3CBR%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThere%20are%20two%20ways%20of%20preventing%20this%3A%26nbsp%3B%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3EFor%20AD%20joined%20VMs%2C%20follow%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fdevices%2Ffaq%23q-how-can-i-block-users-from-adding-additional-work-accounts-azure-ad-registered-on-my-corporate-windows-10-devices%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ethis%26nbsp%3B%3C%2FA%3Eguidance%20on%20how%20to%20prevent%20the%20VMs%20from%20being%20registered.%20When%20using%20Azure%20AD%20DS%2C%20this%20is%20the%20only%20supported%20option.%3C%2FLI%3E%0A%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fdevices%2Fhybrid-azuread-join-plan%23handling-devices-with-azure-ad-registered-state%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EConfigure%3C%2FA%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Ehybrid%20Azure%20Active%20Directory%20join%20for%20managed%20domains%20(preferred)%26nbsp%3B%20%26nbsp%3B%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3EIf%20a%20profile%20solution%20is%20used%2C%20this%20could%20require%20a%20reset%20of%20the%20users%20profile.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ERegistering%20is%20supposed%20to%20be%20done%20against%20another%20tenant.%20Registering%20to%20the%20same%20tenant%20as%20the%20device%20is%20AD%20joined%20can%20cause%20issues.%26nbsp%3BWe%20are%20making%20changes%20to%20the%20Windows%2010%20multi-session%20image%20in%20the%20Azure%20gallery%20to%20prevent%20users%20from%20registering%20VMs.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Microsoft

Recently issues have been reported related to logon in Office ProPlus on Windows 10 Enterprise multi-session. One specific example is Outlook showing "need password" however the authentication prompts are never presented to the user.

 

This could be caused by VMs listed in a "registered" state. This can be observed in the Azure Portal -> Azure Active Directory -> Devices. 
VMs can get to this state when a user selects the "use this account everywhere" prompt from an Office app, this can be done by standard (non-admin) users

 

There are two ways of preventing this: 

  1. For AD joined VMs, follow this guidance on how to prevent the VMs from being registered. When using Azure AD DS, this is the only supported option.
  2. Configure hybrid Azure Active Directory join for managed domains (preferred)   

If a profile solution is used, this could require a reset of the users profile.

 

Registering is supposed to be done against another tenant. Registering to the same tenant as the device is AD joined can cause issues. We are making changes to the Windows 10 multi-session image in the Azure gallery to prevent users from registering VMs. 

0 Replies