Access Management
426 Topics

Issues with Microsoft Authenticator not popping up Approval message
We have recently implemented MFA with a conditional access policy. We turned off the ability to receive texts/calls and are forcing the Authenticator app. This is causing issues when users need to re-set up the account in the Authenticator app. I have had multiple scenarios this week where the Microsoft Authenticator app has stopped displaying the approve/deny message. The end users try to fix the issue themselves and will remove their accounts from the app and try to re-enroll by going to myapps.microsoft.com and restarting the setup process. The problem lies in that even though they are visiting the portal from devices that are excluded from MFA via conditional access (Compliant/Hybrid AD Joined), the myapps.microsoft.com portal is still enforcing MFA to log in. Since they have removed their account from the application, they cannot authenticate to the portal. There is no alternate method since Phone/Text are disabled. In order to get the end user back into the portal I have to go to the regular MFA Setup page, enable phone calls or texts, enable and enforce MFA on the end user, and they can finally get in to re-set up the account. All of this could be fixed with a one-time bypass for cloud!

What does disabling an Azure AD device actually do?
In an AAD-only org, with Windows 10 Enterprise computers all Azure AD joined and managed by Intune, exactly what does "disabling" the device via the AAD Portal --> Devices --> Select a device --> Disable do? It seems to have absolutely no impact on our devices' abilities to continue to log in to AAD and access Office 365 apps/services, for example. Perhaps I naively assumed that disabling a device actually meant that it would be disabled in the sense that you couldn't log in to your org via AAD login, or, even if you were, you wouldn't be able to do anything that required AAD - which in my mind includes Office 365. Am I mistaken? Thanks, Bob

AADSTS75011 by which the user authenticated with the service doesn't match requested authentication
We're experiencing problems with a certain application that we've registered in Azure. "Sorry, but we're having trouble signing you in. We received a bad request. AADSTS75011 by which the user authenticated with the service doesn't match requested authentication method 'Password Protected transport'". Situation: user logs in (Citrix environment), IE11 is auto-started. Default start page = our intranet on SharePoint Online (at this moment SSO kicks in and the user will be logged in automatically in office.com / SharePoint Online). User starts a new tab in IE11, navigates to the application's login URL (external SaaS application) and poof; the error shows up. When the user starts Chrome at this moment and navigates to the application's login URL again, he WILL be logged in automatically. The software developer says it has something to do with our Azure settings or Windows environment, but we have a lot more applications registered the same way where this error never occurs. Does anyone have a clue on how to fix this? It looks like the SaaS application does not accept Windows Integrated authentication?

Default security settings for Office 365 for first account logon on new device
I am trying to figure out where to change the security settings on Office 365 when a user logs on to a new device for the first time. Story: I created a new Office 365 tenant, added some standard users (no sync, just cloud users), leaving all settings at their defaults. This means no MFA, no extra device policy, etc. Then I joined a new / re-installed Windows 10 laptop to Azure AD by selecting 'this laptop is for work' in the OOBE (aka first run experience). Then, again using a standard user, I get two remarks regarding authentication: 1. A PIN code is required for extra security at logon ("Your organization requires Windows Hello") > Set up PIN. 2. The user needs to confirm its identity ("Your admin has required that you set up this account for additional security verification") > Set it up now (options are phone call, SMS or mobile app). During testing, it seems that step 2 is a consequence of step 1. But I am not 100% sure. My question is: where do these requirements come from? I haven't set any of these settings. I looked 'everywhere' in the Office 365 admin portal and in the Azure Portal but could not find any setting that regulates this experience. For example: AAD admin center > Devices > Device Settings > Require MFA to join devices: No (=default); AAD admin center > Password Reset > Registration > Require users to register when signing in: No (switched from the default yes, but as expected had no effect). I tested this on two new tenants, with two laptops, and the experience was the same. I want to disable these requirements for a specific tenant with low security requirements. If someone can point me in the right direction that would be great. Thanks, Marco

Azure AD Conditional Access - Require Domain Joined Device
Does the ‘Domain Join’ checkbox in Azure AD Conditional Access require Azure AD Domain join, or does it mean on-premises Domain Join? The attached screenshot says ‘Not Azure AD Domain Join’ but the documentation shown in the screenshot seems to contradict this.

Guest Users - Clean Up
Does anyone have any experience with policies and planning for cleaning up guest users? We want to make sure that when guest users leave their company they no longer have access to our Teams. Is there an audit process or an expiration process for guest users? Thanks!

Guest user with Global admin role
Hi, I was told a while ago by an MVP that the "correct" way of granting External Consultants access to O365 was to create them as 'Guest users' (using their private/corporate email) and then assign them the appropriate 'Directory role', like the SharePoint Administrator role. However, doing this, the Consultant gets into AAD, but when trying to access https://tenant-admin.sharepoint.com he's getting no access and the message that this site isn't externally shared. Can someone confirm that this is the "right way" to grant Consultants access, and what am I missing in order to give access?

Disable Windows Hello AND Remove Existing PIN
Previously, after setting up Windows for an Azure AD user, it would give me a prompt saying that my organization requires a PIN for Windows Hello. I would hit next, then close the dialog asking for the PIN, and it would say there was an error or something; I'd hit OK and I'd be in Windows with no further Windows Hello harassment until I restarted. Once I got the device enrolled in Intune, it would apply the policy; I have a policy that disables Windows Hello. However, a recent update to Windows seems to have made it impossible to bypass setting up a PIN. Because I can't enroll the device in Intune during the Windows Setup, the disable policy doesn't apply until after the PIN is established on the account. Once the PIN is set up on a Windows Account, it is not removed when Windows Hello is disabled via Intune/GPO, and it is seemingly impossible to remove manually. The only lead I've been able to find is to delete this folder: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\NGC\. However, Windows simply is not letting that happen, even after taking full ownership of the folder as a local admin. My only workaround is to first set up the device authenticating with my own account, which will have the PIN. Then enroll in Intune with the user's account to get their policies applied and Hello disabled. Then create the local admin account. Then add the user's account. Then log into the local admin account and delete my account. Finally, log into the user's account to create shortcuts and do QA. We use BitLocker with a PIN that effectively does the same thing as Windows Hello with a PIN, except it also encrypts the disk. So I really don't see what it brings to the table besides a redundant password for users to memorize and extra help desk work when they forget it? How do I get devices configured without adding a bunch of work to get around Windows Hello?