sso
91 Topics

Windows Accounts Google Chrome Extension
Hi, I am unsure if it is the right platform to ask this question. Please move the question to the right place if it's not. Our Azure AD team recently installed the following extension on Google Chrome for Windows machines: https://chrome.google.com/webstore/detail/windows-accounts/ppnbnpeolgkicgegkbkbjmhlideopiji Around 10 million installations are mentioned on Google for this extension, and it was working fine until last week, when our security team asked us to uninstall the extension from all the machines as they are suspecting that the extension is not legit. I would like to ask if this extension is really from Microsoft or a third party, as I can see the developer email is from Microsoft.com. Any thoughts or comments? Thanks,
111K Views | 0 likes | 4 Comments

AADSTS75011 by which the user authenticated with the service doesn't match requested authentication
We're experiencing problems with a certain application that we've registered in Azure.
Sorry, but we're having trouble signing you in. We received a bad request. AADSTS75011 by which the user authenticated with the service doesn't match requested authentication method 'Password Protected transport'
Situation:
- user logs in (Citrix-environment)
- IE11 is auto-started. Default startpage = our intranet on SharePoint Online (at this moment SSO kicks in and the user will be logged in automatically in office.com / SharePoint Online)
- User starts new tab in IE11, navigates to the application's login-url (external SaaS application) and poof; the error shows up
- When user starts Chrome at this moment and navigates to the application's login-url again, he WILL be logged in automatically.
The software-developer says it has something to do with our Azure settings or Windows environment, but we have a lot more applications registered the same way where this error never occurs. Does anyone have a clue on how to fix this? It looks like the SaaS application does not accept Windows Integrated authentication?
100K Views | 0 likes | 9 Comments

Azure AD Seamless SSO and Chrome
We've set up Azure Seamless SSO with password sync. We've created a few test computers and user accounts. Outlook, Skype for Business (prompts for username but not password), IE and Edge work well; Chrome does not. Chrome always prompts for username and password. I've followed all steps here, including adding in sites to local intranet zone. https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-sso-quick-start
71K Views | 0 likes | 4 Comments

HTTP ERROR 401 - This page isn’t working right now. However, Google Chrome works fine.
Hello all, I am currently getting a HTTP Error 401 message in Edge (Beta). It only happens when trying to authorise via ADFS, Azure AD authorisation is working as expected. When I try the same operation in Google Chrome, everything is working as expected (see pic). I have completed the following:
- Cleared browser history.
- Cleared password history.
- Removed any relevant entries from credential manager
- Renewed my certificate.
Only other relevant info I can think of is that I changed my password at some point last week. Many thanks in advance.
55K Views | 0 likes | 2 Comments

ADFS SSO sign-in as different user
We have federation configured with Azure AD using ADFS with SSO enabled. This is working as expected. However, there is one slight issue for the admin team, who are required to sign in using different privileged credentials, different from their regular user account. The problem is that ADFS SSO is automatically signing in the user as the account logged into Windows. E.g. "User runs a PowerShell command --> Authentication prompt comes up --> user enters their privileged ID (different from their regular account) --> User enters their password --> user is signed in as their regular account rather than the privileged account they used at the sign-in screen". Is there a workaround for this issue other than using a non-domain joined laptop?
24K Views | 0 likes | 4 Comments

Private Network is currently disabled in my tenant
Hi All, I am interested to test the Entra ID private access, but when I go to the connectors, it shows as "Private Network is currently disabled for your tenant.". Does anyone know what the reason for this is and how I should overcome it? Thanks in advance, Dilan
22K Views | 0 likes | 8 Comments

AADSTS75011 Error on Edge (Azure AD Joined machines)
I have just set up SSO for a new enterprise application. On AzureAD joined machines, it works in Chrome and Edge InPrivate mode. In normal Edge, we get the following error:
AADSTS75011: Authentication method 'X509, MultiFactor' by which the user authenticated with the service doesn't match requested authentication method 'Password, ProtectedTransport'.
I have read about adding the following to the SAML request, but this is not possible with the vendor currently:
'authnContextClassRef' : false
This only affects AzureAD joined machines on Edge. When I test from a Hybrid joined machine there is no such issue. Is there any way to resolve this from the Azure side?
13K Views | 1 like | 3 Comments

Excessive MFA prompts for a specific user
One specific user in my tenant is prompted for MFA multiple times/day. Our conditional access policies specify that a user must re-authenticate every 90 days with MFA. All other users do not get prompted daily without a new risk factor like new device/unknown IP address. I have tried the following:
- Re-registered authentication methods and revoked previous multifactor auth sessions.
- Enabled Multifactor Authentication in Security Defaults for this user (rather than conditional access)
- Exempted this user from the standard CA policy, and created a new one.
None of these steps have helped. Microsoft support was no help. Some other information:
- This user uses 1 to 2 IP addresses throughout the week. (Home and office)
- This user is using the same devices every day. We have replaced the devices and issue persists.
- There are at least 1, up to 5 prompts daily.
- No other users are experiencing this issue, and MFA behaves as expected.
- Azure Identity Protection lists the risk for this user as none. Zero risk detections within the last 90 days.
Any suggestions are appreciated.
13K Views | 0 likes | 7 Comments

Azure AD Joined device and authenticate on-premise AD.
Hi, I'm working on a new Workplace configuration based on Windows 10, Azure AD and Intune. Users should be able to join their Windows 10 device to Azure AD and be auto-enrolled to Intune. So far so good. We are still in transition migrating our data to SharePoint, so users should have access to the data shares. Unfortunately, the first time after the user logs in (after joining Azure AD during the OOBE wizard), they have no access to the on-premise shares. However, after the second logon, the user has access to the shares. I guess there is no Kerberos ticket to authenticate against the on-premise AD after the first logon. I'm wondering if this is normal behaviour, or should this normally work the first time?
12K Views | 0 likes | 6 Comments

UPN Mismatch between Local AD and Azure AD (Entra ID) impact on user sign-ins and SSO?
Hello Smart people, I have an Active Directory domain to be synced with Entra ID. This Entra ID tenancy, though, already exists and users are created. There are two different UPNs in the current environments.
Local AD - user1@company.com.nz
Azure AD - user1@company.com
Local AD doesn't have any suffixes configured. email address removed for privacy reasons is the email address of Local AD account properties whereas UPN is email address removed for privacy reasons. So there's a mismatch of the two UPNs. My question is, as this issue will have a major impact on user sign-in/SSO due to this mismatch, what's the best way to overcome this? Do I have to add the suffix company.com in AD and change on-prem user UPNs with that suffix and then sync? Are there any better ways to deal with this? Any ideas/inputs are greatly appreciated. Thank you! Kev
9.7K Views | 0 likes | 4 Comments