Forum Discussion

Frederick_Po
Copper Contributor
Apr 14, 2020

Powershell MSOL and hybrid domain joined

Since we have a Conditional Access control requiring a domain joined device and MFA to access Azure management, when we are using PowerShell it seems like PowerShell cannot recognize the device as domain joined and access is blocked by the domain joined access control after MFA is performed. Any idea why?

  • Moe_Kinani
    Bronze Contributor
    Hi,

    Did it work before at all? It's tough to guess without sharing the settings for Conditional Access.

    Are the PCs hybrid joined or only Azure AD joined? If hybrid joined, you have to sync the PCs to the cloud in order for CA to work as expected.

    Thanks!
    Moe
  • Claus Witjes
    Brass Contributor

    Frederick_Po

    Hmm, actually I cannot reproduce this.

    My device is AAD hybrid joined and we have a CA policy requiring hybrid joined devices and another one basically blocking "other clients", aka basic authentication. What are your AAD Sign-In Logs saying exactly, or the Windows Application and Services - AAD logs?

    My machine:

    +----------------------------------------------------------------------+
    | Device State |
    +----------------------------------------------------------------------+

    AzureAdJoined : YES

    with a valid PRT:

    +----------------------------------------------------------------------+
    | SSO State |
    +----------------------------------------------------------------------+

    AzureAdPrt : YES
    AzureAdPrtUpdateTime : 2020-04-15 05:58:26.000 UTC
    AzureAdPrtExpiryTime : 2020-04-29 12:26:36.000 UTC

    and I can successfully connect to Azure AD using the Connect-MsolService cmdlet.

    Actually using "Manifest 1.1.183.57 MSOnline"

    Maybe you have to update the module installed, aka C:\> Update-Module MSOnline

    hth,

    Claus
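The check Claus describes (is the device Azure AD joined, does it hold a Primary Refresh Token, and has that PRT not expired) can be scripted so that it runs before any Connect-MsolService attempt. The following is an added example, not code from the thread or from Microsoft; it parses the "Key : Value" rows that dsregcmd /status prints, and the sample text embedded below is constructed from the values quoted above (its PRT expiry is in the past, so it exercises the "expired PRT" branch). The function names ConvertFrom-DsregStatus and Test-DeviceReadyForCa are the example's own.

```powershell
# Added example (not from the thread): decide whether this device can present the
# "hybrid joined" device claim that a Conditional Access grant requires, before
# calling Connect-MsolService. Run on the workstation as the signed-in user.

function ConvertFrom-DsregStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # dsregcmd prints "Key : Value" rows; box-drawing and blank lines do not match
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Test-DeviceReadyForCa {
    param([Parameter(Mandatory)][hashtable]$State)
    $problems = @()
    if ($State['AzureAdJoined'] -ne 'YES') {
        $problems += 'Device is not Azure AD joined (AzureAdJoined is not YES).'
    }
    if ($State['AzureAdPrt'] -ne 'YES') {
        $problems += 'No Primary Refresh Token (AzureAdPrt is not YES); CA cannot see a device claim.'
    }
    elseif ($State['AzureAdPrtExpiryTime']) {
        # dsregcmd prints the timestamp as "yyyy-MM-dd HH:mm:ss.fff UTC"
        $raw = $State['AzureAdPrtExpiryTime'] -replace '\s+UTC$', ''
        $styles = [System.Globalization.DateTimeStyles]::AssumeUniversal -bor `
                  [System.Globalization.DateTimeStyles]::AdjustToUniversal
        $expiry = [datetime]::ParseExact($raw, 'yyyy-MM-dd HH:mm:ss.fff',
                                         [cultureinfo]::InvariantCulture, $styles)
        if ($expiry -lt (Get-Date).ToUniversalTime()) {
            $problems += "PRT expired at $raw UTC; lock/unlock or sign out and back in to refresh it."
        }
    }
    [pscustomobject]@{ Ready = ($problems.Count -eq 0); Problems = $problems }
}

# Constructed sample modelled on the output quoted in the thread (not a live capture)
$sample = @'
+----------------------------------------------------------------------+
| Device State |
+----------------------------------------------------------------------+

AzureAdJoined : YES

+----------------------------------------------------------------------+
| SSO State |
+----------------------------------------------------------------------+

AzureAdPrt : YES
AzureAdPrtUpdateTime : 2020-04-15 05:58:26.000 UTC
AzureAdPrtExpiryTime : 2020-04-29 12:26:36.000 UTC
'@ -split "`r?`n"

Test-DeviceReadyForCa -State (ConvertFrom-DsregStatus -Lines $sample) | Format-List

# Live check on the current machine; connect only when the device claim will be present
$live = Test-DeviceReadyForCa -State (ConvertFrom-DsregStatus -Lines (dsregcmd /status))
if ($live.Ready) {
    Import-Module MSOnline
    Connect-MsolService
} else {
    $live.Problems | ForEach-Object { Write-Warning $_ }
}
```

A device that reports AzureAdJoined : YES but AzureAdPrt : NO (or an expired PRT) will still pass MFA and then be blocked by the device-based grant, which is exactly the symptom in the opening post; the PRT, not the join state alone, is what carries the device identity into the token request.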

    •
      Frederick_Po
      Copper Contributor
      AzureAdPrt was the problem, fixed it and everything was working afterwards. Thank you for pointing me in the right direction!
      •
        AdamS777
        Copper Contributor

        Claus Witjes I have the same issue: the device is Hybrid Azure AD joined and has AzureAdPrt : YES. I tried to connect via PowerShell using the Msol module or the ExchangeOnline module (3.0.1) without success. Conditional Access enforces MFA (the CA grant setting is MFA or hybrid Azure AD join, scope all cloud apps). In the Azure AD sign-in logs, the Device ID for the PowerShell connection is empty.
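The "Device ID is empty" observation above is the sign-in log view of the same problem: the token request reached Azure AD without a device identity, so the device-based grant cannot be satisfied. The following is an added example, not code from the thread or from Microsoft, for pulling those device-less PowerShell sign-ins out of the logs with the Microsoft.Graph.Reports module (Get-MgAuditLogSignIn). It assumes the caller holds AuditLog.Read.All and Directory.Read.All; the app display name passed in is an assumption that should be confirmed against a known sign-in in your own tenant, and the function name Select-DevicelessSignIn is the example's own.

```powershell
# Added example (not from the thread): list recent sign-ins from a PowerShell client
# that carried no device identity, which is what an empty Device ID looks like in the data.
# Assumes Microsoft.Graph.Reports is installed and the account has AuditLog.Read.All.

function Select-DevicelessSignIn {
    param(
        [Parameter(Mandatory)][object[]]$SignIns
    )
    $SignIns |
        Where-Object { [string]::IsNullOrEmpty($_.DeviceDetail.DeviceId) } |
        Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName,
            @{ n = 'TrustType';      e = { $_.DeviceDetail.TrustType } },
            @{ n = 'OS';             e = { $_.DeviceDetail.OperatingSystem } },
            ConditionalAccessStatus,
            @{ n = 'ErrorCode';      e = { $_.Status.ErrorCode } },
            @{ n = 'FailureReason';  e = { $_.Status.FailureReason } }
}

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'

# Assumed display name of the MSOnline client app; verify against a known sign-in first
$appName = 'Azure Active Directory PowerShell'
$since   = (Get-Date).AddDays(-7).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$filter  = "createdDateTime ge $since and appDisplayName eq '$appName'"

$signIns = Get-MgAuditLogSignIn -Filter $filter -All

# Rows where the client never presented a device identity: these are the connections
# that will fail a "require hybrid Azure AD joined device" grant even after MFA succeeds
Select-DevicelessSignIn -SignIns $signIns | Format-Table -AutoSize
```

Comparing the TrustType and ErrorCode columns across successful and failed rows separates two cases the thread mixes together: a device that genuinely has no PRT (no device details at all) versus a client that is not PRT-aware and therefore never attaches the device claim even though dsregcmd reports AzureAdPrt : YES.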
