Azure AD joined devices are prompted for their password, signing in to https://portal.office.com/

New Contributor

Hi Guys,

 

At this moment we are trying to migrate our environment to a Microsoft365-only environment.

 

We are running into a problem where Azure AD joined devices are prompted for their password while signing in to websites like https://portal.office.com/ or https://myapps.office.com/. We would like to accomplish that when users fill in their username, the Azure AD password is being used automatically and the users is signing in without password.

 

Our AD is synced to AzureAD using AAD Connect (Password Hash sync & SSO). I disabled MFA for a testuser, but the issue persists.

 

Anyone has an idea what is going on?

Thank you in advance!

 

Regards,

Paul

7 Replies
Are you devices AAD Joined or are they also joined to to local domain => Hybrid Azure AD Join?
The devices are AAD joined (no hybrid) and are not able to connect to the server/AD VLAN anyway.

Is the user logged in with their Azure AD credentials? And what does dsregcmd /status show? More specifically, what's the value for AzureAdPrt? You can learn about troubleshooting such scenarios here: https://docs.microsoft.com/en-us/azure/active-directory/devices/troubleshoot-device-dsregcmd

@Vasil Michev 

Users are indeed logged in with their Azure AD credentials. Looks like the AzureAdPrt settings are OK:

 

+----------------------------------------------------------------------+
SSO State 
+----------------------------------------------------------------------+

AzureAdPrt : YES
AzureAdPrtUpdateTime : 2019-11-14 11:59:52.000 UTC
AzureAdPrtExpiryTime : 2019-11-28 16:48:11.000 UTC
AzureAdPrtAuthority : https://login.microsoftonline.com/1b32xxxx-xxxx-xx-xx-xxxx
EnterprisePrt : NO
EnterprisePrtAuthority :

And you still get asked for password? Are you using Edge? Chrome needs additional add-ins to support SSO via PRT.

@Vasil Michev 

It doesn't work in IE as well as in Edge. We are able to choose for the account 'Connected to Windows'. This works. But when users choose for 'Use another account' and fill in our username manually, the password should not be asked.

No, that's not how it work. Only the "connected" account gets SSO.

www.000webhost.com