Introduction:
If you want to allow only corporate domain-joined Windows 7 computers to access Office 365 services, and block personal Windows 7 devices, you must implement device-based conditional access. Device-based conditional access ensures that your users access your resources only from devices that meet your standards for security and compliance. The following screenshot shows device-based conditional access with hybrid Azure AD joined devices.
To achieve hybrid Azure AD join, you need the Workplace Join utility, which registers Windows domain-joined computers with Azure AD. To register domain-joined computers running Windows 7, Windows 8.0, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 or Windows Server 2012 R2, a Windows Installer package (.msi) is available. Download Microsoft Workplace Join for non-Windows 10 computers from https://www.microsoft.com/en-us/download/details.aspx?id=53554
For more information on how to configure hybrid Azure Active Directory joined devices, see https://docs.microsoft.com/en-us/azure/active-directory/device-management-hybrid-azuread-joined-devices-setup
Problem:
I am going to talk about an issue we hit on non-Windows 10 computers recently. We got a few incidents from users who could not activate Office ProPlus and could not access Teams, OneDrive and other Office 365 applications; the following error message appeared.
The following error message is very common. It occurs if the device from which the user is trying to access Office 365 does not pass conditional access.
Solution:
To get this issue solved, the first thing to check is whether the workplace join completed successfully. How do you check that?
Open a command prompt, change the directory to C:\Program Files\Microsoft Workplace Join and run AutoWorkplace.exe /i
If you see the following screen, the device is hybrid Azure AD joined, or at least the workplace join did its job of creating the certificate and passing it over to Azure AD. If the user still cannot access the applications even with this screen, the issue is not related to workplace join.
On the problem PC, the user sees this image with the error 'An error occurred when trying to join your device to your organisation's workplace' and the registration service authentication URL.
'The registration service could not successfully authenticate your account. Please make sure you are logged in with your active directory domain account and try again.'
What could go wrong behind the above error message? The following are the checks I tried.
1. Check whether the user has configured MFA (if MFA is enabled for the user). If MFA is enabled but not configured, take the above URL and open it in IE; that gives the 'set up now' option. If you do not get the MFA option, read the solution given below.
2. Is the device connected to the corporate network?
3. Are SSL 2.0 and SSL 3.0 disabled in the IE Advanced settings? (I have seen issues with SSL 2.0 and 3.0 enabled, and disabling them works fine.)
The user passed all the above checks but still could not get it working.
After checking the IE configuration settings, I found that the user had the following security setting in the Local intranet zone.
When the Workplace Join tool runs, it follows the above user authentication setting to obtain the certificate, and that is what fails here.
With that setting, Workplace Join expects the user to supply credentials, but the registration runs silently in the background, so it always fails.
Change the setting to 'Automatic logon only in Intranet zone' or 'Automatic logon with current user name and password'.
After you choose the setting, click OK and close IE. Now go back to the command prompt and run the same command again; this time it goes through without any error.
Why is this setting not set through GPO to prevent issues of this type? Don't ask me that.
I will write another blog post listing all the workplace join related issues I have come across during the last few months; that should give you some insights.
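The checks above (workplace join certificate, SSL 2.0/3.0 in IE, and the Local intranet zone logon setting) can be read and fixed from PowerShell on the affected PC instead of clicking through the IE dialogs. The script below is an added example, not part of the original post or of the Workplace Join tool. The registry locations are the documented IE zone (Zones\1, value 1A00) and SecureProtocols keys; the certificate issuer name "MS-Organization-Access" and the AutoWorkplace.exe path are assumptions taken from what the tool produces on a working machine and should be verified against your own environment.

```powershell
# Added example (not from the original post): report the three client-side settings that
# Workplace Join on Windows 7 depends on, and optionally fix the intranet-zone logon setting.
# Run in the context of the user who is doing the registration (these are HKCU settings).

$zoneKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1'  # 1 = Local intranet
$inetKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$autoWpExe = "$env:ProgramFiles\Microsoft Workplace Join\AutoWorkplace.exe"                 # assumed install path

# Documented values of the "Logon" (1A00) zone setting
$logonNames = @{
    0x00000 = 'Automatic logon with current user name and password'
    0x10000 = 'Prompt for user name and password'
    0x20000 = 'Automatic logon only in Intranet zone'
    0x30000 = 'Anonymous logon'
}

function Get-IntranetLogonSetting {
    $v = (Get-ItemProperty -Path $zoneKey -Name '1A00' -ErrorAction SilentlyContinue).'1A00'
    if ($null -eq $v) { $v = 0x20000 }   # IE default for the intranet zone when the value is absent
    [pscustomobject]@{ Value = $v; Name = $logonNames[[int]$v]; Silent = ([int]$v -in 0x00000, 0x20000) }
}

function Set-IntranetLogonSetting {
    # Either value lets Workplace Join authenticate without an interactive credential prompt
    param([ValidateSet('AutoIntranetOnly', 'AutoCurrentUser')][string]$Mode = 'AutoIntranetOnly')
    $value = if ($Mode -eq 'AutoCurrentUser') { 0x00000 } else { 0x20000 }
    if (-not (Test-Path $zoneKey)) { New-Item -Path $zoneKey -Force | Out-Null }
    Set-ItemProperty -Path $zoneKey -Name '1A00' -Value $value -Type DWord
}

function Get-IESecureProtocols {
    # SecureProtocols is a bitmask: SSL2=0x8, SSL3=0x20, TLS1.0=0x80, TLS1.1=0x200, TLS1.2=0x800.
    # A GPO can override this under HKLM\Software\Policies\...\Internet Settings; check there too if it differs.
    $v = (Get-ItemProperty -Path $inetKey -Name 'SecureProtocols' -ErrorAction SilentlyContinue).SecureProtocols
    if ($null -eq $v) { return $null }
    [pscustomobject]@{
        Raw   = ('0x{0:X}' -f $v)
        SSL2  = [bool]($v -band 0x008)
        SSL3  = [bool]($v -band 0x020)
        TLS10 = [bool]($v -band 0x080)
        TLS11 = [bool]($v -band 0x200)
        TLS12 = [bool]($v -band 0x800)
    }
}

function Get-WorkplaceJoinCertificate {
    # Workplace Join on Windows 7 registers per user; the certificate it obtains lands in the user's
    # personal store with issuer "MS-Organization-Access" (assumption; compare with AutoWorkplace.exe /i).
    Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Issuer -like '*MS-Organization-Access*' }
}

# --- Report ---
$logon = Get-IntranetLogonSetting
"Intranet zone logon : $($logon.Name) (0x{0:X})" -f $logon.Value
$tls = Get-IESecureProtocols
if ($tls) { "SecureProtocols     : $($tls.Raw)  SSL2=$($tls.SSL2) SSL3=$($tls.SSL3) TLS1.2=$($tls.TLS12)" }
else      { 'SecureProtocols     : (not set, IE defaults apply)' }
$cert = Get-WorkplaceJoinCertificate
if ($cert) { "Workplace Join cert : present, thumbprint $($cert.Thumbprint), expires $($cert.NotAfter)" }
else       { 'Workplace Join cert : NOT found for this user' }

# --- Fix the symptom from this post and retry the registration interactively ---
if (-not $logon.Silent) {
    Set-IntranetLogonSetting -Mode AutoIntranetOnly
    'Changed intranet zone logon to "Automatic logon only in Intranet zone".'
}
if ($tls -and ($tls.SSL2 -or $tls.SSL3)) {
    'SSL 2.0/3.0 are enabled; clear them in IE > Internet Options > Advanced before retrying.'
}
if (-not $cert -and (Test-Path $autoWpExe)) { & $autoWpExe /i }
```

The script changes only the per-user zone value the post identifies; it does not touch SecureProtocols, because that value may be pinned by policy under HKLM and the post's guidance is to disable SSL 2.0/3.0 through the IE Advanced settings. Close any open IE windows before rerunning AutoWorkplace.exe, as the post notes, so the new zone setting is picked up.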
Until next!
4 Comments
Great article along with your Hybrid Azure join for Win7. We are using Okta to authenticate to O365, so when a Win7 device tries to authenticate, we get the "The registration service could not successfully authenticate your account. Please make sure you are logged in with your active directory domain account and try again" error, because of course the device has no account with Okta. Any ideas on how to get around that?
Hi,
Are you still experiencing the issue? Are you not using Azure MFA? If not, make sure MFA is already set up using Okta and the necessary integrations are done with Okta on Office 365 for MFA.
Thanks,
Eswar
Nice article. We also had issues with the URI during workplace join when using ADFS for authentication. We were missing the claims rule:-
c:[Type == "http://schemas.microsoft.com/claims/authnmethodsreferences"] => issue(claim = c);
https://docs.microsoft.com/en-us/azure/active-directory/device-management-hybrid-azuread-joined-devices-setup
Another gotcha... Device registration is per user for Workplace Join, so ensure this Intune policy is set to All:-
“Users may register their devices with Azure AD”
The above MS link was gold dust when we were setting it up for Windows 7
Thanks for the blog Eswar 👍
Yes, that's true, and I'm glad you liked it. Getting domain-joined computers into Azure AD is a pain unless you configure the ADFS claims correctly with all proxy configurations.
Regards,
Eswar
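The comment thread above points at a missing ADFS issuance rule (pass-through of authnmethodsreferences) as another cause of the same registration error. As an added example that is not part of the post or the comments, the following PowerShell checks the Office 365 relying party trust on an AD FS server for that rule and appends it when absent. The relying party name "Microsoft Office 365 Identity Platform" is the default created by Azure AD Connect and is an assumption for your farm; the rule text itself is the one quoted in the comment.

```powershell
# Added example (not from the post or comments): verify and, if needed, add the
# authnmethodsreferences pass-through rule on the Office 365 relying party trust.
# Run on an AD FS server as an AD FS administrator.
Import-Module ADFS

$rpName = 'Microsoft Office 365 Identity Platform'   # assumed default RP trust name

# Rule quoted in the comment above, wrapped in a named rule block
$authnRule = @'
@RuleName = "Pass through authentication methods references"
c:[Type == "http://schemas.microsoft.com/claims/authnmethodsreferences"] => issue(claim = c);
'@

function Test-AuthnMethodsRule {
    param([string]$RelyingPartyName = $rpName)
    $rp = Get-AdfsRelyingPartyTrust -Name $RelyingPartyName
    if (-not $rp) { throw "Relying party trust '$RelyingPartyName' not found" }
    # IssuanceTransformRules is the full rule set as one string; look for the claim type
    [bool]($rp.IssuanceTransformRules -match 'schemas\.microsoft\.com/claims/authnmethodsreferences')
}

function Add-AuthnMethodsRule {
    param([string]$RelyingPartyName = $rpName)
    if (Test-AuthnMethodsRule -RelyingPartyName $RelyingPartyName) { return 'already present' }
    $rp = Get-AdfsRelyingPartyTrust -Name $RelyingPartyName
    # Append rather than replace so the existing UPN/ImmutableID rules are kept
    $rules = $rp.IssuanceTransformRules.TrimEnd() + "`r`n`r`n" + $authnRule
    Set-AdfsRelyingPartyTrust -TargetName $RelyingPartyName -IssuanceTransformRules $rules
    'added'
}

"authnmethodsreferences rule present: $(Test-AuthnMethodsRule)"
Add-AuthnMethodsRule
```

Back up the current rule set first (Get-AdfsRelyingPartyTrust -Name $rpName | Select-Object -ExpandProperty IssuanceTransformRules | Out-File rules.bak) so the change can be reverted; Set-AdfsRelyingPartyTrust overwrites the whole issuance rule set with the string you pass.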