Hybrid Azure AD join - "fix account" popup for shared experiences

ExecuteRestart66 21 Reputation points
2022-01-12T15:35:48.963+00:00

I have hybrid Azure AD join up and running.

Immediately after hybrid joining, users get a popup that says "you need to fix your account bla bla bla". When you click that message it takes you to the "shared experiences" page with a "Fix Now" button.

When you press that Fix Now button, it brings you to an MFA page, which I really don't want my users to have to go through.

Note: I already have a conditional access policy configured to bypass MFA on corp network IPs. That policy uses the user action "Register or join devices". But I think this only applies to the actual joining process, not this shared experiences mumbo jumbo.

I found this thread:

https://www.reddit.com/r/Intune/comments/ld0z71/are_there_any_impacts_with_enabling_hybrid_azure/

There is a comment, posted by u/theonlyredditaccount, that says:

"Please note if you have an "All cloud apps require MFA" Conditional Access policy, your users may encounter a "There's a possibility with your work or school account. Click here to fix now" notification - they'll be prompted for MFA and then it'll work."

I do in fact have a base CA policy set for all cloud apps. I have this because there are quite a few "apps" or functions within Azure I want to secure internally with MFA, but there isn't really a separate "app" for some of those functions. For example, the "Office 365" app in Azure does not also control the "My Apps" portal. It took me a while to figure that out.

So my question is: what "app" would I search for and exclude from this policy so that the user does not get this shared experiences "Fix now" prompt, which then requires MFA? Microsoft has no documentation on this, so I have no idea how to prevent it from happening, other than disabling the "all cloud apps" CA policy. I really hope the response isn't "this isn't possible". There has to be something I can exclude from the "all cloud apps" CA policy that will fix this lame shared experiences "Fix now" needing MFA.

Side note: yes, I have tried disabling shared experiences, which does in fact get rid of the popup message. But even with shared experiences turned OFF, when you go to the shared experiences page, the "Fix now" button is still there, which makes me nervous that it will break something else unless you click "Fix now" and approve the MFA. It's confusing that the Fix now button still appears even though the shared experiences feature is completely disabled.

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

3 answers

  1. ExecuteRestart66 21 Reputation points
    2022-01-13T18:14:55.357+00:00

    After countless hours of ripping my hair out, I finally solved this.

    What I did was:

    Went to a machine with the "Fix now" button and the stupid popup saying there is an issue.

    I clicked the Fix now button. The MFA prompt came up. I went to my MFA app and denied it.

    Then I went to the user sign-in logs, and what do you know, there is a failed entry in there.

    The resource it says is being used is "Microsoft Command Service".

    And thank the internet lords, "Microsoft Command Service" is an application you can select in the CA policy. So I excluded it from the "all cloud apps" CA policy.

    Went to a machine that had this stupid "Fix now" button. Did a dsregcmd /leave, deleted it from Azure AD, ran a resync on AD Connect, restarted the machine, logged in, and THE MACHINE JOINED AND THERE WAS NO MORE POPUP PROMPT. Nor was there a "Fix now" button in shared experiences.

    My posts hardly ever get any attention because I'm new, but I feel like I did something good here. I hope I can save some fellow admins from having to go through this headache.

    4 people found this answer helpful.

  2. Carlos Fernandes 1 Reputation point
    2022-12-16T13:46:53.247+00:00

    I appreciate your help with this.

    I used the same method of rejecting the Authenticator request and checked the sign-in logs, and they show these:
    Application: Microsoft Application Command Service
    Resource: Microsoft Device Directory Service

    Application: Microsoft Application Command Service
    Resource: Microsoft Command Service

    Application: Microsoft Application Command Service
    Resource: Microsoft Activity Feed Service

    So as you mentioned, we need to exclude Microsoft Device Directory Service, Microsoft Command Service and Microsoft Activity Feed Service.

    On the conditional access policy, under Cloud apps or actions, I'm searching for the above in the excluded cloud apps list, but it can only find Microsoft Device Directory Service.

    I searched Enterprise applications and again, only Microsoft Device Directory Service shows up.

    Does anyone know why the others aren't showing and how I can add them to the CA exclusion list? Is there an alternative way?

    Cheers
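The procedure in the first answer (deny the prompt, read the failed sign-in, exclude the resource from the "all cloud apps" policy, then re-join the device) and the snag in the second answer (a resource that the portal search cannot find) can both be scripted. The following is an added example written for this thread, not code posted by either author. It assumes the Microsoft.Graph PowerShell SDK, a placeholder UPN and policy display name that you must replace, and that the sign-in log's ResourceId is the application ID of the resource Conditional Access evaluated, which is what the policy's excludeApplications list takes.

```powershell
# Added example for this thread (not code from any of the posts above).
# Assumptions: Microsoft.Graph SDK installed; $upn and $policyName are placeholders;
# the sign-in log ResourceId is the resource's application (client) ID.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All', 'Application.Read.All', 'Policy.ReadWrite.ConditionalAccess'

$upn        = 'testuser@contoso.com'            # placeholder: the user who denied the MFA prompt
$policyName = 'Require MFA for all cloud apps'  # placeholder: your "all cloud apps" CA policy
$since      = (Get-Date).ToUniversalTime().AddHours(-1).ToString('yyyy-MM-ddTHH:mm:ssZ')

# Step 1: pull the user's recent sign-ins and keep the ones Conditional Access
# blocked or that otherwise failed (the denied Authenticator prompt lands here).
$signIns = Get-MgAuditLogSignIn -All `
    -Filter "userPrincipalName eq '$upn' and createdDateTime ge $since"

$failed = $signIns | Where-Object {
    $_.ConditionalAccessStatus -eq 'failure' -or $_.Status.ErrorCode -ne 0
}

$failed |
    Select-Object CreatedDateTime, AppDisplayName, AppId, ResourceDisplayName, ResourceId,
                  ConditionalAccessStatus, @{ n = 'ErrorCode'; e = { $_.Status.ErrorCode } } |
    Format-Table -AutoSize

# Step 2: the Resource column is what the policy evaluated. Try to resolve each one
# to a service principal; when there is none in the tenant (the second answer's
# case), the portal search comes up empty, but the app ID itself is still valid
# in excludeApplications.
$toExclude = @()
foreach ($id in ($failed.ResourceId | Where-Object { $_ } | Sort-Object -Unique)) {
    $sp = Get-MgServicePrincipal -Filter "appId eq '$id'" -ErrorAction SilentlyContinue
    if ($sp) {
        Write-Host "Resource $id is '$($sp.DisplayName)' (service principal present)"
    } else {
        Write-Host "Resource $id has no service principal in this tenant; excluding by app ID"
    }
    $toExclude += $id
}

# Step 3: add those IDs to the policy's exclusions, re-sending the existing
# include/exclude lists so nothing else in the policy changes.
# Review $toExclude before running this part.
$policy = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$policyName'"
if (-not $policy) { throw "Policy '$policyName' not found" }

$apps        = $policy.Conditions.Applications
$newExcludes = @(@($apps.ExcludeApplications) + $toExclude | Where-Object { $_ } | Sort-Object -Unique)

$body = @{
    conditions = @{
        applications = @{
            includeApplications = @($apps.IncludeApplications | Where-Object { $_ })
            excludeApplications = $newExcludes
            includeUserActions  = @($apps.IncludeUserActions | Where-Object { $_ })
        }
    }
}
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -BodyParameter $body

# Step 4 (on the affected client, elevated; one line on the Azure AD Connect server):
# repeat the re-join from the first answer, then confirm the device state.
#   dsregcmd /leave
#   (delete the device object in Azure AD, then on the Azure AD Connect server:)
#   Start-ADSyncSyncCycle -PolicyType Delta
#   Restart-Computer
#   dsregcmd /status    # expect AzureAdJoined : YES and DomainJoined : YES
```

Step 1 is the check worth keeping around on its own: the ResourceDisplayName/ResourceId pair of the failed entry tells you which resource the policy applied to, so you are excluding exactly that resource rather than guessing at app names. Step 3 deliberately rebuilds the whole applications condition rather than sending only excludeApplications, so a partial update cannot drop the existing include list or user actions.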


  3. Dinesh Singh 0 Reputation points
    2023-07-10T21:30:33.1133333+00:00

    Exclude Microsoft Intune Enrollment from the MFA-for-all-cloud-apps policy in the Azure portal.