Question asked by SoulStrider12345-6087 (commented on by LuDaiMSFT-0289)

Federated Account can't Login to InTune Device, however a 365 account can

Hello,

For some background, we have a federated domain and an SSO setup with Duo. It is AD synced with Azure; however, it is not a Hybrid Azure AD setup.

I have been playing around with Intune for the past week or so. The plan is to get it set up so that when we add a device to Intune (via the hardware hash) it will automatically assign it the right profile, and when we enter the OOBE it will then ask for a work account, so when the user signs in it will apply all the necessary profiles and applications for that user.

My issue lies when the OOBE asks for a work or school account. If I enter a domain account first.last@work.group it says something along the lines of
"Your organisation doesn't allow users to set up Windows this way. Use another email address or set up Windows with a local account"
However, if I sign in with an unlicensed 365 account (not an account on the domain) it logs in just fine, no issues, and this then enrols the device also.

I then tried to sign out of the device and sign back in again with my first.last@work.group account but it just says
"Incorrect Username or Password. Try again"

I've been trying to figure this one out for the last couple of days but I can't seem to get anywhere.

Any help would be greatly appreciated

Thanks!

Edit: Changed some wording


Okay, so I have an update!

I checked with the other guys who originally set up the tenant and they never set up the MDM DNS records, which I have now done.
Now I am getting the company branding (logo and company name) appearing when I go through the OOBE; however, my next issue is when I try to log in with a user account that is on-prem I get the error:

"We didn't find that email address in your organisation"

I tried all the usernames I could think of:
first.name@company.onmicrosoft.com
first.name@company.group (our actual UPN)
first.name@companygroup.co.uk

But none of them seem to work, however the O365 only accounts work fine still.

EDIT: Update to my situation

mem-intune-general
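The three things the question turns on are whether the UPN suffix is a verified (federated or managed) domain in the tenant, whether the MDM discovery DNS records exist, and whether the synced user actually carries the Intune and Azure AD Premium service plans. The following PowerShell pre-flight check is an added example and is not from the thread or from Microsoft; it assumes the Microsoft.Graph and DnsClient modules are installed, that the caller can read domain and user data, and the `$Upn` and `$Domain` values are placeholders taken from the post.

```powershell
# Added example: pre-flight checks for the OOBE sign-in symptoms described in the question.
# Assumes Microsoft.Graph (Identity.DirectoryManagement, Users) and DnsClient modules.
param(
    [string]$Upn    = 'first.last@work.group',   # placeholder from the post
    [string]$Domain = 'work.group'               # placeholder from the post
)

Connect-MgGraph -Scopes 'Domain.Read.All','User.Read.All' | Out-Null

# 1. Is the UPN suffix a verified domain in this tenant, and is it federated or managed?
#    A federated domain hands the OOBE sign-in to the IdP (here Duo SSO); a suffix that is
#    not in the tenant yields "we didn't find that email address in your organisation".
$d = Get-MgDomain -DomainId $Domain -ErrorAction SilentlyContinue
if (-not $d) {
    Write-Warning "Domain $Domain is not present in the tenant"
} else {
    "{0}: verified={1} authenticationType={2}" -f $d.Id, $d.IsVerified, $d.AuthenticationType
}

# 2. MDM discovery CNAMEs required for auto-enrolment (the records the poster found missing).
$expected = @{
    "enterpriseenrollment.$Domain"   = 'enterpriseenrollment-s.manage.microsoft.com'
    "enterpriseregistration.$Domain" = 'enterpriseregistration.windows.net'
}
foreach ($name in $expected.Keys) {
    $cname = Resolve-DnsName -Name $name -Type CNAME -ErrorAction SilentlyContinue |
             Where-Object QueryType -eq 'CNAME' | Select-Object -First 1
    $target = if ($cname) { $cname.NameHost } else { '<none>' }
    $state  = if ($cname -and $cname.NameHost -ieq $expected[$name]) { 'OK' } else { 'MISSING/WRONG' }
    "{0} -> {1} [{2}]" -f $name, $target, $state
}

# 3. Is the user synced from on-prem AD, enabled, and licensed for Intune and AAD Premium P1?
$u = Get-MgUser -UserId $Upn -Property UserPrincipalName,OnPremisesSyncEnabled,AccountEnabled
"{0}: syncedFromAD={1} enabled={2}" -f $u.UserPrincipalName, $u.OnPremisesSyncEnabled, $u.AccountEnabled

# Service plan names as Graph reports them: INTUNE_A (Intune) and AAD_PREMIUM (Azure AD P1).
$plans = (Get-MgUserLicenseDetail -UserId $Upn).ServicePlans |
         Where-Object ProvisioningStatus -eq 'Success' |
         Select-Object -ExpandProperty ServicePlanName
foreach ($p in 'INTUNE_A','AAD_PREMIUM') {
    $state = if ($plans -contains $p) { 'assigned' } else { 'NOT assigned' }
    "{0}: {1}" -f $p, $state
}

Disconnect-MgGraph | Out-Null
```

Run it from an admin workstation as `.\Check-AutopilotPrereqs.ps1 -Upn first.last@work.group -Domain work.group`. A `MISSING/WRONG` CNAME explains a missing company-branding screen; `authenticationType=Federated` explains why a sign-in is redirected to an external identity provider; `INTUNE_A: NOT assigned` means the user cannot enrol even when the device itself is registered.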

Answer by LuDaiMSFT-0289

@SoulStrider12345-6087 Thanks for posting in our Q&A.

To clarify this issue, did you use the autopilot method to enroll the device? If yes, please refer to the following link to check the steps:
https://docs.microsoft.com/en-us/mem/intune/enrollment/tutorial-use-autopilot-enroll-devices

If there is any update, feel free to let us know.


If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.



The idea is that when we get a device we add it to Intune via the PowerShell script, so when the device boots up for the first time the user can log in and it will set up the device for that user.

The issue lies in allowing on-prem synced accounts to log in to Intune devices. The accounts are synced via Azure AD Connect.

0 Votes 0 ·


Are you using an account that exists in Azure AD (one that has been synced by Azure AD Connect)? You can copy a login from http://aad.portal.azure.com/ and make sure it has an Intune license and an Azure AD Premium license assigned to the user.

0 Votes 0 ·

Good Morning,

Thank you for your reply.
I went to the Azure portal and looked for my account, which is there, and double-checked the license.

We use Microsoft 365 Business Premium, which includes Azure Active Directory Premium P1 and both Intune licenses.
100058-image.png

100100-image.png


Yet it still won't let me log in to the device. I've tried it again this morning and it's got the company name on the screen; however, if I type in my old company's login it takes me to their sign-in page.

Not too sure what's happening here.


Cheers.

0 Votes 0 ·
Answer by NickHogarth-MVP

Are you sure the device has been registered in Autopilot and it has an assigned profile? It seems like it isn't at the OOBE for Autopilot. It should say something like "Welcome to <organisation>" and then you authenticate. If you then entered account details that don't belong to your domain, you should get an error. Yours seems the opposite, and you're joining with a different workplace account. Can you take a screenshot?


Thanks for your reply.
I have checked the device status under Devices -> Enrol Devices -> Windows Autopilot Devices; there is only one laptop there, and that is the laptop I am currently on.

I have assigned it a group tag, which is set to a dynamic group in Azure AD, which then assigns it the profile. The profile status is "assigned".
When I boot up the laptop and go through the OOBE, it asks for the Wi-Fi details.

What would happen next is it would ask if it is a work or a personal device and how you want to set it up; this time, however, it asks you to log in with an account.

The issue lies when I try to log in with the accounts: if the account is an on-prem account that is synced with Azure AD using the connector, it says

"Your organisation doesn't allow users to set up Windows this way. Use another email address or set up Windows with a local account"

However, if I use an account that was created within O365 it allows me to log in right away.

0 Votes 0 ·

It isn't picking up the Autopilot profile. Have you tried reimaging the device? Are you sure the hardware hash was exported correctly? Have you configured Intune auto-enrolment, and are there any Intune enrolment restrictions that are blocking Windows 10 from enrolling?

0 Votes 0 ·

I haven't tried reimaging the device fully yet.

The device was added to Intune via the PowerShell script Get-WindowsAutoPilotInfo.ps1, which grabs it all from the machine and uploads it with the group tag I specify in the command.

These are the settings from the Intune auto-enrolment page:
99818-image.png

There are no restrictions that I'm aware of. I set this all up from scratch and wanted to get it working before I started to place restrictions.


0 Votes 0 ·
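NickHogarth-MVP's point is that a plain "sign in with a work or school account" screen means the device never matched an Autopilot registration with an assigned profile, so the group tag, dynamic-group membership and profile assignment state are what to verify for the exact serial in front of you. The script below is an added example, not the project's or the thread's own code; it assumes the Microsoft.Graph.DeviceManagement.Enrollment module, a caller with `DeviceManagementServiceConfig.Read.All`, and a hypothetical `$GroupTag` equal to whatever was passed to Get-WindowsAutoPilotInfo.ps1.

```powershell
# Added example: confirm this serial is registered in Autopilot, carries the expected
# group tag, and has a deployment profile assigned. Run on the device itself (the serial
# is read from the BIOS) or pass -SerialNumber from an admin workstation.
param(
    [string]$SerialNumber = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber,
    [string]$GroupTag     = 'EXAMPLE-TAG'   # placeholder: the tag used in the upload
)

Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.Read.All' | Out-Null

# Pull every registered identity and match on serial locally; a serial that is absent
# means the hardware hash upload never landed in this tenant.
$ids = Get-MgDeviceManagementWindowsAutopilotDeviceIdentity -All |
       Where-Object { $_.SerialNumber -eq $SerialNumber }

if (-not $ids) {
    Write-Warning "Serial '$SerialNumber' is not registered in Autopilot; OOBE will show the generic work-account sign-in, not the organisation's Autopilot flow."
    Disconnect-MgGraph | Out-Null
    return
}

foreach ($d in $ids) {
    [pscustomobject]@{
        SerialNumber      = $d.SerialNumber
        GroupTag          = $d.GroupTag
        GroupTagMatches   = ($d.GroupTag -eq $GroupTag)
        ProfileStatus     = $d.DeploymentProfileAssignmentStatus
        ProfileAssignedAt = $d.DeploymentProfileAssignedDateTime
        EnrollmentState   = $d.EnrollmentState
        AzureAdDeviceId   = $d.AzureActiveDirectoryDeviceId
    }

    # Graph reports statuses such as notAssigned, pending, assignedInSync, assignedOutOfSync.
    # Anything that is not "assigned*" means the dynamic group has not yet delivered the
    # profile, and a reboot into OOBE will behave exactly as described in the thread.
    if ($d.DeploymentProfileAssignmentStatus -notlike 'assigned*') {
        Write-Warning "Profile status is '$($d.DeploymentProfileAssignmentStatus)': wait for group evaluation / profile sync before re-running OOBE."
    }
    if ($d.GroupTag -ne $GroupTag) {
        Write-Warning "Group tag '$($d.GroupTag)' does not match '$GroupTag': the dynamic group rule will not include this device."
    }
}

Disconnect-MgGraph | Out-Null
```

If the serial is present, the tag matches and the status is `assignedInSync`, the registration side is sound and the remaining suspects are the enrolment restrictions and the user's domain and licence state rather than the hardware hash.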