ESR settings don't sync with multi-factor authentication enabled
Original product version: Windows 10 version 1709 all editions, Windows 10 version 1703 all editions, Windows 10 version 1511 all editions, Windows 10 version 1607 all editions
Original KB number: 3193683
You have enabled Enterprise State Roaming (ESR) in the Azure Active Directory portal and on some Windows 10 clients. Settings that support sync, such as the desktop background or taskbar position, don't sync between devices for the same user. Events 1098 and 1097 like the following are logged in the Microsoft-Windows-AAD/Operational event log:
Log Name: Microsoft-Windows-AAD/Operational
Source: Microsoft-Windows-AAD
Event ID: 1098
Task Category: AadTokenBrokerPlugin Operation
Level: Error
Keywords: Error, Error
Computer: Win10client.contoso.com
Description: Error: 0xCAA2000C The request requires user interaction.
Code: interaction_required
Description: AADSTS50076: The user is required to use multi-factor authentication to access this resource. Please retry with a new authorize request for the resource 'https://syncservice.windows.net/*'.
Trace ID: <Trace ID GUID>
Correlation ID: <Correlation ID GUID>
Timestamp: 2016-03-09 01:30:38Z
TokenEndpoint: https://login.microsoftonline.com/common/oauth2/token
Authority: https://login.microsoftonline.com/common
Client ID: <Client ID GUID>
Redirect URI: ms-appx-web://Microsoft.AAD.BrokerPlugin/<Client ID GUID>
Resource: https://syncservice.windows.net/*
Correlation ID (request): <Correlation ID GUID>

Log Name: Microsoft-Windows-AAD/Operational
Source: Microsoft-Windows-AAD
Event ID: 1097
Task Category: AadTokenBrokerPlugin Operation
Level: Warning
Keywords: Operational, Operational
Computer: Win10client.contoso.com
Description: Error: 0xCAA90004 Getting token by refresh token failed.
Authority: https://login.microsoftonline.com/common
Client ID: <Client ID GUID>
Redirect URI: ms-appx-web://Microsoft.AAD.BrokerPlugin/<Client ID GUID>
Resource: https://syncservice.windows.net/*
Correlation ID (request): <Correlation ID GUID>
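The following PowerShell is an added example for confirming this symptom on a client, not part of the KB article. It queries the same Microsoft-Windows-AAD/Operational log for events 1098 and 1097, keeps only those that concern the sync service resource shown above, and flags the ones carrying the AADSTS50076 / interaction_required pattern. The function name, parameter names and the regular expressions are assumptions of this example; the log name, event IDs, error codes and resource URL are taken from the events above.

```powershell
# Added example (not from the KB): summarize ESR token failures in the AAD
# operational log and say whether they match the MFA "interaction_required"
# pattern described in this article. Run in an elevated PowerShell session
# on the affected Windows 10 client. Function and parameter names are ours.
function Get-EsrMfaSyncFailure {
    [CmdletBinding()]
    param(
        # How far back to look; default is the last 7 days.
        [datetime]$StartTime = (Get-Date).AddDays(-7),
        # Resource the roaming client requests a token for (value from the events in the KB).
        [string]$SyncResource = 'https://syncservice.windows.net/*'
    )

    $filter = @{
        LogName   = 'Microsoft-Windows-AAD/Operational'
        Id        = 1098, 1097
        StartTime = $StartTime
    }

    # Get-WinEvent throws when nothing matches; treat that as "no events".
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $msg = $e.Message
        # Only token requests for the roaming sync service are relevant here.
        if ($msg -notmatch [regex]::Escape($SyncResource)) { continue }

        $hresult = if ($msg -match 'Error:\s*(0x[0-9A-Fa-f]{8})') { $Matches[1] } else { $null }
        $aadsts  = if ($msg -match '(AADSTS\d+)')                 { $Matches[1] } else { $null }
        $code    = if ($msg -match 'Code:\s*(\S+)')               { $Matches[1] } else { $null }

        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            EventId     = $e.Id
            HResult     = $hresult
            AadStsCode  = $aadsts
            Code        = $code
            # Event 1098 with AADSTS50076 / interaction_required is the MFA case in this KB;
            # event 1097 (0xCAA90004) is the follow-on refresh-token failure.
            MfaRelated  = ($aadsts -eq 'AADSTS50076' -or $code -eq 'interaction_required')
        }
    }
}

$since = (Get-Date).AddDays(-7)
$hits  = Get-EsrMfaSyncFailure -StartTime $since
if ($hits | Where-Object MfaRelated) {
    Write-Host "ESR sync is blocked by an MFA requirement (AADSTS50076) on this device:"
    $hits | Sort-Object TimeCreated | Format-Table TimeCreated, EventId, HResult, AadStsCode, Code -AutoSize
} elseif ($hits) {
    Write-Host "Found ESR token failures, but not the MFA interaction_required pattern:"
    $hits | Sort-Object TimeCreated | Format-Table TimeCreated, EventId, HResult, AadStsCode -AutoSize
} else {
    Write-Host "No ESR token failures (events 1098/1097 for the sync service) since $since."
}
```

A 1098 entry whose AadStsCode is AADSTS50076 confirms the cause described in this article; a run of 1097 entries without any 1098 points instead at an expired token that the device can no longer refresh silently.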
Multi-factor authentication (MFA) is enabled for the account, and Enterprise State Roaming won't prompt the user for the additional authorization that MFA requires, so its silent token request for the sync service fails (event 1098, AADSTS50076).
If your account is configured to require multi-factor authentication in the Azure Active Directory portal, settings may fail to sync when you sign in to a Windows 10 device with a password. This type of multi-factor authentication configuration is intended to protect an Azure administrator account. Admin users may still be able to sync by signing in to their Windows 10 devices with their Microsoft Passport for Work PIN, or by completing multi-factor authentication while accessing other Azure services, such as Microsoft Office 365.
Sync can also fail if the Azure AD administrator configures an Active Directory Federation Services multi-factor authentication conditional access policy and the access token on the device expires. Make sure that you sign out and sign in again using the Microsoft Passport for Work PIN, or complete multi-factor authentication when accessing other Azure services like Office 365.
Microsoft is investigating how to improve the experience with Enterprise State Roaming and MFA authorization enabled on the device.
For more information, see Settings and data roaming FAQ.