Microsoft Azure Access and App registrations

Asked by doctorbill (United Kingdom)

I have added an online app to Microsoft Azure as a registered app with all the appropriate permissions (which were supplied by the company that hosts the app)

MFA is enabled for all users and is working as expected - using the Microsoft Authenticator app

The online application (access Profile) has MFA enabled and the application opens when users log in with their Microsoft credentials

When users try to log into the Microsoft 365 Portal using a browser (Edge/Chrome), they get the error message in the image attached below

The same error message is shown when they try to link their email accounts from the app to the online Exchange EWS

I have checked the 365 portal and cannot see where this error is coming from - it looks like a compliance issue but I just cannot see where this is being pulled from

The MFA settings are also set to allow access to the 365 portal from dedicated IP addresses

The machines are joined to the MS 365 Intune portal

Please DO NOT send me google links as I have probably seen most of them

I need advice from someone who has actually come across this and solved it 


Jian An Lim (Australia):
You have a Conditional Access policy that limits which devices can log in,

or your application does not support "device based" authentication or is not able to read your device information.

Go to your sign-in history and click on the Conditional Access tab; you will see which rule is stopping you from accessing it.


doctorbill (asker):
I see the following:

I have the Azure Security Defaults enabled at present

Can I edit these and if so, where?

Or should I disable them and create a separate MFA policy?

To be clear, is Euro London Appointments your organisation or the organisation that hosts the app?

My organisation

The Azure portal is being accessed from a remote source which is trying to access Exchange on my tenant

I have registered the app being used with the correct permissions

On your Entra sign-in log, can you paste the error message you are facing?


How can you have Security Defaults and MFA at the same time? You can only have one at the same time.


When you say "remote source", do you mean an external user, or a user that is located remotely?



Can you also use incognito/private mode to open this?


Also, try to go to the Enterprise apps and see the sign-in log accordingly.

You should have a status of Fail that says it cannot sign in.

From there, on Basic information, it should say something about the error.



Also, try to use a different user, for example yourself, to test that first.



On your Entra sign-in log, can you paste the error message you are facing?

There is a lot of info on the error message. What exactly am I looking for ?


How can you have Security Defaults and MFA at the same time? You can only have one at the same time.

I assumed that security defaults activate MFA as well

If not, what exactly is enabled?

I can disable them and just use the MFA policy


When you say "remote source", do you mean an external user, or a user that is located remotely?

The remote application. The user logs into that and tries to gain access to the Exchange account on my tenant


Can you also use incognito/private mode to open this?

No change


Also, try to go to the Enterprise apps and see the sign-in log accordingly.

You should have a status of Fail that says it cannot sign in.

From there, on Basic information, it should say something about the error.

-------------------------------

Date
28/10/2023, 18:15:27
Request ID
4a254ad5-98be-457c-abc9-6d53d9ee1100
Correlation ID
1743fa09-1a83-43b9-a472-769290a47b2b
Authentication requirement
Single-factor authentication
Status
Failure
Continuous access evaluation
No
Original transfer method
None
Sign-in error code
501314
Failure reason
Silent interrupt required to recognize browser capabilities. Used to differentiate between Safari running in iPadOS or Mac.
Additional Details
No action required, this is expected as part of determining device identities due to application or conditional access requirements.
Troubleshoot Event
Follow these steps:
  1. Launch the Sign-in Diagnostic.
  2. Review the diagnosis and act on suggested fixes.
Username
s.shacklock@eurolondon.com
User ID
14d67392-6fc4-4c84-b816-6568e8f67a85
Sign-in identifier
s.shacklock@eurolondon.com
User type
Member
Cross tenant access type
None
Application
Apple Internet Accounts
Application ID
f8d98a96-0999-43f5-8af3-69971c7bb423
Resource
Office 365 Exchange Online
Resource ID
00000002-0000-0ff1-ce00-000000000000
Resource tenant ID
2f51c68e-13ac-41a4-bad2-b47733a1921c
Home tenant ID
2f51c68e-13ac-41a4-bad2-b47733a1921c
Home tenant name

Client app
Mobile Apps and Desktop clients
Client credential type
None
Service principal ID

Service principal name

Resource service principal ID
c7488a20-4d4d-4f4c-8ceb-1ad3536a6ab0
Unique token identifier
1UolSr6YfEWryW1T2e4RAA
Token issuer type
Microsoft Entra ID
Token issuer name

Incoming token type
None
Authentication Protocol
None
Latency
245ms
Flagged for review
No
User agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Safari/605.1.15


--------------------------------------------------------------------------------

Also, try to use a different user, for example yourself, to test that first.

No change
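The sign-in entry pasted above is the portal's detail pane copied out as alternating label and value lines. The Python below, an added example that is not part of this thread, parses that layout and triages each entry: the 501314 code is treated as the expected device-identity interrupt the pane itself describes, so the entry that actually blocks the user can be found next to it. The codes 53003 and 50076, the second sample entry and the helper names are assumptions, not from the thread.

```python
import re
# Labels as the Entra sign-in detail pane prints them (only those the triage needs);
# any other line belongs to the value of the preceding label, which may span lines.
FIELDS = {"Status", "Sign-in error code", "Failure reason", "Additional Details",
          "Authentication requirement", "Home tenant name", "Client app"}
# 501314 is the code in the pasted entry; the portal itself says it is expected.
EXPECTED_INTERRUPT = "501314"
# Assumed standard Entra codes, not from the thread: 53003 = CA block, 50076 = MFA required.
ACTIONABLE = {"53003": "Conditional Access policy blocked the sign-in",
              "50076": "MFA required but not satisfied"}

def parse_entry(text):
    """Turn copied label/value lines into a dict, joining multi-line values."""
    entry, key = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line in FIELDS:
            key, entry[key] = line, ""
        elif key and line:
            entry[key] = (entry[key] + " " + line).strip()
    return entry

def triage(entry):
    """Classify one parsed entry as (needs_action, note)."""
    if entry.get("Status") != "Failure":
        return False, "not a failure"
    code = entry.get("Sign-in error code", "")
    if code == EXPECTED_INTERRUPT:
        return False, "expected device-identity interrupt; look at the next entry"
    return True, ACTIONABLE.get(code, f"unclassified {code}: {entry.get('Failure reason', '')}")

def triage_log(text):
    """Split a pasted log on dashed separators; return (code, needs_action, note) per entry."""
    entries = [parse_entry(e) for e in re.split(r"(?m)^-{3,}\s*$", text) if e.strip()]
    return [(e.get("Sign-in error code", ""), *triage(e)) for e in entries]

# Constructed sample: first entry condensed from the thread, second one invented.
SAMPLE_LOG = """Status
Failure
Sign-in error code
501314
Failure reason
Silent interrupt required to recognize browser capabilities.
---------------
Status
Failure
Sign-in error code
53003
Failure reason
Access has been blocked by Conditional Access policies.
"""
```

Paste the whole sign-in export for the affected user into `triage_log` and chase only the rows flagged `True`; a lone 501314 row is noise.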

ASKER CERTIFIED SOLUTION
Jian An Lim (Australia)
(answer text requires a membership and is not shown)