Problem with Windows 10 "Azure AD Join" if the Office 365 domain is federated.

    Question

  •   Turned on Azure AD federation to OneLogin. That enables us to have all users logging into Office 365 use their OneLogin credentials to authenticate to O365. Fair enough.

    Then I go to Azure AD join a Windows 10 laptop. As I go through the deploy/setup process for the laptop, when I get to the "Join an Azure AD" step, the login prompt for OneLogin shows up! That was unexpected; I thought Windows desktop login/auth wouldn't be - COULDN'T be - federated.

    I didn't think it would happen, and I was NOT surprised when it didn't work.

    But does someone have details on the impact on Windows 10 Azure AD joined machines, when the domain is federated to a third-party IdP? 


    Tuesday, April 18, 2017 3:05 PM

All replies

  • The behavior seen is expected as the domain is federated. To resolve this, the 3rd-party STS should be compliant as per the documentation below:
    https://www.microsoft.com/en-us/download/details.aspx?id=41185

    Also, if you want to use automatic device registration, then the STS should be able to issue the claims mentioned in the article below:
    https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-automatic-device-registration-setup
    Wednesday, April 19, 2017 3:32 PM
    Moderator
  • "the 3rd party STS you should compliance as per the documentation below"

    That link does not load. Could you send me the title/some content? I will google it and see if I can find the document. I think that even if OneLogin as an IdP works, it's not going to work during the setup of Windows... When I am actually doing the Azure AD join, during setup of the machine, I wouldn't think that Windows would accept the OneLogin token... I am doing an Azure AD Join.

    "if you want to use automatic device registration then the STS should be able to issue claims "...

    Can you explain what that is? Is this so that a user logs in and their device is registered? I looked up STS, but I am not sure why the Security Token Service (STS) is relevant here. I am not running AD; we are cloud only/only using Azure AD. That article seems to be relevant if we are running a Windows Domain.

    Wednesday, April 19, 2017 7:25 PM
  • Since you do not have on-prem, this option will not work. Also, as you have turned on Azure AD federation to OneLogin, you would need to get authenticated there, hence the OneLogin page appears.

    If OneLogin is compliant, then it will work during setup (OOBE) as well. The token from OneLogin is not for Windows; it is for the user trying to join the device to Azure AD.

    Also, I would recommend you open a technical support ticket; as you are not able to open the link, we can download the file and send it to you by mail.

    Thursday, April 20, 2017 11:42 AM
    Moderator