"Windows needs your current credentials..." notification after converting users to Cloud only

Mike Gaum 45 Reputation points
2024-07-24T19:41:20.3033333+00:00

We're getting rid of our local Active Directory soon and started converting On-premises synced users to Cloud only users.

I believe there are 2 ways of doing this and we chose the less recommended one by Microsoft for testing purposes since it doesn't affect all users at once.

Instead of disabling the sync between Active Directory and Entra ID, we're doing the following:

  1. Unsync the user in Active Directory (this deletes the user in Entra ID).
  2. Restore the user in Entra ID (takes about 15 minutes for everything to go back to normal for the user).

The following notification error started appearing from time to time on our devices: "Windows needs your current credentials. Please lock this computer, then unlock it using your most recent password or smart card."

  • The devices are exclusively joined to Entra ID / Intune.
  • The devices are not necessarily on the same network as the Active Directory.

What we tried (without success):

  • Cleared the Credential Manager on the devices.
  • Created the following Configuration Profile in Intune:
    OMA-URI: ./Device/Vendor/MSFT/PassportForWork/<tenantID>/Policies/UseCloudTrustForOnPremAuth
    Data type: Boolean
    Value: True
  • Disabled the following key in the registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.Winlogon

The notification seems to show up under different circumstances from one device to another. For example, it often appears on one device when opening a Microsoft Office desktop app and almost randomly on another.

We communicated with Microsoft to help us get rid of the following fields in Entra ID, but it can only be done for the whole tenant, so we need to wait until the transition is over:

  • On-premises sync enabled
  • On-premises last sync date time
  • On-premises distinguished name
  • On-premises immutable ID
  • On-premises provisioning errors
  • On-premises SAM account name
  • On-premises security identifier
  • On-premises user principal name
  • On-premises domain name

I'm probably missing some information so ask away if you have any questions.
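To keep track of which converted accounts still carry the on-premises attributes listed in the post, here is an added PowerShell example (not from the original post, and not Microsoft's own tooling); it assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in account has the User.Read.All permission.

```powershell
# Added example: report, per user, whether the account is still synced,
# converted but still carrying OnPremises* attributes, or fully cloud only.
# Assumes Microsoft.Graph PowerShell SDK and the User.Read.All permission.
Connect-MgGraph -Scopes 'User.Read.All'

# The OnPremises* properties correspond to the fields listed in the post.
$onPremProps = @(
    'OnPremisesSyncEnabled', 'OnPremisesLastSyncDateTime',
    'OnPremisesDistinguishedName', 'OnPremisesImmutableId',
    'OnPremisesSamAccountName', 'OnPremisesSecurityIdentifier',
    'OnPremisesUserPrincipalName', 'OnPremisesDomainName'
)
$props = @('Id', 'UserPrincipalName') + $onPremProps

$report = Get-MgUser -All -Property $props | ForEach-Object {
    $user = $_
    # Collect every on-prem attribute that still has a value on this account.
    $residue = foreach ($p in $onPremProps) {
        $value = $user.$p
        if ($null -ne $value -and "$value" -ne '') { $p }
    }
    $state = if ($user.OnPremisesSyncEnabled) {
        'still synced'
    } elseif (@($residue).Count -gt 0) {
        'converted, on-prem attributes remain'
    } else {
        'cloud only'
    }
    [pscustomobject]@{
        UserPrincipalName = $user.UserPrincipalName
        SyncEnabled       = $user.OnPremisesSyncEnabled
        LastSync          = $user.OnPremisesLastSyncDateTime
        Residue           = (@($residue) -join ', ')
        State             = $state
    }
}

# Accounts that are 'converted, on-prem attributes remain' are the ones whose
# devices are worth watching for the "Windows needs your current credentials" toast.
$report | Sort-Object State, UserPrincipalName | Format-Table -AutoSize
```

Re-run the report after each unsync/restore batch and after the tenant-wide cleanup to confirm the Residue column empties out.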
