Problem joining an organization when a new user logs on to a laptop for the first time in Azure AD.

Question

When a user first logs on to a device enrolled in Azure AD (which has already been used and configured), the initial setup is blocked in the "Join the organization network" step. The session hangs and does not pass this step. After restarting the computer, it starts without any problem, after entering the login data, the desktop appears without any additional configuration.

Has anyone ever encountered a similar problem?

Answer 1

Hi @Jakub Kropielnicki

Thank you for posting this in Microsoft Q&A.

I understand you are facing issue with joining an organization when a new user logs on to a laptop for the first time in Azure AD. After restarted computer, it starts without any problem, after entering the login data, the desktop appears without any additional configuration.

Can you confirm whether your organization enabled MFA?

If your organization enabled multifactor authentication (MFA) on AAD, users would need to complete additional configuration before joining device. If MFA not enabled, it won't ask any additional configuration.

To check MFA enabled or not follow below steps:

1. Sign into the Microsoft Entra admin center as at least a Global Reader.
2. Go to Identity > Devices > Overview > Device settings.

To verify if the machine is joined to Azure active directory, open Settings, and then select Accounts. Select Access work or school, and make sure you see text that says something like, Connected to organization Azure AD.

Hope this helps. Do let us know if you any further queries.

Thanks,

Navya.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Answer 2

Hi @Jakub Kropielnicki,

To set up MFA verification in Azure AD when joining a work device to your work or school network. Follow below steps.

1.Signin with Microsoft entra id with your Azure AD Administrator account.

2.Nagivate Identity on the left side -> Select Devices -> Overview -> Device settings.

3.Go to Require Multifactor Authentication to register or join devices with Microsoft Entra set toggle to YES then click save.

NOTE: This setting also doesn't apply to hybrid azure ad joined devices, Azure AD joined VM's in azure or azure ad joined devices that uses windows autopilot self-deployment mode.

Once the configuration of the device setting in Azure AD is verified, it’s time to have a look at the configuration of the actual Conditional policy.

1.Sign into the Microsoft Entra id.

2.Select Protection on left side panel > Conditional access > Create new policy.

3.On the Assignments section, configure the following for the different assignments.

• Users and groups: Select the users that should be assigned with this policy.
• Target Resources: Select User actions > Register or join devices to configure the action that this policy applies to.
• Conditions: If needed, configure User risk, *Sign-in risk, Device platforms or Locations as additional conditions to assign this policy more specifically to a specific scenario.

4.On the Access controls section, configure the following for the grant control.

• Grant: Select Grant > Require multi-factor authentication to require MFA for the user action.
• Session: Not applicable to the user action.

5.Set enable policy to ON. then click on save.

Hopes this helps. Do let us know if you any further queries.

Thanks,

Navya.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.