Web sign-in on Windows 11 Pro device not working with Google federated MS 365 credentials

Administrator 0 Reputation points
2024-05-16T22:14:41.6733333+00:00

Hi all,

I am new to IT administration with no prior experience in the field. My organization has tasked me with enrolling all of our Windows devices into an endpoint management solution and configuring them. I am experimenting with one Windows device before configuring all the computers at my org.

I have added "enable web sign in" and "configure web sign in allowed urls" configuration policies in the Microsoft Intune Admin Console and pushed the changes to the device I am experimenting with. Web sign-in is now an option on the device.

When a user attempts to log in with their federated credentials on the Microsoft log-in screen, they are then redirected to Google for sign-in. No problems so far. The issue is that after they are authenticated by Google, they are redirected to an "Action Required" Microsoft page. Pressing the next button then produces an error that says: "We can't open that page right now. For security reasons you'll need to visit the page from a browser or a different device. If you think you've reached this page because of an error, tell your organization's IT support that you can't access https://mysignins.microsoft.com/api/post/registrationinterrupt".

I tried adding the previous URL to the "configure web sign in allowed urls" compliance policy on Intune. I previously resolved that same error with a different URL by adding it to the Intune policy. I suspect that what Microsoft is trying to do is get the user signing in to register into Microsoft Authenticator for MFA, but the Intune policy has not set permissions to allow visiting whatever web page that is in web sign-in. Logging into any MS site via a browser with the same credentials works immediately after Google authentication.

Wondering if anyone who has ever configured web sign-in on Windows for their organization with federated Google credentials has encountered this issue before. Thank you for your help.


1 answer

  1. Akshay-MSFT 16,931 Reputation points Microsoft Employee
    2024-05-17T08:31:09.7466667+00:00

    @Administrator

    Thanks for your time and patience. I was able to validate this and have the following suggestions for you:

    1. Ensure that you have used OMA URI with custom policy and not service catalog policy:

    To protect your environment and prevent Web Sign-in and above-lock PIN reset outages, you must deploy the ConfigureWebSignInAllowedUrls MDM policy via a custom OMA-URI setting as follows:

    ./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls = first.federated.domain.com;second.federated.domain.com

    2. Log in with an admin account and look for the Shell-Core\Operational log:

    CloudExperienceHost Web App Event 2. Name: 'NavigationBlocked', Value: '{"uri":"https://accounts.google.com/..."}'.

    3. Try enrolling in MFA and setting up the Authenticator app for the test user before testing web sign-in. Once done, try to repro the issue again. This would confirm whether the issue is related to MFA enrollment and not due to the Intune policy.
    4. Also validate that the device is Entra ID joined with Windows 11, version 22H2 with 5030310, or later, as Web sign-in is not supported for Microsoft Entra hybrid joined or domain joined devices.

    If you don't have any further queries and the suggestion works as per your business need, please "Accept the answer (Yes)" and "share your feedback". This will help us and others in the community as well.

    Thanks,

    Akshay Kaushik
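As an added example that is not part of the thread, the following PowerShell snippet pulls the blocked URIs out of the Shell-Core operational log the answer points to and lists the distinct hosts, so each one can be checked against the ConfigureWebSignInAllowedUrls value before being allowed. The channel name `Microsoft-Windows-Shell-Core/Operational` and the `"uri"` JSON field in the event message are assumptions based on the event text quoted above.

```powershell
# Added example (not from the thread): list the URLs that Web sign-in blocked on this
# device so each host can be compared against the ConfigureWebSignInAllowedUrls policy.
# Assumptions: the channel is Microsoft-Windows-Shell-Core/Operational and the blocked
# event's message contains Name: 'NavigationBlocked' with a JSON Value holding "uri".
# Run in an elevated PowerShell session on the test device after reproducing the sign-in.

$LogName = 'Microsoft-Windows-Shell-Core/Operational'

# Read recent events and keep only those reporting a blocked navigation.
$blocked = Get-WinEvent -LogName $LogName -MaxEvents 5000 -ErrorAction Stop |
    Where-Object { $_.Message -match 'NavigationBlocked' }

if (-not $blocked) {
    Write-Host "No NavigationBlocked events found in $LogName; reproduce the sign-in first."
    return
}

# Pull the "uri" field out of the JSON payload embedded in each message.
$records = foreach ($evt in $blocked) {
    if ($evt.Message -match '"uri"\s*:\s*"([^"]+)"') {
        $uri = [System.Uri]$Matches[1]
        [pscustomobject]@{
            Time = $evt.TimeCreated
            Host = $uri.Host
            Uri  = $uri.AbsoluteUri
        }
    }
}

# Newest first, so the page that triggered the most recent error is at the top.
$records | Sort-Object Time -Descending | Format-Table Time, Host, Uri -AutoSize

# Distinct hosts in the semicolon-separated form the policy value expects.
# Only add hosts that belong to your identity provider or Microsoft sign-in flow;
# the allow list is what keeps Web sign-in from navigating to arbitrary sites.
$distinct = ($records | Sort-Object Host -Unique).Host
Write-Host "`nHosts seen in blocked navigations (review each before allowing it):"
Write-Host ($distinct -join ';')
```

The printed host list is a candidate value, not one to paste blindly: compare it with the first.federated.domain.com;second.federated.domain.com format in the answer and keep only the hosts the sign-in flow legitimately needs.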