Users get prompted for MFA and email

nettech 171 Reputation points
2024-09-22T18:34:05.09+00:00

Hi,

We have an on-prem domain, corp.local, and external.org for our emails. Before we flip from Exchange on-prem to O365 we would like to get all SSO issues resolved.

We currently have two problems.

When users open the Edge or Chrome browsers on their office (corp.local domain-joined) workstations and navigate to portal.azure.com, they are prompted for their username and MFA, which we would like to avoid and make seamless.

We added external.org to our Azure tenant and verified it via a DNS TXT record.

On-prem we added external.org as an alternative UPN suffix and updated all user UPNs using PowerShell scripts (https://www.alitajran.com/change-users-upn-with-powershell/).

Azure AD Connect has been set up and the Password Hash Sync / SSO options enabled.

All on-prem user accounts have been synced to Azure; MFA was enabled on all user accounts and enforced.

To get SSO working in Edge we added https://autologon.microsoftazuread-sso.com and https://aadg.windows.net.nsatc.net under Site to Zone Assignment List (Ref: https://www.alitajran.com/azure-active-directory-single-sign-on/#:~:text=Sign%20in%20on%20a%20domain-joined%20computer%20and%20start,username%20or%20password%3B%20it%20will%20automatically%20sign%20in.)

To get SSO working in Chrome we enabled "Allow automatic sign-in to Microsoft® cloud identity providers" under the Chrome GPOs.

After verifying that the GPOs have been applied to logged-on users we started testing and discovered that SSO does not work. Users are prompted to enter their emails and MFA, but not their passwords, in either browser.

To bypass MFA at the office we added our public IP as an exclusion for MFA in the Azure portal, under Per-user multifactor authentication -> Service Settings ("Skip multifactor authentication for requests from following range of IP address subnets" has our public IP in the format xxx.xx.x.xx).

Does anyone know what's missing and why users are prompted for login IDs and MFA?

Thank you so much

Tags: Microsoft 365, Active Directory, Active Directory Federation Services, Microsoft Entra ID
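The post lists several independent pieces (UPN suffix, Site to Zone Assignment List entries, the Chrome policy, Kerberos against the Seamless SSO service) without a way to confirm each one on the affected workstation. The following diagnostic script is an added example; it is not from the post, the linked articles or Microsoft. It is meant to be run in PowerShell on a corp.local domain-joined workstation as the test user. It assumes external.org is the only verified suffix (taken from the post) and that the GPOs write the standard policy registry locations: Site to Zone Assignment List lands under `...\Internet Settings\ZoneMapKey` with data `1` for Local intranet, and the Chrome setting "Allow automatic sign-in to Microsoft cloud identity providers" is the `CloudAPAuthEnabled` policy value.

```powershell
# Added diagnostic example (not from the original post or from Microsoft).
# Run on a corp.local domain-joined workstation as the test user.
# Assumptions: external.org is the verified suffix (from the post); GPOs write the
# documented policy registry keys (ZoneMapKey, CloudAPAuthEnabled).

$VerifiedDomains = @('external.org')                      # assumption from the post
$SsoUrls = @('https://autologon.microsoftazuread-sso.com',
             'https://aadg.windows.net.nsatc.net')
$ZoneMapPaths = @(
  'HKCU:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey',
  'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
)
$ChromePolicyKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome'

$results = New-Object System.Collections.Generic.List[object]
function Add-Check([string]$Name, [bool]$Ok, [string]$Detail) {
  $results.Add([pscustomobject]@{ Check = $Name; Pass = $Ok; Detail = $Detail })
}

# 1. The logged-on user's UPN suffix must be a domain verified in the tenant;
#    otherwise the synced cloud identity does not match the on-prem Kerberos identity.
$upn = (whoami /upn 2>$null)
$suffix = if ($upn) { $upn.Split('@')[-1] } else { '' }
Add-Check 'UPN suffix is a verified tenant domain' ($VerifiedDomains -contains $suffix) "UPN=$upn"

# 2. Site to Zone Assignment List: each SSO URL must map to zone 1 (Local intranet)
#    so the browser is willing to send a Kerberos ticket to it. User policy wins over
#    machine policy, so HKCU is checked first.
foreach ($url in $SsoUrls) {
  $zone = $null
  foreach ($p in $ZoneMapPaths) {
    if (Test-Path $p) {
      $v = Get-ItemProperty -Path $p -Name $url -ErrorAction SilentlyContinue
      if ($v) { $zone = $v.$url; break }
    }
  }
  Add-Check "Zone map: $url" ($zone -eq '1') "zone=$zone (expected 1)"
}

# 3. Chrome: CloudAPAuthEnabled is the registry value behind
#    "Allow automatic sign-in to Microsoft cloud identity providers".
$chrome = Get-ItemProperty -Path $ChromePolicyKey -Name CloudAPAuthEnabled -ErrorAction SilentlyContinue
Add-Check 'Chrome CloudAPAuthEnabled = 1' ($chrome.CloudAPAuthEnabled -eq 1) "value=$($chrome.CloudAPAuthEnabled)"

# 4. Kerberos: Seamless SSO works by presenting a service ticket for the SPN of the
#    AZUREADSSOACC computer account. klist get requests that ticket on demand; a
#    KDC error here means the SPN or the computer account is missing on-prem.
$klist = & klist get HTTP/autologon.microsoftazuread-sso.com 2>&1 | Out-String
$klistLine = ($klist -split "`n" | Where-Object { $_ -match 'Server:|rror' } | Select-Object -First 1)
Add-Check 'Kerberos ticket for HTTP/autologon.microsoftazuread-sso.com' ($klist -match 'Server:\s+HTTP/autologon') "$klistLine".Trim()

# 5. Device state: dsregcmd reports whether the device is hybrid joined and whether the
#    user session holds a Primary Refresh Token, which is what Edge and Chrome (with
#    the policy above) use for prompt-free sign-in on a domain-joined workstation.
$dsreg = & dsregcmd /status 2>&1 | Out-String
Add-Check 'Device is Entra (hybrid) joined: AzureAdJoined' ($dsreg -match 'AzureAdJoined\s*:\s*YES') ''
Add-Check 'Session holds a PRT: AzureAdPrt' ($dsreg -match 'AzureAdPrt\s*:\s*YES') ''

$results | Format-Table -AutoSize
```

Read the table top to bottom: a failing UPN check points at the directory side, a failing zone or Chrome check at group policy on the workstation, a failing Kerberos check at the AZUREADSSOACC account or its SPN on-prem, and a missing PRT at the device's hybrid join state. The MFA trusted-IP exclusion described in the post is a separate control evaluated in the cloud and is not visible from the workstation, so it is not checked here.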