Share via

Users get prompted for MFA and email

nettech 171 Reputation points
2024-09-22T18:34:05.09+00:00

Hi,

We have corp.local on prem domain and external.org for our emails. Before we flip from Exchange on prem to O365 we would like to get all SSO issues resolved.

We currently have two problems.

When users open Edge or Chrome browsers on their office (corp.local domain joined) workstations and navigate to portal.azure.com, they are prompted for user name and MFA which we would like to avoid and make it seamless.

We added external.org to our azure tenant and verified it via a DNS txt record.

On prem we added external.org as an alternative UPN suffix and updated all user UPNs using powershell scripts (https://www.alitajran.com/change-users-upn-with-powershell/)

Azure ad connect has been set up and Password Hash Sync / SSO options enabled.

All onprem user accounts have been synced to Azure, MFA was enabled on all user accounts and enforced.

To get SSO working in edge we added https://autologon.microsoftazuread-sso.com and https://aadg.windows.net.nsatc.net under Site to Zone Assignment List (Ref: https://www.alitajran.com/azure-active-directory-single-sign-on/#:~:text=Sign%20in%20on%20a%20domain-joined%20computer%20and%20start,username%20or%20password%3B%20it%20will%20automatically%20sign%20in.)

To get SSO working in chrome we Enabled "Allow automatic sign-in to Microsoft® cloud identity providers" under chrome GPOs

After verifying that GPOs have been applied to logged on users we started testing and discovered that SSO does not work. Users are prompted to enter their emails and MFA but not the passwords in either of the browsers.

To bypass MFA at the office we added our public IP as an exclusion for MFA in Azure portal.

(Skip multifactor authentication for requests from following range of IP address subnets: has our Public IP in the following format xxx.xx.x.xx)

Per-user multifactor authentication-> Service Settings

Does anyone know what's missing and why users are prompted for login IDs and MFAs?

Thank you so much

Microsoft 365
Microsoft 365
Formerly Office 365, is a line of subscription services offered by Microsoft which adds to and includes the Microsoft Office product line.
4,992 questions
Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
6,578 questions
Active Directory Federation Services
Active Directory Federation Services
An Active Directory technology that provides single-sign-on functionality by securely sharing digital identity and entitlement rights across security and enterprise boundaries.
1,261 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
21,903 questions

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Akhilesh Vallamkonda 9,850 Reputation points Microsoft Vendor
    2024-10-14T20:02:28.8866667+00:00

    Hi @nettech

    I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others ", I'll repost your solution in case you'd like to "Accept " the answer.

    Issue:

    Users get prompted for MFA and email

    Solution:

    There was a misconception on the computer object sync. Once you synced computers to Azure AD email prompt went away

    If you have any other questions or are still running into more issues, please let me know. Thank you again for your time and patience throughout this issue.

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.