Computers using M365 authentication only will not recognize Admin accounts for permission approvals

Glen Palmer 0 Reputation points
2024-10-08T18:17:10.67+00:00

I hope the subject makes sense, but we have started transitioning computer users in our company to M365 logins instead of maintaining a separate AD for it. So, they are now authenticating against the default Azure AD used by M365.

On a new computer, the user logs into it/Windows with their M365 User account. Everything is fine with the end-user on the computer. They can use it day-to-day normally.

Where we have an issue is when they do something that requires Administrator permissions (i.e., install software). They ask me for help (I am an Admin for our tenant) and I enter my M365 login (email/password) but it says the user or password is incorrect. I have verified the password is correct many times, but this keeps happening and we don't know why.

When a user logs into a computer or account via M365, it essentially joins it to the Azure AD network. So then why is it not able to verify that I am an admin for the tenant? This has been going on way too long and with too many people to not hit Microsoft's radar by now. The only way we can fix it/get around it is to set up a local admin account on the computer before giving it to the person, or domain joining it back to our old private AD and using those admin accounts.

This should be a cakewalk, but I don't know why it is failing. Does anyone have some insight on this issue?


1 answer

  1. James Hamil 26,116 Reputation points Microsoft Employee
    2024-10-08T19:25:01.32+00:00

    Hi @Glen Palmer, make sure that the devices are properly joined to Azure AD. Sometimes, devices might not be fully registered, causing authentication issues. You can verify this in the Azure AD portal under "Devices."

    Double-check that your admin account has the necessary roles assigned in Azure AD. You should have roles like "Global Administrator" or "Intune Administrator" to perform administrative tasks.

    When users log in with their M365 accounts, they might not have local admin rights on the device. You can configure this by adding the admin account to the local administrators group on the device. This can be done via Intune policies or manually.

    Review any Conditional Access policies that might be affecting admin logins. Sometimes, these policies can inadvertently block or restrict admin access. Also verify that MFA is not causing issues with admin logins. Sometimes MFA prompts can interfere with the authentication process.

    If you're using password hash synchronization, check that the passwords are correctly synced between on-premises AD and Azure AD.

    Please let me know if you have any questions and I can help you further.

    If this answer helps you please mark "Accept Answer" so other users can reference it.

    Thank you,

    James
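
Two of the checks in the answer above (whether the device is actually joined, and who is in the local Administrators group) can be run on the affected PC with PowerShell. This is an added example, not part of the original thread or Microsoft's own tooling; the function names `Get-JoinState` and `Get-LocalAdminSummary` and the sample lines are constructed for illustration.

```powershell
# Added example; function names and sample values are constructed for illustration.

function Get-JoinState {
    # Parse the "Name : Value" lines that `dsregcmd /status` prints.
    param([Parameter(Mandatory)][string[]]$StatusLines)
    $kv = @{}
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*(\w+)\s*:\s*(.*\S)\s*$') { $kv[$Matches[1]] = $Matches[2] }
    }
    [pscustomobject]@{
        AzureAdJoined = ($kv['AzureAdJoined'] -eq 'YES')  # device is joined to Entra ID
        DomainJoined  = ($kv['DomainJoined']  -eq 'YES')  # device is joined to on-premises AD
        AzureAdPrt    = ($kv['AzureAdPrt']    -eq 'YES')  # signed-in user holds a primary refresh token
        TenantName    = $kv['TenantName']
    }
}

function Get-LocalAdminSummary {
    # Members of BUILTIN\Administrators (well-known SID S-1-5-32-544) and their source.
    # SIDs beginning S-1-12-1- are Entra ID objects (users, groups or directory roles).
    # If this throws because a member cannot be resolved, `net localgroup Administrators`
    # lists the raw entries instead.
    Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop | ForEach-Object {
        [pscustomobject]@{
            Name    = $_.Name
            Source  = $_.PrincipalSource
            Sid     = $_.SID.Value
            IsEntra = $_.SID.Value -like 'S-1-12-1-*'
        }
    }
}

# Constructed sample of dsregcmd output so the parser can be exercised offline.
$sample = @(
    '             AzureAdJoined : YES',
    '              DomainJoined : NO',
    '                TenantName : Contoso',
    '                AzureAdPrt : YES'
)
Get-JoinState -StatusLines $sample

# On the affected PC (Windows only):
# Get-JoinState -StatusLines (dsregcmd /status)
# Get-LocalAdminSummary | Format-Table -AutoSize
```

If `AzureAdJoined` is false, or no entry with `IsEntra` set covers the admin account, the account has no local administrator rights on that device regardless of its tenant role.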

