Web Sign In when domain is SAML Federated has stopped working!

AK 16 Reputation points
2022-02-21T03:31:12.38+00:00

We've been using Web Sign In for our Azure AD Joined laptops for a while now and it was working blissfully. Users did not need to enter passwords for all services related to Office365. The world was good. However, since Friday, all we are now getting is the error message (see attached screenshot):

----------

You'll need the Internet for this.

It doesn't look like you're connected to the Internet. Check your connection and try again.

----------

The odd thing about this is that the laptop is definitely connected to the Internet as the SAML bits are working - i.e. I'm redirected to our IdP where I complete the SAML authentication, but at the point where I'd ordinarily see the desktop, I instead get the error message described above. Someone on Reddit posted something similar where they are using Google as their IdP just 10 days ago. However, they stated they were able to resolve the issue - I was unable to get my environment working using their fix/workaround.

In addition, when I look at sign-in logs in Azure Portal, I see the following for my failed login:

----------

Authentication requirement:   Single-factor authentication  
Status:                       Failure  
Continuous access evaluation: No  
Sign-in error code:           130506  
Failure reason:               Access Pass must be used for Web Sign In. Contact your admin to get an Access Pass.  

----------

I've seen mention elsewhere on the Internet about configuring Temporary Access Pass (TAP). I was able to get that configured and was then able to log in to the desktop. However, our SAML federation allows us to use our Passwordless solution, which is now broken. Using a TAP is counterintuitive as that can be considered a password, no?

What do we need to do to get this working again?

(Attached screenshot: 176185-selection-00510.png)
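The sign-in record quoted above (error code 130506, "Access Pass must be used for Web Sign In") is the one concrete signal in this thread, and an admin facing the same outage will want to know how many users hit it and when it started. The following is an added example, not code from the question or from Microsoft: it scans a constructed JSON export of Entra ID sign-in events and reports the 130506 failures. The field names (`userPrincipalName`, `createdDateTime`, `status.errorCode`, `status.failureReason`) follow the Microsoft Graph `signIn` resource, which is also the shape of the portal's JSON download; the sample events and the user names are constructed for this example.

```python
"""Scan an exported Entra ID (Azure AD) sign-in log for the Web Sign-In
failure quoted in the question: error code 130506, "Access Pass must be
used for Web Sign In".

Added example, not code from the question. Field names follow the
Microsoft Graph signIn resource; the events below are constructed."""

import json
from collections import Counter
from datetime import datetime

# Error code quoted verbatim in the question's sign-in log entry.
WEB_SIGNIN_TAP_REQUIRED = 130506

# Constructed sample export: three 130506 failures (two for alice, one for bob),
# one success, and one unrelated failure (50126, bad username/password).
SAMPLE_SIGNIN_EXPORT = json.dumps([
    {"createdDateTime": "2022-02-18T08:12:41Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Windows Sign In",
     "status": {"errorCode": 130506,
                "failureReason": "Access Pass must be used for Web Sign In. Contact your admin to get an Access Pass."}},
    {"createdDateTime": "2022-02-18T08:15:03Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Windows Sign In",
     "status": {"errorCode": 130506,
                "failureReason": "Access Pass must be used for Web Sign In. Contact your admin to get an Access Pass."}},
    {"createdDateTime": "2022-02-18T09:00:00Z", "userPrincipalName": "bob@example.com",
     "appDisplayName": "Office 365 SharePoint Online",
     "status": {"errorCode": 0, "failureReason": "Other."}},
    {"createdDateTime": "2022-02-21T03:20:11Z", "userPrincipalName": "bob@example.com",
     "appDisplayName": "Windows Sign In",
     "status": {"errorCode": 130506,
                "failureReason": "Access Pass must be used for Web Sign In. Contact your admin to get an Access Pass."}},
    {"createdDateTime": "2022-02-21T03:25:00Z", "userPrincipalName": "carol@example.com",
     "appDisplayName": "Windows Sign In",
     "status": {"errorCode": 50126, "failureReason": "Invalid username or password."}},
])


def parse_signins(export_json):
    """Load a JSON export (a list of signIn objects) into Python dicts."""
    return json.loads(export_json)


def _ts(event):
    # Graph emits UTC timestamps with a trailing 'Z'; fromisoformat needs '+00:00'.
    return datetime.fromisoformat(event["createdDateTime"].replace("Z", "+00:00"))


def web_signin_tap_failures(events):
    """Return only the events that failed with the Web Sign-In / TAP error code."""
    return [e for e in events if e.get("status", {}).get("errorCode") == WEB_SIGNIN_TAP_REQUIRED]


def affected_users(events):
    """Count 130506 failures per user, so the scope of the outage is visible at a glance."""
    return dict(Counter(e["userPrincipalName"] for e in web_signin_tap_failures(events)))


def first_seen(events):
    """Earliest 130506 failure, to line the onset up against any tenant or IdP change
    (the question only says 'since Friday')."""
    times = [_ts(e) for e in web_signin_tap_failures(events)]
    return min(times) if times else None


if __name__ == "__main__":
    evts = parse_signins(SAMPLE_SIGNIN_EXPORT)
    print("affected users:", affected_users(evts))
    print("first seen:", first_seen(evts))
```

Run it against a real export by replacing `SAMPLE_SIGNIN_EXPORT` with the file contents; a large `affected_users` count with a sharp `first_seen` onset points at a tenant-wide change rather than individual credential problems.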

Microsoft Entra ID

2 answers

  1. Christian 1 Reputation point
    2022-02-22T09:50:07.833+00:00

    Hello, same problem here... any solution?


  2. VipulSparsh-MSFT 16,271 Reputation points Microsoft Employee
    2022-03-03T11:09:06.213+00:00

    @AK @Christian @Corey Roberts

    If the setup was working previously, I am assuming that there were no configuration issues that led to this issue.
    The only thing to check at this point is to make sure that the TAP is still valid.

    If you can confirm that the TAP is valid and the users still see the error, it is important to check if they are able to use the TAP for the Office 365 service. If yes, then I can take this offline and investigate further.

    Please reach out to me at azcommunity@microsoft.com with subject "Atten-Vipul" and I will sync up with you further.

    Here is the setup which is required for this, just in case anyone wants to go through it: https://www.petervanderwoude.nl/post/enabling-web-sign-in-to-windows-for-usage-with-temporary-access-pass/

    Hope it helps.
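The answer's first check is "make sure that the TAP is still valid". A TAP has a start time, a lifetime in minutes and, for one-time passes, a used/unused state, so validity is a small date calculation an admin can run against the Graph listing of a user's passes. The following is an added example, not code from the answer or from Microsoft: it classifies each pass in a constructed Graph response as valid, expired, not yet valid, or unusable. The field names (`startDateTime`, `lifetimeInMinutes`, `isUsableOnce`, `isUsable`) follow the Graph `temporaryAccessPassAuthenticationMethod` resource as I know it; verify them against the current documentation before relying on the script, and treat the pass ids and timestamps below as constructed.

```python
"""Classify a user's Temporary Access Passes by validity window.

Added example, not code from the answer. Field names follow the Microsoft
Graph temporaryAccessPassAuthenticationMethod resource (assumption: verify
against current docs); the response below is constructed, not fetched."""

import json
from datetime import datetime, timedelta, timezone

# Constructed "now" so the example is reproducible offline.
SAMPLE_NOW = datetime(2022, 2, 22, 10, 0, tzinfo=timezone.utc)

# Constructed Graph response, as GET /users/{id}/authentication/temporaryAccessPassMethods
# would shape it: one live pass, one expired, one not started, one one-time pass already used.
SAMPLE_TAP_RESPONSE = json.dumps({"value": [
    {"id": "tap-valid",   "startDateTime": "2022-02-22T09:00:00Z", "lifetimeInMinutes": 480,
     "isUsableOnce": False, "isUsable": True},
    {"id": "tap-expired", "startDateTime": "2022-02-18T08:00:00Z", "lifetimeInMinutes": 60,
     "isUsableOnce": False, "isUsable": False},
    {"id": "tap-future",  "startDateTime": "2022-02-23T08:00:00Z", "lifetimeInMinutes": 60,
     "isUsableOnce": False, "isUsable": False},
    {"id": "tap-used",    "startDateTime": "2022-02-22T09:30:00Z", "lifetimeInMinutes": 60,
     "isUsableOnce": True,  "isUsable": False},
]})


def _parse_iso(ts):
    # Graph timestamps end in 'Z'; fromisoformat wants an explicit offset.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def tap_window(method):
    """Return (start, end) of the pass's validity window as aware datetimes."""
    start = _parse_iso(method["startDateTime"])
    return start, start + timedelta(minutes=int(method["lifetimeInMinutes"]))


def tap_status(method, now):
    """One of 'not_yet_valid', 'expired', 'unusable' (inside the window but the
    service reports isUsable=false, e.g. a consumed one-time pass) or 'valid'."""
    start, end = tap_window(method)
    if now < start:
        return "not_yet_valid"
    if now >= end:
        return "expired"
    if not method.get("isUsable", True):
        return "unusable"
    return "valid"


def classify_taps(response_json, now):
    """Map each pass id to its status."""
    methods = json.loads(response_json).get("value", [])
    return {m["id"]: tap_status(m, now) for m in methods}


def usable_taps(response_json, now):
    """Ids of passes a user could present right now."""
    return [pid for pid, st in classify_taps(response_json, now).items() if st == "valid"]


if __name__ == "__main__":
    for pid, st in classify_taps(SAMPLE_TAP_RESPONSE, SAMPLE_NOW).items():
        print(pid, st)
```

If this reports no `valid` pass for a user who still gets error 130506, the TAP is the cause and a fresh one is needed; if a valid pass exists and the error persists, that is the point at which the answer suggests checking whether the same TAP works for Office 365 and escalating.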

