I tried testing this out using a Windows 10 Azure AD Joined PC (Virtual Machine) hosted on my local Hyper-V. However, I encountered the "The sign-in method you're trying to use isn't allowed. Try a different sign-in method or contact your system administrator." message. This docs page indicates that is because of MFA. I followed the advised steps to exclude that cloud app from my conditional access policy for MFA. However, I still faced the same issue.
I opened a support ticket. Support advised me that the client Windows 10 device that is Azure AD joined must be the physical device... Unfortunately I don't have a physical device that I can Azure AD Join right now, so I can't verify this. But assuming that is the reason, this document could do with calling that out, as I'm sure many people are interested in this feature, would like to test it out, and will likely do as I have done by going down the local VM route.
Document Details
⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
ID: c946fe0f-e18d-2529-2fbf-bce04759fbca
Version Independent ID: 885a61d1-6096-5aa0-fe8d-f1ec8d55e542
The Windows 10 Azure AD Joined Device does not need to be physical; it can be virtual. I've provided my feedback to Azure Support via my support ticket as this information was inaccurate.
The root cause was actually MFA. The docs page in question here does mention in the troubleshooting section that if you don't have Windows Hello for Business but use MFA via conditional access, then you need to exclude the Azure VM Login "App". Now I did the exclusion to our conditional access rule that implements MFA with no result. During my troubleshooting I went as far as to just turn off our conditional access rule altogether, which should have resulted in no more MFA. However, MFA still remained enforced. This led me down a path that resulted in realising that our org implemented MFA before conditional access was GA. We initially used the per-user Office 365 method to enforce MFA. This is still on and enforced and was the reason conditional access was being overridden. For anyone interested there is a page on this topic here: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates#convert-users-from-per-user-mfa-to-conditional-access-based-mfa
I might see if I can suggest an edit to the page in question on this ticket to see if we can put a note to help anyone else who will get stuck if they have the same old settings applied.
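An added check for the situation described in the comment above (not code from the issue author or from the docs page): enumerate accounts whose legacy per-user MFA state is still Enabled or Enforced, because that state takes precedence over Conditional Access MFA policies and their app exclusions. It assumes the MSOnline PowerShell module is installed and that the signed-in account can read user authentication settings; the UPN in the commented-out conversion line is a placeholder.

```powershell
# Added example, not from the issue or the linked docs page.
# Assumes the MSOnline module is installed and the signed-in admin
# can read user authentication settings.
Import-Module MSOnline
Connect-MsolService

# Per-user MFA lives in StrongAuthenticationRequirements; a State of
# Enabled or Enforced overrides any Conditional Access MFA policy,
# including an exclusion for the Azure VM Login app.
$perUserMfa = Get-MsolUser -All |
    Where-Object { $_.StrongAuthenticationRequirements.State -in @('Enabled', 'Enforced') } |
    Select-Object UserPrincipalName,
        @{ Name = 'PerUserMfaState'; Expression = { $_.StrongAuthenticationRequirements.State } }

# Any rows here explain why disabling the Conditional Access rule
# did not remove MFA for those users.
$perUserMfa | Sort-Object UserPrincipalName | Format-Table -AutoSize

# Convert one account to Conditional-Access-only MFA by clearing the
# per-user requirement. Do this only after a Conditional Access policy
# requiring MFA is in place, otherwise that account loses MFA entirely.
# 'user@contoso.example' is a placeholder UPN.
# Set-MsolUser -UserPrincipalName 'user@contoso.example' -StrongAuthenticationRequirements @()
```

Run the listing first and keep its output as a record of which accounts were converted and when.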
danijam changed the title from "Clarification that the Windows 10 PC must be physical" to "Per User MFA overriding conditional access MFA. "The sign-in method you're trying to use isn't allowed."" on May 3, 2020