Windows Hello for Business/Autopilot - PIN Creation - Auth Loop with WS1 Access


spg123
Solved by Sascha Warno

Hello,

We’ve been experiencing an issue with Autopilot for the past month or so. Initially, authentication works fine, but when it comes to creating the Windows Hello for Business PIN, it redirects to our On-Premise Workspace ONE Access instance instead of the Microsoft side, where we used Microsoft Authenticator.

I’m not sure why this change occurred, but Workspace ONE Access gets stuck in an authentication loop during PIN creation. After clicking “Skip for Now” following the error, I can still access the Desktop and authenticate to Intelligent Hub, Microsoft 365 via Edge, Office apps, etc. However, attempting to create the PIN through Settings > Accounts > Sign-in Options > PIN (Windows Hello) results in the same error.

From an existing enrolled Windows device, if I click Settings > Accounts > PIN (Windows Hello) > “I forgot my PIN,” it does the same thing.

Does anyone have any idea what could cause the Windows Hello for Business PIN to redirect to our Workspace ONE Access On-Prem (which is federated with M365)? I actually wanted this setup, and if it could work, that would be perfect. We have always had SSO for Microsoft 365 set up this way, but it never did it for Windows Hello for Business PIN creation.

Thanks!

1 Auth Loop.png

2 Auth Failure.png

3 PIN Setup Failure.png

Edited by spg123
Added more info about setup

So yes, H4B PIN setup requires MFA.

In the old federation settings, that happened if you set SupportsMfa to $True, so it would try to do MFA with the IDP instead and redirect until it receives a custom attribute with authnmethodsreferences set to http://schemas.microsoft.com/claims/multipleauthn.

With the newer Graph-based ones, that can happen if FederatedIdpMfaBehavior is set to enforceMfaByFederatedIdp; it should usually be set to either rejectMfaByFederatedIdp or acceptIfMfaDoneByFederatedIdp.

Check the current value through PowerShell with the Graph module using:

Get-MgDomainFederationConfiguration -DomainId 'yourdomain.com'

 

Edited by Sascha Warno

On 9/7/2024 at 9:04 AM, Sascha Warno said:

So yes, H4B PIN setup requires MFA.

In the old federation settings, that happened if you set SupportsMfa to $True, so it would try to do MFA with the IDP instead and redirect until it receives a custom attribute with authnmethodsreferences set to http://schemas.microsoft.com/claims/multipleauthn.

With the newer Graph-based ones, that can happen if FederatedIdpMfaBehavior is set to enforceMfaByFederatedIdp; it should usually be set to either rejectMfaByFederatedIdp or acceptIfMfaDoneByFederatedIdp.

Check the current value through PowerShell with the Graph module using:

Get-MgDomainFederationConfiguration -DomainId 'yourdomain.com'

 

Thank you very much for your response. I found that we had Authnmethodsreferences instead of authnmethodsreferences (case-sensitive). By changing it to authnmethodsreferences, the auth loop stopped, and we can see in the Entra ID log for this event "MFA requirement satisfied by claim provided by external provider".

Cheers!

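An added check, written for this thread and not code from either poster or from Omnissa/Microsoft: it reads the FederatedIdpMfaBehavior value Sascha describes for a federated domain and tests a SAML assertion for the case-sensitive authnmethodsreferences attribute that turned out to be the fix. It assumes the Microsoft Graph PowerShell module is installed, uses 'yourdomain.com' as a placeholder domain, and the SAML fragment at the bottom is constructed to reproduce the wrong casing.

```powershell
# Added example, not from the thread: audits the FederatedIdpMfaBehavior of a federated domain (Graph PowerShell,
# assumes Microsoft.Graph.Identity.DirectoryManagement) and the casing of the MFA claim in a SAML assertion.
$MfaClaimName  = 'authnmethodsreferences'                                # name is case sensitive on the Entra side
$MfaClaimValue = 'http://schemas.microsoft.com/claims/multipleauthn'

function Get-FederationMfaBehavior {
    param([string] $DomainId)
    Connect-MgGraph -Scopes 'Domain.Read.All'
    foreach ($fed in Get-MgDomainFederationConfiguration -DomainId $DomainId) {
        $behavior = $fed.FederatedIdpMfaBehavior
        if ($behavior -eq 'enforceMfaByFederatedIdp') {
            Write-Warning "$DomainId is set to $behavior : Entra always sends MFA to the IdP, and WHfB PIN setup loops if the IdP never returns the MFA claim."
        } else {
            Write-Host "$DomainId FederatedIdpMfaBehavior = $behavior (acceptable)"
        }
        $behavior
    }
}

function Test-SamlMfaClaim {
    param([xml] $Assertion)
    $ns = New-Object System.Xml.XmlNamespaceManager($Assertion.NameTable)
    $ns.AddNamespace('saml', 'urn:oasis:names:tc:SAML:2.0:assertion')
    foreach ($attr in $Assertion.SelectNodes('//saml:Attribute', $ns)) {
        $name = $attr.GetAttribute('Name')
        if ($name -ceq $MfaClaimName) {                                   # -ceq: case-sensitive match
            $value = $attr.SelectSingleNode('saml:AttributeValue', $ns).InnerText
            return ($value -eq $MfaClaimValue)
        }
        if ($name -ieq $MfaClaimName) {                                   # right name, wrong casing: the bug in this thread
            Write-Warning "Attribute '$name' is wrongly cased; Entra ID expects '$MfaClaimName'"
            return $false
        }
    }
    Write-Warning "No $MfaClaimName attribute in the assertion"
    return $false
}

# Constructed sample assertion fragment reproducing the wrong casing from the thread.
$badSample = [xml]@"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="Authnmethodsreferences">
      <saml:AttributeValue>http://schemas.microsoft.com/claims/multipleauthn</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"@
Test-SamlMfaClaim -Assertion $badSample      # warns about casing and returns False
# Get-FederationMfaBehavior -DomainId 'yourdomain.com'   # placeholder domain; run against your own tenant
```

Paste the real assertion captured from a browser SAML trace into the here-string to check what Workspace ONE Access actually sends.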
