spg123
Posted September 6 (edited)

Hello,

We’ve been experiencing an issue with Autopilot for the past month or so. Initially, authentication works fine, but when it comes to creating the Windows Hello for Business PIN, it redirects to our On-Premise Workspace ONE Access instance instead of the Microsoft side, where we used Microsoft Authenticator. I’m not sure why this change occurred, but Workspace ONE Access gets stuck in an authentication loop during PIN creation.

After clicking “Skip for Now” following the error, I can still access the Desktop and authenticate to Intelligent Hub, Microsoft 365 via Edge, Office apps, etc. However, attempting to create the PIN through Settings > Accounts > Sign-in Options > PIN (Windows Hello) results in the same error. From an existing enrolled Windows device, if I click Settings > Accounts > PIN (Windows Hello) > “I forgot my PIN,” it does the same thing.

Does anyone have any idea what could cause the Windows Hello for Business PIN to redirect to our Workspace ONE Access On-Prem (which is federated with M365)? I actually wanted this setup, and if it could work, that would be perfect. We have always had SSO for Microsoft 365 set up this way, but it never did it for Windows Hello for Business PIN creation.

Thanks!

Edited September 6 by spg123: Added more info about setup
Sascha Warno (Employee, marked as Solution)
Posted September 7 (edited)

So yes, H4B PIN setup requires MFA.

In the old federation settings, that happened if you set SupportsMfa to $True: it would then try to do MFA with the IDP instead and redirect until it receives a custom attribute with authnmethodsreferences set to http://schemas.microsoft.com/claims/multipleauthn.

With the newer Graph-based ones, that can happen if FederatedIdpMfaBehavior is set to enforceMfaByFederatedIdp; it should usually be set to either rejectMfaByFederatedIdp or acceptIfMfaDoneByFederatedIdp.

Check the current value through PowerShell with the Graph module using:

Get-MgDomainFederationConfiguration -DomainId 'yourdomain.com'

Edited September 7 by Sascha Warno
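As an added example (not code from the thread or from Omnissa/Microsoft), the following PowerShell script audits the FederatedIdpMfaBehavior setting the answer above points to and, with -Fix, switches an enforceMfaByFederatedIdp domain to acceptIfMfaDoneByFederatedIdp. It assumes the Microsoft.Graph.Identity.DirectoryManagement module is installed and that the signed-in account can consent to Domain.ReadWrite.All; 'contoso.example' is a placeholder domain.

```powershell
# Added example: audit (and optionally correct) the federation MFA behaviour of a domain.
# Assumptions: Microsoft.Graph.Identity.DirectoryManagement is installed; the account
# used for Connect-MgGraph has the Domain.ReadWrite.All scope (Domain.Read.All suffices
# for a read-only run). 'contoso.example' is a placeholder, not a real tenant domain.
param(
    [string]$DomainId = 'contoso.example',
    [switch]$Fix
)

Import-Module Microsoft.Graph.Identity.DirectoryManagement
Connect-MgGraph -Scopes 'Domain.ReadWrite.All' -NoWelcome

# A verified domain can carry one federation configuration; iterate defensively anyway.
$configs = Get-MgDomainFederationConfiguration -DomainId $DomainId
if (-not $configs) {
    Write-Host "$DomainId has no federation configuration (managed domain)."
    return
}

foreach ($fed in $configs) {
    $behavior = $fed.FederatedIdpMfaBehavior
    Write-Host "$DomainId (issuer $($fed.IssuerUri)): FederatedIdpMfaBehavior = $behavior"

    switch ($behavior) {
        'enforceMfaByFederatedIdp' {
            # Every MFA-requiring flow (WHfB PIN provisioning included) is redirected to the IdP,
            # which is the loop described in the question when the IdP never returns the MFA claim.
            Write-Warning 'MFA is delegated entirely to the federated IdP.'
            if ($Fix) {
                Update-MgDomainFederationConfiguration -DomainId $DomainId `
                    -InternalDomainFederationId $fed.Id `
                    -FederatedIdpMfaBehavior 'acceptIfMfaDoneByFederatedIdp'
                Write-Host 'Updated to acceptIfMfaDoneByFederatedIdp.'
            }
        }
        'acceptIfMfaDoneByFederatedIdp' {
            Write-Host 'OK: Entra ID accepts the IdP MFA claim but can also run its own MFA.'
        }
        'rejectMfaByFederatedIdp' {
            Write-Host 'OK: Entra ID ignores IdP MFA claims and always performs its own MFA.'
        }
        default {
            Write-Host 'Behaviour not set explicitly; Entra ID falls back to the legacy SupportsMfa setting.'
        }
    }
}
```

Run it read-only first (`.\Check-FederationMfa.ps1 -DomainId yourdomain.com`) and only pass -Fix once you have confirmed the IdP side is either configured to return the multipleauthn claim or you intend Entra ID to handle MFA itself.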
spg123 (Author)
Posted September 9

On 9/7/2024 at 9:04 AM, Sascha Warno said:

> So yes, H4B PIN setup requires MFA. In the old federation settings, that happened if you set SupportsMfa to $True: it would then try to do MFA with the IDP instead and redirect until it receives a custom attribute with authnmethodsreferences set to http://schemas.microsoft.com/claims/multipleauthn. With the newer Graph-based ones, that can happen if FederatedIdpMfaBehavior is set to enforceMfaByFederatedIdp; it should usually be set to either rejectMfaByFederatedIdp or acceptIfMfaDoneByFederatedIdp. Check the current value through PowerShell with the Graph module using Get-MgDomainFederationConfiguration -DomainId 'yourdomain.com'

Thank you very much for your response. I found that we had Authnmethodsreferences instead of authnmethodsreferences (case sensitive). By changing it to authnmethodsreferences, the auth loop stopped, and we can see in the Entra ID log for this event "MFA requirement satisfied by claim provided by external provider".

Cheers!
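The root cause in the reply above was a claim name that differed only in letter case. As an added example (not from the thread or from any vendor), this PowerShell function parses a SAML assertion and checks, case-sensitively, for the authnmethodsreferences claim with the multipleauthn value, reporting "WrongCase" separately from "Missing" so the symptom is obvious in a log. The assertion embedded below is constructed for illustration and deliberately reproduces the capitalisation error; the claim and value URIs are the ones Entra ID documents for federated MFA.

```powershell
# Added example: offline check of the MFA claim in a SAML assertion captured from the IdP.
# The assertion is constructed here and intentionally carries the mis-cased claim name.
$assertionXml = @'
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example-assertion" Version="2.0">
  <saml2:AttributeStatement>
    <saml2:Attribute Name="http://schemas.microsoft.com/claims/Authnmethodsreferences">
      <saml2:AttributeValue>http://schemas.microsoft.com/claims/multipleauthn</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>
'@

function Test-EntraMfaClaim {
    param([Parameter(Mandatory)][string]$AssertionXml)

    $expectedName  = 'http://schemas.microsoft.com/claims/authnmethodsreferences'
    $expectedValue = 'http://schemas.microsoft.com/claims/multipleauthn'

    $doc = [xml]$AssertionXml
    $ns  = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('saml2', 'urn:oasis:names:tc:SAML:2.0:assertion')

    $attributes = $doc.SelectNodes('//saml2:AttributeStatement/saml2:Attribute', $ns)

    foreach ($attr in $attributes) {
        $name   = $attr.GetAttribute('Name')
        $values = @($attr.SelectNodes('saml2:AttributeValue', $ns) | ForEach-Object { $_.InnerText.Trim() })

        # -ceq / -ccontains are case-sensitive; Entra ID matches the claim name exactly.
        if ($name -ceq $expectedName) {
            if ($values -ccontains $expectedValue) {
                return [pscustomobject]@{ Result = 'OK'; Detail = "Claim present with value $expectedValue" }
            }
            return [pscustomobject]@{ Result = 'WrongValue'; Detail = "Claim present, values: $($values -join ', ')" }
        }
        # -ieq ignores case: same claim, wrong capitalisation (the thread's bug).
        if ($name -ieq $expectedName) {
            return [pscustomobject]@{ Result = 'WrongCase'; Detail = "Found '$name'; expected '$expectedName'" }
        }
    }
    [pscustomobject]@{ Result = 'Missing'; Detail = 'No authnmethodsreferences claim in assertion' }
}

Test-EntraMfaClaim -AssertionXml $assertionXml
```

Paste a real assertion (decoded from the SAMLResponse captured with browser developer tools or a SAML tracer) into $assertionXml to verify the IdP side before touching the tenant's FederatedIdpMfaBehavior; a "WrongCase" or "Missing" result explains an authentication loop on PIN provisioning without any change on the Entra ID side.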