Cannot login with email after joining Azure AD

Let's say my company has an Azure AD "domainx.com".

I used Windows 11 Pro and joined my laptop (device not account) to domainx.com. I entered my AAD account information and the machine joined up just fine. Everything worked until I logged out and tried to log in with my email address. Every attempt to log in says Invalid username or password. The creds are the exact same ones I used to log in to join the machine to AAD. I try using [email protected] or firstname.lastname and either way it reports invalid creds.

I went digging in events at Application\Microsoft\Windows\AAD\Operational and found some info and error events like:

Info...
DoGetToken Diagnostic Event:
Result: 0xC004844C
User identity: firstname.lastname (not literally, no @domainx.com)
Credential Type: 1
Correlation ID: SOME GUID (changes between login attempts)

Error...
Login failure. Status 0xC004844C
Correlation ID: SOME GUID (changes between login attempts)

What settings should I be looking at to figure out why I can't login with the AAD account?

If I log in with the local admin account I used to join the machine to AAD, and run dsregcmd.exe /status to get some status:

+---------------------------------------------+
| Device State                                                         |
+---------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
               Device Name : DESKTOP-BLAHBLAH


+---------------------------------------------+
| Tenant Details                                                       |
+---------------------------------------------+

                TenantName : domainx.com
                  TenantId : SOME-GUID
               AuthCodeUrl : https://login.microsoftonline.com/SOME-GUID/oauth2/authorize
            AccessTokenUrl : https://login.microsoftonline.com/SOME-GUID/oauth2/token
                    MdmUrl :
                 MdmTouUrl :
          MdmComplianceUrl :
               SettingsUrl :
            JoinSrvVersion : 2.0
                JoinSrvUrl : https://enterpriseregistration.windows.net/EnrollmentServer/device/
                 JoinSrvId : urn:ms-drs:enterpriseregistration.windows.net
             KeySrvVersion : 1.0
                 KeySrvUrl : https://enterpriseregistration.windows.net/EnrollmentServer/key/
                  KeySrvId : urn:ms-drs:enterpriseregistration.windows.net
        WebAuthNSrvVersion : 1.0
            WebAuthNSrvUrl : https://enterpriseregistration.windows.net/webauthn/SOME-GUID/
             WebAuthNSrvId : urn:ms-drs:enterpriseregistration.windows.net
    DeviceManagementSrvVer : 1.0
    DeviceManagementSrvUrl : https://enterpriseregistration.windows.net/manage/SOME-GUID/
     DeviceManagementSrvId : urn:ms-drs:enterpriseregistration.windows.net

+---------------------------------------------+
| User State                                                           |
+---------------------------------------------+

                    NgcSet : NO
           WorkplaceJoined : NO
             WamDefaultSet : NO

+---------------------------------------------+
| SSO State                                                            |
+---------------------------------------------+

                AzureAdPrt : NO
       AzureAdPrtAuthority : 
     AcquirePrtDiagnostics : PRESENT
      Previous Prt Attempt : 2022-01-27 22:26:39.919 UTC
            Attempt Status : 0xc004844c
             User Identity : firstname.lastname (not literally)
           Credential Type : Password
            Correlation ID : SOME-OTHER-GUID
             EnterprisePrt : NO
    EnterprisePrtAuthority : 

+---------------------------------------------+
| Diagnostic Data                                                      |
+---------------------------------------------+

        AadRecoveryEnabled : NO
    Executing Account Name : DESKTOP-BLAHBLAH\username
               KeySignTest : PASSED
Three things to check: can you log in with an "AzureAD\" in front of your UPN, like "AzureAD\[email protected]"? Does anything appear in the Azure AD Sign-In logs, likely with Application "Windows Sign In"? Does the device appear in Azure AD --> Devices?
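As an added diagnostic helper (not from the question, the comment, or Microsoft), the script below collects the two things the thread is looking at: the dsregcmd /status fields that show join and PRT state, and the recent AAD Operational events that carry a result code such as 0xC004844C, with their Correlation IDs so they can be matched against the Azure AD sign-in logs the comment mentions. It assumes an elevated PowerShell session on the affected machine; the event log name is the provider name behind Application\Microsoft\Windows\AAD\Operational.

```powershell
# Added diagnostic helper: summarise device-join state and recent AAD token
# failures on this machine. Not part of the original post; run elevated.

function Get-DsregStatus {
    # dsregcmd /status prints "Key : Value" lines; collect them into a hashtable.
    # The non-greedy key stops at the first " : ", so URL values keep their colons.
    $state = @{}
    foreach ($line in (dsregcmd.exe /status)) {
        if ($line -match '^\s*(?<key>[A-Za-z ]+?)\s*:\s*(?<value>.*)$') {
            $state[$Matches.key.Trim()] = $Matches.value.Trim()
        }
    }
    return $state
}

function Get-AadLoginFailures {
    param([int]$Hours = 24)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-AAD/Operational'
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Keep events that report a result code ("Result: 0x..." or "Status 0x...").
        if ($e.Message -match '(?i)(Result|Status):?\s*(0x[0-9A-F]{8})') {
            $code = $Matches[2]
            $corr = if ($e.Message -match 'Correlation ID:\s*([0-9a-fA-F-]{36})') { $Matches[1] } else { '' }
            $user = if ($e.Message -match 'User identity:\s*(\S+)') { $Matches[1] } else { '' }
            [pscustomobject]@{
                Time = $e.TimeCreated; Id = $e.Id; Level = $e.LevelDisplayName
                Result = $code; UserIdentity = $user; CorrelationId = $corr
            }
        }
    }
}

$s = Get-DsregStatus
# A device-joined machine shows AzureAdJoined = YES. A user who has signed in
# successfully holds a Primary Refresh Token, so AzureAdPrt = NO together with a
# failed "Previous Prt Attempt" means the user sign-in itself failed on this box.
"AzureAdJoined : $($s['AzureAdJoined'])"
"AzureAdPrt    : $($s['AzureAdPrt'])"
"Last PRT try  : $($s['Previous Prt Attempt']) -> $($s['Attempt Status']) for $($s['User Identity'])"
if ($s['User Identity'] -and $s['User Identity'] -notmatch '@') {
    "NOTE: identity carries no @domain suffix; compare with the full UPN or AzureAD\user@domain form."
}
# Correlation IDs listed here can be searched in Azure AD > Sign-in logs.
Get-AadLoginFailures -Hours 48 | Sort-Object Time -Descending | Format-Table -AutoSize
```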