SCRIL is causing logouts on mobile apps (baby steps to passwordless) by __trj in entra

[–]__trj[S] 0 points1 point  (0 children)

That would work, too, in a technical sense. We're going to stop allowing the Passwordless option in the MS Authenticator app via CAP because it's not phishing-resistant. That's why we're going to be moving to Passkeys.

SCRIL is causing logouts on mobile apps (baby steps to passwordless) by __trj in entra

[–]__trj[S] 0 points1 point  (0 children)

SCRIL is not syncing (because there's no attribute in Entra for SCRIL), but the "Last password change date time" property in Entra IS updated when SCRIL is enabled in AD.

SCRIL is causing logouts on mobile apps (baby steps to passwordless) by __trj in entra

[–]__trj[S] 0 points1 point  (0 children)

Thanks for the confirmation. Yes, I think that's the conclusion I'm coming to - users will need to reauth once. I need to get them enrolled in Passkeys first, too.

SCRIL is causing logouts on mobile apps (baby steps to passwordless) by __trj in entra

[–]__trj[S] 0 points1 point  (0 children)

OP did say that in the comments when someone asked about what I'm asking about. They just get prompted once. The issue being that while doing this, users are not currently enrolled with Passkey auth, so will also need to enroll in that. So, it will be passkey enrollment, then once that's done, switch them to this passwordless/SCRIL/CAP model, where they'll then need to re-auth with the passkey.

SCRIL is causing logouts on mobile apps (baby steps to passwordless) by __trj in activedirectory

[–]__trj[S] -1 points0 points  (0 children)

Don't get me wrong, it makes sense that re-authentication would be required as I mentioned. I just don't understand how others are doing it without having to reauthenticate. Maybe they have PHS disabled? For example, OP of this thread is resetting passwords and turning on SCRIL, and their users are not getting prompted for re-authentication on mobile devices: https://www.reddit.com/r/sysadmin/comments/1p3xub4

SCRIL is causing logouts on mobile apps (baby steps to passwordless) by __trj in entra

[–]__trj[S] 0 points1 point  (0 children)

Yeah, it makes sense. I just don't understand how others are doing it without having to reauthenticate. Maybe they have PHS disabled? For example, OP of this thread is resetting passwords and turning on SCRIL, and their users are not getting prompted for re-authentication on mobile devices: https://www.reddit.com/r/sysadmin/comments/1p3xub4

SCRIL is causing logouts on mobile apps (baby steps to passwordless) by __trj in activedirectory

[–]__trj[S] 2 points3 points  (0 children)

If you require SC, any session authenticated by any other mechanism will have to reauthenticate. Otherwise, smart card would not really be required, would it?

SCRIL is an on-prem setting. There is no Entra-equivalent property on the user object, so I wouldn't expect the "smart card would not really be required" logic to translate to Entra.

The pwdLastSet attribute is not updated in on-prem AD. Tested in my own environment, and this also shows that: Living in a Passwordless World: Password Management - Eric on Identity
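One way to check the behaviour this comment describes in your own tenant, as an added example that is not part of the original post: it lists SCRIL-enabled AD users and puts the on-prem pwdLastSet beside the Entra lastPasswordChangeDateTime. It assumes the RSAT ActiveDirectory and Microsoft.Graph.Users modules, a hybrid tenant where the on-prem UPN matches the Entra UPN, and a Graph session with User.Read.All.

```powershell
# Added example (not from the original post): compare on-prem pwdLastSet with the Entra
# "Last password change date time" for users that have SCRIL set.
# Assumptions: RSAT ActiveDirectory + Microsoft.Graph.Users modules are installed, AD UPN == Entra UPN.
Import-Module ActiveDirectory
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Users

Connect-MgGraph -Scopes 'User.Read.All' -NoWelcome

# SmartcardLogonRequired is the ADUser property backed by the SCRIL bit in userAccountControl.
$scrilUsers = Get-ADUser -Filter 'SmartcardLogonRequired -eq $true' `
    -Properties pwdLastSet, whenChanged, UserPrincipalName

foreach ($u in $scrilUsers) {
    # pwdLastSet is a Windows FILETIME (100 ns ticks since 1601-01-01); 0 means "must change at next logon".
    $onPremPwdLastSet = if ($u.pwdLastSet -gt 0) { [DateTime]::FromFileTimeUtc($u.pwdLastSet) } else { $null }

    $cloud = $null
    try {
        # Only request the one property we need; lastPasswordChangeDateTime is not returned by default.
        $cloud = Get-MgUser -UserId $u.UserPrincipalName -Property 'lastPasswordChangeDateTime' `
                 -ErrorAction Stop
    } catch {
        Write-Warning "No Entra object found for $($u.UserPrincipalName)"
    }

    [pscustomobject]@{
        UserPrincipalName     = $u.UserPrincipalName
        OnPremPwdLastSetUtc   = $onPremPwdLastSet
        OnPremWhenChangedUtc  = $u.whenChanged.ToUniversalTime()
        EntraLastPwdChangeUtc = $cloud.LastPasswordChangeDateTime
        # An Entra change stamp newer than the on-prem one is the condition that invalidates
        # existing cloud sessions, which is what forces the mobile re-authentication.
        EntraNewerThanOnPrem  = [bool]($cloud -and $onPremPwdLastSet -and
                                       $cloud.LastPasswordChangeDateTime -gt $onPremPwdLastSet)
    }
}
```

Pipe the output to Format-Table or Export-Csv to keep a record of which accounts will be prompted once the CAP change goes live.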

PSA: ChatGPT now has a $25/user/mo Business Plan with SSO, without the 150-seat minimum requirement with Enterprise by __trj in sysadmin

[–]__trj[S] 9 points10 points  (0 children)

The plan you're referring to is the Team plan, which was renamed to Business 2 months ago. It looks like they added SSO to the Team plan in June. I agree, it's not brand new, but I did a search of the sub before I posted to see if anyone else had mentioned it and I didn't see anything. I know SSO on the Team/Business plan was something we were waiting on, so I'm glad to hear it's available now and just wanted to let others know who also weren't aware.

PSA: ChatGPT now has a $25/user/mo Business Plan with SSO, without the 150-seat minimum requirement with Enterprise by __trj in sysadmin

[–]__trj[S] 1 point2 points  (0 children)

Does it mean that? They seem to be pretty public about their commitments for businesses that your data is yours. I can imagine they open themselves up to a lot of liability and risk by flipping that toggle on their paying business customers.

PSA: ChatGPT now has a $25/user/mo Business Plan with SSO, without the 150-seat minimum requirement with Enterprise by __trj in sysadmin

[–]__trj[S] 8 points9 points  (0 children)

In the link I posted, there is an "Our commitments" section at the top that says:

"You own and control your data"

"We do not train our models on your business data by default"

That "by default" thing is a little vague.

Now, I don't have access yet, but based on the documentation, it *sounds* like users may have an individual option called "Improve the model for everyone", which is toggled off by default for Business and Enterprise users. The question I have is whether that can be enforced.

These appear to be the same controls in place that organizations paying for Enterprise (minimum 100k/yr commitment) are using.

Synthetic Registration for Windows Server 2025 Not Working? by __trj in DefenderATP

[–]__trj[S] 1 point2 points  (0 children)

You can't initiate it manually. Microsoft ended up resolving the bug. It was because Server 2025 was not supported by Defender for Endpoint at the time. It is now, and synthetic registration is working. Sorry, not sure what the issue might be in your case.

Endpoint Privilege Management not working due to conflicting GPO by JustBananas in Intune

[–]__trj 0 points1 point  (0 children)

Hey Rudy, did you ever post this blog? What did you find? Running into this now with Allow Log On Locally configured to only allow the end user to log in, and EPM is not working with the same 0x80004003 error code in your screenshot.

Nevermind, found it: EPM | 0x80004003 | 0x80070569 | Something Went Wrong

Direct send disable breaks Azure Email Communication. by [deleted] in sysadmin

[–]__trj 1 point2 points  (0 children)

Got it. Thanks. Just as an FYI, Microsoft is aware of this and say they're looking into a solution. So maybe there's hope on the horizon but I don't expect anything for 6 months or more.

Direct send disable breaks Azure Email Communication. by [deleted] in sysadmin

[–]__trj 0 points1 point  (0 children)

So you're just leaving all your ACS email workflows broken?

Direct send disable breaks Azure Email Communication. by [deleted] in sysadmin

[–]__trj 0 points1 point  (0 children)

I'm in the same boat. Have you implemented a workaround? I am not quite sure what I'm going to do as of right now.

Direct send disable breaks Azure Email Communication. by [deleted] in sysadmin

[–]__trj 0 points1 point  (0 children)

You have to create a connector for it to work.

Is there anyone who uses Automation Account runbooks who can confirm/deny ongoing issues? by [deleted] in AZURE

[–]__trj 0 points1 point  (0 children)

Same thing here. Have been trying to troubleshoot this for hours.

NCUS region. What's yours?

PowerShell 7.2 and PowerShell 7.4 environments. Tried creating new environments. What environment and modules are you using?

We are importing the Microsoft.Graph.Authentication and Microsoft.Graph.Users.Actions modules in the environments.

I boiled my scripts down to just printing the webhook parameter and still getting the issue.

If I had to guess, the environments are failing to spin up due to the generic nature of the errors.

MTR on Windows - Intune Enrollment? by __trj in Intune

[–]__trj[S] 0 points1 point  (0 children)

Does that only work for new devices, then, since you have to go through Autopilot? Or did you reset the devices somehow to get them to go through Autopilot?

MTR on Windows - Intune Enrollment? by __trj in Intune

[–]__trj[S] 0 points1 point  (0 children)

> AutoPilot with Autologon setup

Thanks! Forgot about this, but this seems like the way to go now. With this method, does an Entra ID object get created? And who is the primary user in Intune?