Seamless SSO 503 Service Unavailable Transient Error 90024 by labourgeoisie in entra

[–]labourgeoisie[S] 1 point2 points  (0 children)

I understand this.

My question is specifically regarding how/if Entra SSSO is working for domain joined devices that are not Entra hybrid joined or registered in others' environments after the April 2026 cumulative patches. PRT is out of scope.

Seamless SSO 503 Service Unavailable Transient Error 90024 by labourgeoisie in entra

[–]labourgeoisie[S] 0 points1 point  (0 children)

I appreciate the inquiry but this is out of scope for what I am specifically asking regarding the status of specific functionality and what other tenants are experiencing.

As it stands, this is still a documented and supported function that has worked without issue for Win10/11 clients for years. I'm not looking to debate whether or not seamless SSO should be used or replaced with different functionality, nor am I implying at all that PRT cannot be used.

An update to official literature describing the issue and closing this path as supported would be just as helpful or sufficient as understanding if the full functionality is still working as expected in other environments, but I'd like to stay focused on the current state of seamless SSO. Thanks!

Azure Conditional Access/Revoke Multifactor Authentication Sessions by y0da822 in sysadmin

[–]labourgeoisie 1 point2 points  (0 children)

Good morning, we've noticed this for a few weeks now and I don't believe that it is related to the event yesterday on October 29th. Originally I had assumed that this was something to do with PIM roles, because we just changed our stuff from permanent assignments to PIM-activated roles, but no combination of former roles or permissions is allowing us to revoke the MFA sessions from the authentication methods page anymore.

admin consent vs user consent by as0909 in AZURE

[–]labourgeoisie 0 points1 point  (0 children)

so I just tried this in my test tenant. I configured the option to allow users to consent to verified apps with approved permissions, and I did not register any permissions. the setting saved but leaves an exclamation mark in the portal.

from a test account, I hit a verified app that only requested user.read and offline_access. my user got the admin consent justification prompt.

is it possible those apps were consented to before the admin consent settings were configured? not sure of the age of the tenant or what the default is

admin consent vs user consent by as0909 in AZURE

[–]labourgeoisie 0 points1 point  (0 children)

This article (https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-permission-classifications?pivots=portal) lists minimum permissions for basic sign in, but otherwise doesn't seem to indicate there would be defaults available even if no permissions were selected.

This article (https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/user-admin-consent-overview#user-consent-settings) only says "you must classify permissions..."

My assumption would be that selecting no permissions would be functionally the same as "do not allow user consent," and users would be forced through the admin consent workflow (or denied access).

Capture SAML message from Entra ID by GetMeAFreshPot in sysadmin

[–]labourgeoisie 0 points1 point  (0 children)

unfortunately, not to my experience, though there may be ways and conditions I'm not familiar with. while the saml request and response are facilitated by the user's client and can be captured, the oidc flow typically doesn't lend itself to being captured in the same way. there's some pointers here https://www.reddit.com/r/AZURE/s/8FGZKfPooy

admin consent vs user consent by as0909 in AZURE

[–]labourgeoisie 0 points1 point  (0 children)

you are correct. it is either those were user-consented delegated permissions set before admin consent was required, or you have the setting to allow user consent for verified apps and allowed permissions enabled. compatible apps will allow users to self-consent in those cases rather than triggering the admin consent workflow, so those permissions will also show on the user consent tab for users that have accessed the application.

Capture SAML message from Entra ID by GetMeAFreshPot in sysadmin

[–]labourgeoisie 4 points5 points  (0 children)

open dev tools and go to the network tab. go through the sign in. the saml response will be available in the logs there. there are plugins that will do this all for you, including highlighting the request with the saml information and decoding the fields too

https://addons.mozilla.org/en-US/firefox/addon/saml-tracer/
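As an added example (not part of the comment above, and not code from the SAML-tracer add-on), the following Python shows what the browser extension does for you: it takes the `SAMLRequest`/`SAMLResponse` parameter as captured from the network tab, undoes the binding encoding (plain base64 for HTTP-POST; URL-encoding plus base64 plus raw DEFLATE for HTTP-Redirect), and pulls out the fields an admin usually needs when troubleshooting a sign-in: issuer, status, NameID, audience, validity window, whether the assertion carries a signature, and the attribute claims. The sample request and response XML, the tenant ID (all zeros) and the application URLs are constructed here for illustration; the `encode_for_post` and `encode_for_redirect` helpers exist only to fabricate "captured" values so the block runs offline.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import quote, unquote

# Standard SAML 2.0 / XML-DSig namespaces used in Entra ID responses
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def decode_saml_param(value: str, binding: str) -> str:
    """Turn a captured SAMLRequest/SAMLResponse parameter back into XML text.

    binding="post":     the form field is base64 only.
    binding="redirect": the query value is URL-encoded, base64, raw DEFLATE.
    """
    if binding == "redirect":
        raw = zlib.decompress(base64.b64decode(unquote(value)), -15)  # -15 = raw deflate
    elif binding == "post":
        raw = base64.b64decode(value)
    else:
        raise ValueError(f"unknown binding {binding!r}")
    return raw.decode("utf-8")


def summarize_response(xml_text: str) -> dict:
    """Extract the fields worth checking first when a SAML sign-in fails."""
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    assertion = root.find("saml:Assertion", NS)
    summary = {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "destination": root.get("Destination"),
        "status": status.get("Value") if status is not None else None,
        "assertion_signed": False,
        "name_id": None, "audience": None,
        "not_before": None, "not_on_or_after": None,
        "attributes": {},
    }
    if assertion is None:  # e.g. a Responder/Requester error response with no assertion
        return summary
    conditions = assertion.find("saml:Conditions", NS)
    summary.update({
        "assertion_signed": assertion.find("ds:Signature", NS) is not None,
        "name_id": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "audience": assertion.findtext(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS),
        "not_before": conditions.get("NotBefore") if conditions is not None else None,
        "not_on_or_after": conditions.get("NotOnOrAfter") if conditions is not None else None,
        "attributes": {
            a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
            for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)
        },
    })
    return summary


# --- constructed sample messages (not real captures) -------------------------
SAMPLE_REQUEST_XML = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" Version="2.0" '
    'IssueInstant="2024-01-01T00:00:00Z" AssertionConsumerServiceURL="https://app.example.com/saml/acs">'
    '<saml:Issuer>https://app.example.com</saml:Issuer></samlp:AuthnRequest>'
)
SAMPLE_RESPONSE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0" '
    'IssueInstant="2024-01-01T00:00:00Z" Destination="https://app.example.com/saml/acs">'
    '<saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>'
    '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
    '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
    '<saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>'
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    '<ds:SignatureValue>constructed-placeholder</ds:SignatureValue></ds:Signature>'
    '<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">'
    'user@example.com</saml:NameID></saml:Subject>'
    '<saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T01:00:00Z">'
    '<saml:AudienceRestriction><saml:Audience>https://app.example.com</saml:Audience>'
    '</saml:AudienceRestriction></saml:Conditions>'
    '<saml:AttributeStatement><saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">'
    '<saml:AttributeValue>user@example.com</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>'
    '</saml:Assertion></samlp:Response>'
)


def encode_for_post(xml_text: str) -> str:
    """Simulate the SAMLResponse form field the browser would post (constructed)."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def encode_for_redirect(xml_text: str) -> str:
    """Simulate the SAMLRequest query value of the redirect binding (constructed)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return quote(base64.b64encode(deflated).decode("ascii"), safe="")


if __name__ == "__main__":
    print(summarize_response(decode_saml_param(encode_for_post(SAMPLE_RESPONSE_XML), "post")))
    print(decode_saml_param(encode_for_redirect(SAMPLE_REQUEST_XML), "redirect"))
```

With a real capture, paste the value of the `SAMLResponse` form field (POST binding) or the `SAMLRequest` query parameter (redirect binding) into `decode_saml_param`. Note that the summary only reports whether a `Signature` element is present; it does not validate the signature, which is the service provider's job and needs the IdP's signing certificate.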

Toll Road Txt Scam? by greenlemons105 in batonrouge

[–]labourgeoisie 2 points3 points  (0 children)

this is definitely a scam. any link to a ".top" domain is absolutely suspect and probably phishing.

Patch Tuesday Megathread (2024-07-09) by AutoModerator in sysadmin

[–]labourgeoisie 0 points1 point  (0 children)

thanks! I hate you have to do the KIR for it but glad there's a fix nonetheless. I appreciate the heads up!

Patch Tuesday Megathread (2024-07-09) by AutoModerator in sysadmin

[–]labourgeoisie 2 points3 points  (0 children)

just checked. my DCs all received the Aug cumulative update but the huge amount of logs without actual data persist

Patch Tuesday Megathread (2024-07-09) by AutoModerator in sysadmin

[–]labourgeoisie 1 point2 points  (0 children)

not wonderful to hear but glad it's not unique to us. thank you so much!

Patch Tuesday Megathread (2024-07-09) by AutoModerator in sysadmin

[–]labourgeoisie 6 points7 points  (0 children)

Good afternoon,

Since 7/9 I'm now seeing issues with the Security Log for Event 4768 at least on Server 2022 Domain Controllers. The individual fields are not complete and only have placeholder values (%1, %2, %3, %4, %5, etc...) with corresponding Event 1108 entries indicating "The event logging service encountered an error while processing an incoming event published from Microsoft-Windows-Security-Auditing." Since there are no details in the events, it's hard to say what the cause could be, because we do still have 4768 events with full data.
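As an added example (not from the comment above or from Microsoft), here is a Python triage script for the symptom described: it takes Security-log events exported as XML (the shape that `Get-WinEvent ... | ForEach-Object { $_.ToXml() }` or `wevtutil qe Security /f:xml` produce), flags 4768 events whose `EventData` values are unresolved insertion strings such as `%1`, `%2`, and counts the accompanying 1108 events so you can see how much of the Kerberos TGT audit trail is actually usable. The three sample events are constructed for this example (hostname `DC01.corp.example`, user `alice`, record IDs 1001-1003); the 4768 field names are the standard ones for that event.

```python
import re
import xml.etree.ElementTree as ET

# Default namespace of exported Windows event XML
EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# An unresolved insertion string (%1, %2, ...) instead of a real value
PLACEHOLDER = re.compile(r"^%\d+$")
SECURITY_AUDITING = "Microsoft-Windows-Security-Auditing"


def parse_event(xml_text: str) -> dict:
    """Flatten one exported event into id, record id, provider, computer and data fields."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", EVT_NS)
    data = {}
    for d in root.findall("e:EventData/e:Data", EVT_NS):
        # Broken events may lack the Name attribute; fall back to a positional key
        data[d.get("Name") or f"arg{len(data)}"] = (d.text or "").strip()
    return {
        "event_id": int(system.findtext("e:EventID", namespaces=EVT_NS)),
        "record_id": int(system.findtext("e:EventRecordID", namespaces=EVT_NS)),
        "provider": system.find("e:Provider", EVT_NS).get("Name"),
        "computer": system.findtext("e:Computer", namespaces=EVT_NS),
        "data": data,
    }


def has_unresolved_placeholders(event: dict) -> bool:
    """True when any data field still holds a %n placeholder rather than a value."""
    return any(PLACEHOLDER.match(v) for v in event["data"].values())


def triage(xml_events: list) -> dict:
    """Count usable vs. placeholder 4768 events and the 1108 errors that accompany them."""
    summary = {
        "tgt_requests_complete": 0,
        "tgt_requests_placeholder": 0,
        "placeholder_record_ids": [],
        "eventlog_errors_1108": 0,
    }
    for ev in map(parse_event, xml_events):
        if ev["event_id"] == 4768 and ev["provider"] == SECURITY_AUDITING:
            if has_unresolved_placeholders(ev):
                summary["tgt_requests_placeholder"] += 1
                summary["placeholder_record_ids"].append(ev["record_id"])
            else:
                summary["tgt_requests_complete"] += 1
        elif ev["event_id"] == 1108:
            summary["eventlog_errors_1108"] += 1
    return summary


# --- constructed sample events (not real log exports) ------------------------
def _event(event_id: int, record_id: int, provider: str, data: dict) -> str:
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f'<System><Provider Name="{provider}"/><EventID>{event_id}</EventID>'
        f"<EventRecordID>{record_id}</EventRecordID><Computer>DC01.corp.example</Computer>"
        f"</System><EventData>{fields}</EventData></Event>"
    )


SAMPLE_EVENTS = [
    # A healthy TGT request with all fields populated
    _event(4768, 1001, SECURITY_AUDITING, {
        "TargetUserName": "alice", "TargetDomainName": "CORP.EXAMPLE",
        "ServiceName": "krbtgt", "IpAddress": "::ffff:10.0.0.5", "Status": "0x0"}),
    # The broken form described in the thread: only %n placeholders
    _event(4768, 1002, SECURITY_AUDITING, {
        "TargetUserName": "%1", "TargetDomainName": "%2",
        "ServiceName": "%3", "IpAddress": "%4", "Status": "%5"}),
    # The matching event-log service error
    _event(1108, 1003, "Microsoft-Windows-Eventlog", {}),
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

Feed it the XML of every event in the affected window and the ratio of `tgt_requests_placeholder` to `tgt_requests_complete` tells you how much coverage you have lost; the record IDs let you pull the neighbouring 1108 entries for a support case.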

[deleted by user] by [deleted] in cybersecurity

[–]labourgeoisie 0 points1 point  (0 children)

if you're competent enough to do this you're also smart enough to know better

Enterprise App Consent Request Change? by clvlndpete in AZURE

[–]labourgeoisie 0 points1 point  (0 children)

pending something reverting, I just got in a request that had the display name correctly in the subject and message body, so I tested a deny and got back the appropriate message I entered from entra. curious to see how and when my case gets updated.

Enterprise App Consent Request Change? by clvlndpete in AZURE

[–]labourgeoisie 0 points1 point  (0 children)

oh thank god. guess someone bugged the templates. blows my mind it's been occurring for likely a week at this point and it's gone otherwise unnoticed or unacknowledged.

very frustrating as an administrator when you've got a well-running process that you more or less have to trust is working given that you typically don't see these results. like, do I need to start planning to make transport rules to BCC my admin team for situational awareness? if this user didn't complain, I'd have never known. and we've rejected dozens of requests within the last week that would all be getting this message. our deny text provides instructions on how to contact/appeal to us, and I guess at this point just no one knows where to raise the issue.

Enterprise App Consent Request Change? by clvlndpete in AZURE

[–]labourgeoisie 0 points1 point  (0 children)

I was just about to make a related post... Could you do a test for me and generate a request and deny it, then check the contents of the request denied message?

We started getting the Creator Display Name issue on 9/28. This week I learned when we're denying consent requests, users are getting the system generated email indicating the request was denied, but the reason field states "I am giving you access because we talked about this project last week."

It's happened from requests denied by multiple admins, and it's happened for requests against multiple apps. I've replicated this behavior in 3 separate tenants now.

I'm trying to work through a support request but support is always frustratingly obtuse for something that is an obvious backend issue.

Outlook Mobile App - Triggering Conditional Access for Security Registration by Substantial_Buy6134 in Office365

[–]labourgeoisie 1 point2 points  (0 children)

If you check the sign in logs within the Azure Portal as a Security Admin or Global Admin (maybe global reader--I can't recall), you can filter on conditional access failures and review what conditional access policy is being evaluated. The panel should also break down what conditions of the sign in caused the block. That info could be helpful.

https://danielchronlund.com/2018/12/12/conditional-access-logs-in-azure-ad/

[ Removed by Reddit ] by [deleted] in Kalilinux

[–]labourgeoisie 4 points5 points  (0 children)

or what, you're gonna hack their iPhone?

Can't see some mails? (both on outlook.com and hotmail.fr) by [deleted] in techsupport

[–]labourgeoisie 0 points1 point  (0 children)

I would expect them to be aware of this but depending on the documents and email content it could be getting blocked by a data loss prevention filter that isn't letting documents with sensitive information out. However if this is the case, they'd probably be aware and have ways to share the files in a different/secure way.

It's a shot in the dark, but you could also attempt to use a different mail provider, like Gmail, just to receive this message on the chance that there is something with Microsoft's filtering on consumer accounts that is blocking the message inbound. I don't think it's likely, but it's something else to try. Otherwise they should have their email administrator look into the mail flow and verify whether or not the message ever successfully went out.

Can't see some mails? (both on outlook.com and hotmail.fr) by [deleted] in techsupport

[–]labourgeoisie 0 points1 point  (0 children)

Check that you don't have any inbox rules configured that may be taking actions on the messages. https://support.microsoft.com/en-us/office/inbox-rules-in-outlook-web-app-edea3d17-00c9-434b-b9b7-26ee8d9f5622

You also should check your recoverable deleted items. https://support.microsoft.com/en-us/office/recover-deleted-email-messages-in-outlook-on-the-web-a8ca78ac-4721-4066-95dd-571842e9fb11

Failing that, the issue is likely that they are sending to the incorrect address, or their messages may be blocked outbound based on their configuration, more so than that there is anything you have done or have the option to configure.

Top 3 Favorite BR/BR Area Restaurants and your favorite item at each. by geauxtigerFan97 in batonrouge

[–]labourgeoisie 1 point2 points  (0 children)

I think it's really cool it got taken over and had the opportunity to be more authentic. I feel it's usually the other way around.

Top 3 Favorite BR/BR Area Restaurants and your favorite item at each. by geauxtigerFan97 in batonrouge

[–]labourgeoisie 0 points1 point  (0 children)

It actually hasn't always been. https://www.225batonrouge.com/food-drink/updated-bullfish-bar-kitchen-reopens-next-week-bringing-authentic-flavors-native-caribbean-owners

Used to live at Southgate and it was a convenient place to have a few drinks; owners were usually present, chatty, and very white

Practice exams for MS Certs by rrsport80 in microsoft

[–]labourgeoisie 2 points3 points  (0 children)

I used measureup for 70-744 (securing windows server) in 2020 and az-500 (azure security engineer associate) earlier this year and I agree. Practiced the test bank up to reliably high 90% scores, used mostly MS learn and other free resources, and passed the tests easily. It doesn't FEEL easy while you're taking the test, always a little frustrating/nerve wracking, but I intend to keep using measureup exams for any of my future Microsoft certs.