
🌱 Solution 1 - AzureAD

Trouble validating with Azure AD Groups.

  1. Ensure you are using the correct AOD configuration, that it is set up with the correct Azure groups, and that you validate with the correct Azure user.

  2. Make sure that the CapaOne Azure AD Integration is configured correctly. CapaOne Azure AD Integration | How to

  3. Inspect the log file AdminOnDemand.log (found in C:\ProgramData\CapaSystems\COA\Logs).

    1. Example validation result (AdminOnDemand.log):

```text
AzureAD\Simon is denied permission to elevate a session on client8 via the 'STH - Azure Test' configuration. Removing the 'Start' button: 
- No local security group has been configured
- AzureAD\Simon is NOT member of the AD group 'domain users'
- sth@capa.one is NOT member of the Azure group 'STH_Azure'
- sth@capa.one is NOT member of the Azure group 'Test af æøå og mellemrum'
```
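When the log is large, pulling out the denial entries for one user and their reasons is quicker than reading it by hand. The script below is an added example, not CapaSystems code: it parses the denial format shown above (one "is denied permission" line followed by one "- reason" line per failed check, as in the excerpt; a timestamp prefix on the first line is tolerated), and falls back to a constructed sample copied from that excerpt when the log file is not present on the machine. `Get-AodDenials` is a name chosen here.

```powershell
# Added example (not CapaSystems code): list "denied permission" entries in AdminOnDemand.log.
# Log path is the one given on this page.
$LogPath = 'C:\ProgramData\CapaSystems\COA\Logs\AdminOnDemand.log'

function Get-AodDenials {
    param(
        [Parameter(Mandatory)] [string[]] $Lines,
        [string] $User   # optional filter, e.g. 'AzureAD\Simon'
    )
    $results = @()
    $current = $null
    foreach ($line in $Lines) {
        # Header line of a denial. Assumed shape, taken from the excerpt above; not anchored at
        # the start of the line so a leading timestamp does not break the match.
        if ($line -match "(?<user>\S+) is denied permission to elevate a session on (?<client>\S+) via the '(?<cfg>[^']+)' configuration") {
            if ($current) { $results += $current }
            $current = [pscustomobject]@{
                User          = $Matches.user
                Client        = $Matches.client
                Configuration = $Matches.cfg
                Reasons       = @()
            }
        }
        # Reason lines follow the header, one per group check that failed.
        elseif ($current -and $line -match '^\s*-\s*(?<reason>.+)$') {
            $current.Reasons += $Matches.reason.Trim()
        }
        # A blank line (or any other line) closes the entry.
        elseif ($current) {
            $results += $current
            $current = $null
        }
    }
    if ($current) { $results += $current }
    if ($User) { $results = @($results | Where-Object { $_.User -eq $User }) }
    return $results
}

# Constructed sample, copied from the page's excerpt, used when the real log is absent.
$sample = @(
    "AzureAD\Simon is denied permission to elevate a session on client8 via the 'STH - Azure Test' configuration. Removing the 'Start' button: ",
    '- No local security group has been configured',
    "- AzureAD\Simon is NOT member of the AD group 'domain users'",
    "- sth@capa.one is NOT member of the Azure group 'STH_Azure'",
    ''
)

$lines   = if (Test-Path $LogPath) { Get-Content $LogPath } else { $sample }
$denials = Get-AodDenials -Lines $lines

foreach ($d in $denials) {
    "{0} denied on {1} via '{2}':" -f $d.User, $d.Client, $d.Configuration
    $d.Reasons | ForEach-Object { "    $_" }
}
```

Pass `-User 'AzureAD\Simon'` to restrict the output to one account; each reason line names the exact group the user was checked against, which is usually enough to tell whether the configuration or the group membership is wrong.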

Run the commands below in a regular PowerShell.

  1. Display the current/available Azure contexts. Use this to check which user contexts exist on the device. If no context, or the wrong user's context, is shown, this may be the cause of the problem.

```powershell
Get-AzContext -ListAvailable
```

  2. Clear the current context. If the wrong user is listed, this removes it.

```powershell
Clear-AzContext -Scope CurrentUser -Force
```

  3. Find the current user.

```powershell
whoami /upn
```

  4. Display the device state. If the device is not AzureAdJoined, EnterpriseJoined or WorkplaceJoined, it might not prompt the user for Azure login.

```powershell
dsregcmd /status
```

  5. Check the Work or School user. Open Windows Settings, click Accounts on the left and then click Access work or school. If no user is shown, no user is connected.

  6. Use the "Sign-in Diagnostic" tool in the Azure portal to see the user's sign-in events. This might give a hint as to why AOD Azure validation is failing.

    1. Log in to the Azure portal and select Microsoft Entra ID

    2. Click on Diagnose and solve problems in the left menu

    3. Click on the Troubleshoot text in the Sign-in Diagnostic box

    4. Click on All Sign-In Events, now search for the user who has trouble with AOD, and look at the sign-in events

Validating with Azure Groups when offline

Here are three scenarios you could run into where you will use Offline Validating.

  1. Azure login is down

    1. No Microsoft login will be shown; instead, it uses WHOAMI /UPN to determine the user.

    2. It will still be looking up AzureGroups from CapaOne.

  2. CapaOne is down

    1. It will get the UPN when you log in via the Microsoft login window.

    2. It will then use the cache file to match the UPN.

  3. Azure login and CapaOne are down (offline)

    1. Again, no Microsoft login will be shown. Instead, it uses WHOAMI /UPN to determine the user.

    2. Again, it will then use the cache file to match the UPN.

This is a potential failure point if the Azure UPN and the Windows UPN are different: AOD would either request groups for the wrong UPN or look up the wrong cache file.
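The checks from the PowerShell steps above (Azure contexts, current user, device join state) can be gathered in one pass and compared, which also surfaces the Windows-versus-Azure UPN mismatch this section warns about before it bites in an offline scenario. The script is an added example, not CapaSystems code: `Get-AodIdentityState` is a name chosen here; the `dsregcmd /status` keys it reads (AzureAdJoined, EnterpriseJoined, WorkplaceJoined, AzureAdPrt) are from that tool's output; `Get-AzContext` needs the Az.Accounts module and is skipped when it is not installed.

```powershell
# Added example (not CapaSystems code): collect the identity signals AOD relies on and
# flag conditions this page names as causes of failed Azure validation.
function Get-AodIdentityState {
    [CmdletBinding()]
    param()

    # Windows UPN, as the offline path determines the user (whoami /upn).
    # On a non-domain account whoami writes an error to stderr and prints nothing.
    $windowsUpn = & whoami.exe /upn 2>$null | Select-Object -First 1
    if ($windowsUpn) { $windowsUpn = $windowsUpn.Trim() }

    # Device join state from dsregcmd /status; lines look like "AzureAdJoined : YES".
    $dsreg = & dsregcmd.exe /status 2>$null
    $join = @{}
    foreach ($key in 'AzureAdJoined', 'EnterpriseJoined', 'WorkplaceJoined', 'AzureAdPrt') {
        $line = $dsreg | Where-Object { $_ -match "^\s*$key\s*:\s*\S+" } | Select-Object -First 1
        $join[$key] = if ($line) { ($line -split ':', 2)[1].Trim() } else { 'UNKNOWN' }
    }

    # Azure account contexts cached for this user (Az.Accounts module, if present).
    $azureUpns = @()
    if (Get-Command Get-AzContext -ErrorAction SilentlyContinue) {
        $azureUpns = @(Get-AzContext -ListAvailable -ErrorAction SilentlyContinue |
            ForEach-Object { $_.Account.Id } | Where-Object { $_ })
    }

    $isJoined = ($join['AzureAdJoined'] -eq 'YES') -or
                ($join['EnterpriseJoined'] -eq 'YES') -or
                ($join['WorkplaceJoined'] -eq 'YES')

    # -notcontains compares case-insensitively, so only a genuinely different UPN is flagged.
    $upnMismatch = ($azureUpns.Count -gt 0) -and ($azureUpns -notcontains $windowsUpn)

    [pscustomobject]@{
        WindowsUpn    = $windowsUpn
        AzureContexts = $azureUpns
        JoinState     = $join
        IsJoined      = $isJoined
        UpnMismatch   = $upnMismatch
        Findings      = @(
            if (-not $isJoined) {
                'Device is not AzureAdJoined/EnterpriseJoined/WorkplaceJoined; the Azure login prompt may not appear.'
            }
            if ($azureUpns.Count -eq 0) {
                'No Azure context is cached; check Settings > Accounts > Access work or school for a connected user.'
            }
            if ($upnMismatch) {
                "Windows UPN '$windowsUpn' matches none of the cached Azure accounts; offline validation would use the wrong UPN."
            }
        )
    }
}

Get-AodIdentityState | Format-List
```

Run it in a regular PowerShell as the affected user. An empty `Findings` list means the device is joined, a context for the signed-in user exists, and the two UPNs agree; any remaining denial is then down to the configuration or the group memberships listed in AdminOnDemand.log.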

🌱 Solution 2 - Missing Privileges