Troubleshooting CapaOne AdminOnDemand
Problem
Solution 1 - AzureAD
Trouble validating with Azure AD Groups.
Ensure you are using the correct AOD configuration, set up with the correct Azure groups, and validate with the correct Azure user.
Make sure that the CapaOne Azure AD Integration is configured correctly (see the guide CapaOne Azure AD Integration | How to).
Inspect logfile AdminOnDemand.log (The log file can be found in C:\ProgramData\CapaSystems\COA\Logs)
Validation result (example entry from AdminOnDemand.log):
AzureAD\Simon is denied permission to elevate a session on client8 via the 'STH - Azure Test' configuration. Removing the 'Start' button:
- No local security group has been configured
- AzureAD\Simon is NOT member of the AD group 'domain users'
- sth@capa.one is NOT member of the Azure group 'STH_Azure'
- sth@capa.one is NOT member of the Azure group 'Test af æøå og mellemrum'
Run the commands below in a regular PowerShell.
Display the current and available Azure contexts. Use this to check the contexts of the users on the device. If no context, or the wrong user context, is shown, this can cause a problem.
Get-AzContext -ListAvailable
Clear the current context. If the wrong user is listed, this will clear it.
Clear-AzContext -Scope CurrentUser -Force;
Find the Current User.
Display the device state. If the device is not AzureAdJoined/EnterpriseJoined or WorkplaceJoined, it might not prompt the user for Azure login.
Check the Work or School user. Open Windows Settings, click Accounts on the left and then click Access work or school. If no user is shown, then no user is connected.
Use the "Sign-in Diagnostic" tool in the Azure portal to see the user's sign-in events. This might give a hint as to why the AOD Azure validation is failing.
Log in to the Azure portal and select Microsoft Entra ID
Click on Diagnose and solve problems in the left menu
Click on the Troubleshoot text in the Sign-in Diagnostic box
Click on All Sign-In Events, now search for the user who has trouble with AOD, and look at the sign-in events
Validating with Azure Groups when offline
Here are three scenarios you could run into where you will use Offline Validating.
Azure login is down
No Microsoft login will be shown; instead, WHOAMI /UPN is used to determine the user.
The Azure groups will still be looked up from CapaOne.
CapaOne is down
It will get the UPN when you log in via the Microsoft login window.
It will then use the cache file to match the UPN.
Azure login and CapaOne are down (offline)
Again, no Microsoft login will be shown. Instead, WHOAMI /UPN is used to determine the user.
Again, the cache file is then used to match the UPN.
This is a potential failure point if the Azure UPN and the Windows UPN are different: groups would be requested for the wrong UPN, or the wrong cache file would be looked up.
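The checks listed above (cached Az contexts, the Windows UPN that WHOAMI /UPN returns, the device join state, and the recent denial entries in AdminOnDemand.log) can be collected in one run. The script below is an added example written for this page; it is not part of the CapaSystems documentation or the AdminOnDemand product. It assumes the Az PowerShell module is installed and that dsregcmd.exe is available (standard on Windows 10/11). The function name Test-AodAzureValidation and the finding texts are this example's own. It also flags the offline failure case described above, where the Windows UPN differs from the UPN of the cached Azure login.

```powershell
# Added diagnostic example (hypothetical helper, not CapaSystems code).
# Requires the Az module (Get-AzContext) and dsregcmd.exe.
function Test-AodAzureValidation {
    $report = [ordered]@{ Findings = @() }

    # 1. Windows UPN: what AOD falls back to (WHOAMI /UPN) when Azure login is unreachable.
    #    whoami exits non-zero for a local account that has no UPN.
    $windowsUpn = & whoami.exe /upn 2>$null | Select-Object -First 1
    if ($LASTEXITCODE -ne 0 -or [string]::IsNullOrWhiteSpace($windowsUpn)) { $windowsUpn = $null }
    $report['WindowsUpn'] = $windowsUpn
    if (-not $windowsUpn) {
        $report.Findings += 'No Windows UPN: offline validation (WHOAMI /UPN) cannot identify the user.'
    }

    # 2. Az contexts cached for the current user (same data as Get-AzContext -ListAvailable).
    $contexts   = @(Get-AzContext -ListAvailable -ErrorAction SilentlyContinue)
    $azAccounts = @($contexts | ForEach-Object { $_.Account.Id } | Where-Object { $_ })
    $report['AzContexts'] = $azAccounts
    if ($azAccounts.Count -eq 0) {
        $report.Findings += 'No Az context cached for this user; check the Azure login / Access work or school.'
    }
    elseif ($windowsUpn -and -not ($azAccounts | Where-Object { $_ -ieq $windowsUpn })) {
        # This is the failure case for the offline scenarios: the UPN used offline
        # differs from the UPN the Azure login uses, so groups/cache are looked up for the wrong user.
        $report.Findings += "UPN mismatch: Windows UPN '$windowsUpn' does not match any cached Azure account ($($azAccounts -join ', '))."
    }

    # 3. Device join state from dsregcmd /status (AzureAdJoined / EnterpriseJoined / WorkplaceJoined).
    $dsreg = & dsregcmd.exe /status 2>$null
    $joinState = [ordered]@{}
    foreach ($key in 'AzureAdJoined', 'EnterpriseJoined', 'DomainJoined', 'WorkplaceJoined') {
        $m = $dsreg | Select-String -Pattern "^\s*$key\s*:\s*(\S+)" | Select-Object -First 1
        $joinState[$key] = if ($m) { $m.Matches[0].Groups[1].Value } else { 'unknown' }
    }
    $report['JoinState'] = $joinState
    $joined = @('AzureAdJoined', 'EnterpriseJoined', 'WorkplaceJoined') | Where-Object { $joinState[$_] -eq 'YES' }
    if ($joined.Count -eq 0) {
        $report.Findings += 'Device is not AzureAdJoined, EnterpriseJoined or WorkplaceJoined; the Azure login prompt may not appear.'
    }

    # 4. Most recent denial entries from the AOD log (path from the documentation above).
    $logPath = Join-Path $env:ProgramData 'CapaSystems\COA\Logs\AdminOnDemand.log'
    if (Test-Path $logPath) {
        $report['RecentDenials'] = @(Get-Content $logPath -Tail 200 |
            Select-String -SimpleMatch 'is denied permission to elevate' |
            Select-Object -Last 3 | ForEach-Object { $_.Line })
    }
    else {
        $report.Findings += "Log file not found at $logPath."
    }

    return [pscustomobject]$report
}

# Usage: run in a regular (non-elevated) PowerShell as the affected user.
$result = Test-AodAzureValidation
$result | Format-List
if ($result.Findings.Count -eq 0) { 'No obvious validation problems found.' }
```

Run it as the user who cannot elevate, not from an elevated prompt, because the cached Az contexts and the Windows UPN belong to the logged-on user profile. The Findings list maps each result back to the checks above; an empty list means the local side looks correct and the Sign-in Diagnostic in the Azure portal is the next place to look.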
Solution 2 - Missing Privileges
This applies if you have created a process evaluation rule and linked the configuration to the endpoint, but still get errors.
AOD Configuration Validation Steps
Use a Validation Method:
Navigate to the Validation section within the AOD Configuration.
Select and utilize one of the available validation methods.
Verify Endpoint Configuration:
Ensure that the Endpoint has a Configuration assigned.
Confirm that the assigned configuration is marked with a green checkmark.
Instruct User to Refresh Session:
If the configuration is assigned and shows a green checkmark, ask the user to:
Log out of their account.
Log back in to apply the changes.