Passport Troubleshooting with Microsoft Entra ID (formerly Azure AD)

By Nick Bickhart

Learn common troubleshooting techniques to use when experiencing issues with Passport & Microsoft Entra ID

Note: Microsoft Entra ID is the new name for Azure AD (Azure Active Directory).

When logging in at the Passport Login Window, the full email address should always be used in the username field to ensure the authentication session is connected to the IdP and not local authentication. To avoid confusion with using email addresses at the FileVault Login Window, ensure that the Managed user visibility box is unchecked on the Login Window Library Item. You can read more about this in our Passport Compatibility article.

Kandji Passport Diagnostics

If a user can't log in at the Passport login window, you can bring up Kandji Passport Diagnostics by pressing Command-Shift-K-L on the keyboard. You will see helpful information, such as error messages from your IdP.

Network Connectivity

Passport requires network connectivity to check user credentials against the IdP. When customizing the login window in Passport, show the network manager so users can join a Wi-Fi network as necessary. The network manager respects AirPort security settings in macOS.

In order to contact the IdP, Passport needs network connectivity. It is common for people to use a portable Mac in various locations that provide a Wi-Fi network the Mac has not yet joined. Passport displays a Wi-Fi icon in the upper-right corner of the screen; click it to join a network that can be joined with a password alone. At this time, Passport does not support networks that use a captive portal or click-through authentication, or enterprise networks that require a username and password for 802.1X authentication. On such a network the IdP is unreachable, and the user will need to join a supported network (or fall back to the local account, if one exists) before Passport can authenticate.

Common Microsoft Entra ID errors

To look up any Microsoft Entra ID error code (they start with AADSTS), consult Microsoft's authentication and authorization error codes reference. The code is the first thing to copy out of the Kandji Passport Diagnostics window, since the surrounding message text varies while the code does not.

AADSTS50076

  • Microsoft Entra ID Message: Due to a configuration change made by your administrator or because you moved to a new location, you must use multi-factor authentication to access '{resource}' - User needs to perform multi-factor authentication. There could be multiple things requiring multi-factor, e.g. Conditional Access policies, per-user enforcement, and requested by client, among others.
  • Remediation: Review the Multi-factor Authentication (MFA) Considerations section in the Passport support article and ensure that no Conditional Access policy or per-user MFA setting requires multi-factor authentication for the Passport enterprise app in your Microsoft Entra ID environment.

AADSTS50020

  • Microsoft Entra ID Message: User account <user principal name> from identity provider <your Microsoft Entra tenant ID> does not exist in tenant <your tenant name> and cannot access the application <your Passport Application (client) ID> in that tenant. The account needs to be added as an external user in the tenant first.
  • Remediation: In the Microsoft Entra admin center > Users > All users, confirm that the user exists in the tenant that holds the Passport app registration (not only in another tenant the user signs in to), and that the user typed the UPN for that tenant at the login window.

AADSTS50034

  • Microsoft Entra ID Message: The user account <user principal name without the @sign and domain> does not exist in <your tenant name> directory.
  • Remediation: In order to use Passport with MFA support, a user in Microsoft Entra ID must have an Email attribute (the mail property). If the user does not have an Email attribute, the user will be able to authenticate with MFA in the web view for Microsoft Entra ID but will not be able to successfully authenticate at the "Enter your Microsoft Entra ID password" verification screen. In the Microsoft Entra admin center > Users > All users, select the user, click Edit properties, enter the user's email address in the Email field, and click Save. You must add a value, even if it is not an address that accepts email; it is common to use the same value as the user's User principal name.

AADSTS50126

  • Microsoft Entra ID Message: InvalidUserNameOrPassword - Error validating credentials due to invalid username or password. The user didn't enter the right credentials.  It's expected to see some number of these errors in your logs due to users making mistakes.
  • Remediation: This is a very generic Microsoft Entra ID error message. In the context of Passport, there have been a few scenarios where this error has been seen.
    • It is possible that the username or password is, in fact, incorrect.
    • It is possible that Microsoft Entra ID is federated with AD FS or another Identity Provider. This will cause the authentication flow to result in an error being sent to Passport. See the Authentication Flow in a Federated Environment section of this article for more information.

AADSTS700025

  • Microsoft Entra ID Message: Client is public so neither ‘client_assertion’ nor ‘client_secret’ should be presented.
  • Remediation: In the Entra admin center > Applications > App registrations > All applications > [your Passport app] > Authentication > Platform configurations > Mobile and desktop applications, ensure that the Redirect URIs section has the checkbox selected for https://login.microsoftonline.com/common/oauth2/nativeclient. Navigate to Certificates & secrets and remove the Client secret. In Kandji, confirm that in your Passport library item, the Client secret (optional) field is empty. Passport is registered as a mobile and desktop application, which makes it an OAuth public client; Entra rejects a client_secret presented by a public client, and a secret pushed to every enrolled Mac could not be kept confidential in any case, so removing it is the correct configuration rather than a workaround.

AADSTS7000215

  • Microsoft Entra ID Message: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value.
  • Remediation: In the Entra admin center > Applications > App registrations > [your Passport app] > Authentication > Platform configurations > Mobile and desktop applications, ensure that the Redirect URIs section has the checkbox selected for https://login.microsoftonline.com/common/oauth2/nativeclient. Navigate to Certificates & secrets and remove the Client secret. In Kandji, confirm that in your Passport library item, the Client secret (optional) field is empty.

AADSTS50079

  • Microsoft Entra ID Message: Due to a configuration change made by your administrator, or because you moved to a new location, you must enroll in multi-factor authentication to access '{identifier}'.
  • Remediation: If you are using Mac Login for Passport Authentication, it’s possible that the user has legacy per-user MFA enabled. Either a managed user needs to register security info to complete multi-factor authentication, or a federated user needs to get the multi-factor claim from the federated identity provider. There could be multiple things requiring multi-factor, e.g. Conditional Access policies, per-user enforcement, requested by client, among others.

Ticket decode failed

  • Passport Message: Ticket decode failed, or Failed to login with possible error: Unknown
  • Remediation: This is typically an issue with the optional client secret. For troubleshooting purposes, completely remove the optional client secret from the Passport library item and make sure the device checks in. After it has checked in, log out of the local user and log back in with Passport. This error can also be caused by a network condition, such as a captive portal that Passport cannot pass through (see Network Connectivity above). To rule that out, connect to a mobile hotspot and check whether the error is still present.

An error occurred fetching user info: No key was found matching "givenName"

  • Passport Message: An error occurred fetching user info: No key was found matching "givenName"
  • Remediation: In the Microsoft Entra admin center > Identity > Users > All users, select the user who is logging in, click Edit properties, and verify that the First name property is populated. Passport reads the user's first name (the givenName attribute) when building the local account, so an empty value stops the login.
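Several of the errors above (AADSTS50034, AADSTS700025, AADSTS7000215 and the givenName error) come down to a handful of tenant settings that can be checked before a user ever reaches the login window. The script below is an added example, not Kandji or Microsoft code: it pulls AADSTS codes out of diagnostics text and runs the user-attribute and app-registration checks this article describes over dictionaries shaped like Microsoft Graph user and application objects. The sample objects are constructed placeholders; with a real tenant you would pass in the JSON from GET /v1.0/users/{upn}?$select=userPrincipalName,mail,givenName and each element of the value array from GET /v1.0/applications?$filter=appId eq '{client-id}', fetched with whatever Graph tooling you already use. No network calls are made.

```python
"""Preflight checks for the Entra ID conditions behind the Passport errors above.

Added example, not Kandji or Microsoft code. Works on plain dictionaries shaped
like Microsoft Graph user and application objects; the sample objects at the
bottom are constructed placeholders.
"""
from __future__ import annotations

import re

# Redirect URI the article requires on the Mobile and desktop applications platform.
NATIVE_CLIENT_REDIRECT = "https://login.microsoftonline.com/common/oauth2/nativeclient"

AADSTS_RE = re.compile(r"AADSTS\d+")


def aadsts_codes(diagnostics_text: str) -> list[str]:
    """Return the distinct AADSTS codes found in Kandji Passport Diagnostics text."""
    return sorted(set(AADSTS_RE.findall(diagnostics_text)))


def check_user(user: dict) -> list[str]:
    """Findings for a Graph user object: the attributes that AADSTS50034 and the
    'No key was found matching "givenName"' error depend on."""
    upn = user.get("userPrincipalName", "<unknown user>")
    findings: list[str] = []
    if not user.get("mail"):
        findings.append(f"{upn}: Email (mail) is empty; the Passport password "
                        "verification step will fail (AADSTS50034).")
    if not user.get("givenName"):
        findings.append(f"{upn}: First name (givenName) is empty; the Passport "
                        "user-info fetch will fail.")
    return findings


def check_app_registration(app: dict) -> list[str]:
    """Findings for a Graph application object: the public-client settings that
    AADSTS700025 and AADSTS7000215 depend on."""
    name = app.get("displayName", "<unknown app>")
    findings: list[str] = []
    secrets = app.get("passwordCredentials") or []
    if secrets:
        findings.append(f"{name}: {len(secrets)} client secret(s) registered; a public "
                        "(desktop) client must not present one. Delete them and clear "
                        "the Client secret field in the Passport library item.")
    uris = (app.get("publicClient") or {}).get("redirectUris") or []
    if NATIVE_CLIENT_REDIRECT not in uris:
        findings.append(f"{name}: Mobile and desktop applications platform is missing "
                        f"the redirect URI {NATIVE_CLIENT_REDIRECT}.")
    return findings


# Constructed sample objects; every GUID, name and message here is a placeholder.
SAMPLE_USER = {"userPrincipalName": "jdoe@example.com", "mail": None, "givenName": ""}
SAMPLE_APP = {
    "appId": "00000000-0000-0000-0000-000000000000",
    "displayName": "Kandji Passport",
    "publicClient": {"redirectUris": []},
    "passwordCredentials": [{"displayName": "leftover secret"}],
}
SAMPLE_DIAGNOSTICS = (
    "AADSTS7000215: Invalid client secret provided. Ensure the secret being sent "
    "in the request is the client secret value."
)

if __name__ == "__main__":
    for code in aadsts_codes(SAMPLE_DIAGNOSTICS):
        print("IdP error code:", code)
    for finding in check_user(SAMPLE_USER) + check_app_registration(SAMPLE_APP):
        print("FINDING:", finding)
```

Run against the constructed samples it reports one AADSTS code and four findings; a user with mail and givenName set and an app registration with no secrets and the nativeclient redirect URI produce none. Keeping the checks as pure functions over Graph-shaped data means they can be wired into whatever scheduled audit already holds a Graph token, without giving the script credentials of its own.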