Learn common troubleshooting techniques to use when experiencing issues with Passport & Microsoft Azure
Kandji Passport Diagnostics
If a user can't log in at the Passport login window, you can bring up Kandji Passport Diagnostics by pressing Command-Shift-K-L on the keyboard. You will see helpful information, such as error messages from your IdP.
Network Connectivity
Passport requires network connectivity to check user credentials against the IdP. When customizing the login window in Passport, show the network manager so users can join a Wi-Fi network as necessary. The network manager respects AirPort security settings in macOS.
Common Azure errors
To look up any Azure error codes, which typically start with AADSTS, you can use this link.
AADSTS50076
- Azure Message: Due to a configuration change made by your administrator or because you moved to a new location, you must use multi-factor authentication to access '{resource}' - User needs to perform multi-factor authentication. There could be multiple things requiring multi-factor, e.g. Conditional Access policies, per-user enforcement, and requested by client, among others.
- Remediation: Make sure to review the Multi-factor Authentication (MFA) Considerations section in this support article to ensure that Multi-factor Authentication is turned off for the Passport enterprise app in your Azure environment.
AADSTS50020
- Azure Message: User account <user principal name> from identity provider <your Azure Active Directory Tenant ID> does not exist in tenant <your tenant name> and cannot access the application <your Passport Application (client) ID> in that tenant. The account needs to be added as an external user in the tenant first.
- Remediation: In Azure Active Directory > Users, confirm that the user exists.
AADSTS50034
- Azure Message: The user account <user principal name without the @sign and domain> does not exist in <your tenant name> directory.
- Remediation: In order to use Passport with MFA support, a user in Microsoft Azure Active Directory must have an Email attribute. If the user does not have an Email attribute, although the user will be able to authenticate with MFA in the web view for Microsoft Azure, the user will not be able to successfully authenticate at the "Enter your Microsoft Azure password" verification screen. In Azure Active Directory > Users, select the user, click Edit properties, then in the Email field, enter the user’s email address, and click Save. You must add a value, even if this is not an address that accepts email. It’s common to just use the same value as the user’s User principal name.
AADSTS50126
- Azure Message: InvalidUserNameOrPassword - Error validating credentials due to invalid username or password. The user didn't enter the right credentials. It's expected to see some number of these errors in your logs due to users making mistakes.
- Remediation: This is a very generic Azure error message. In the context of Passport, there have been a few scenarios where this error has been seen.
  - It is possible that the username or password is, in fact, incorrect.
  - It is possible that Azure is federated with AD FS or another Identity Provider. This will cause the authentication flow to result in an error being sent to Passport. See the Authentication Flow in a Federated Environment section of this article for more information.
AADSTS700025
- Azure Message: Client is public so neither ‘client_assertion’ nor ‘client_secret’ should be presented.
- Remediation: In Azure > App registrations > [your Passport app] > Authentication > Platform configurations > Mobile and desktop applications, ensure that the Redirect URIs section has the checkbox selected for https://login.microsoftonline.com/common/oauth2/nativeclient. Navigate to Certificates & secrets and remove the Client secret. In Kandji, confirm that in your Passport library item, the Client secret (optional) field is empty.
AADSTS7000215
- Azure Message: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value.
- Remediation: In Azure > App registrations > [your Passport app] > Authentication > Platform configurations > Mobile and desktop applications, ensure that the Redirect URIs section has the checkbox selected for https://login.microsoftonline.com/common/oauth2/nativeclient. Navigate to Certificates & secrets and remove the Client secret. In Kandji, confirm that in your Passport library item, the Client secret (optional) field is empty.
AADSTS50079
- Azure Message: Due to a configuration change made by your administrator, or because you moved to a new location, you must enroll in multi-factor authentication to access '{identifier}'.
- Remediation: If you are using Mac Login for Passport Authentication, it’s possible that the user has legacy per-user MFA enabled. Either a managed user needs to register security info to complete multi-factor authentication, or a federated user needs to get the multi-factor claim from the federated identity provider. There could be multiple things requiring multi-factor, e.g. Conditional Access policies, per-user enforcement, requested by client, among others.
An error occurred fetching user info: No key was found matching "giveName"
- Remediation: In Azure > Azure Active Directory > Users, verify that the user who is logging in has the First name property populated.
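As an added example (not Kandji's or Microsoft's code), a small Python audit that checks exported Azure AD user records for the two attribute gaps this article ties to login failures (missing Email for AADSTS50034, missing First name for the "giveName" user-info error) and pulls the AADSTS code out of an Azure error_description so it can be matched against the list above. The user records are constructed; the field names userPrincipalName, mail and givenName are assumed to be what your Microsoft Graph export uses.

```python
import re
from typing import Dict, List, Optional

# Constructed sample records in the shape of a Graph users export
# (GET /users?$select=userPrincipalName,mail,givenName). Values are made up.
SAMPLE_USERS = [
    {"userPrincipalName": "alice@example.com", "mail": "alice@example.com", "givenName": "Alice"},
    {"userPrincipalName": "bob@example.com", "mail": None, "givenName": "Bob"},
    {"userPrincipalName": "carol@example.com", "mail": "carol@example.com", "givenName": ""},
]

# Azure error_description strings start with the AADSTS code, e.g.
# "AADSTS50076: Due to a configuration change made by your administrator ..."
AADSTS_RE = re.compile(r"\b(AADSTS\d+)\b")


def extract_aadsts_code(error_description: str) -> Optional[str]:
    """Return the AADSTS code from an Azure error_description, or None if absent."""
    match = AADSTS_RE.search(error_description)
    return match.group(1) if match else None


def audit_user(user: Dict) -> List[str]:
    """List the Passport login problems this article associates with empty attributes."""
    findings = []
    if not user.get("mail"):
        # Email attribute is required for the password verification step with MFA.
        findings.append("Email (mail) empty: expect AADSTS50034 at password verification")
    if not user.get("givenName"):
        # First name is required when Passport fetches user info after sign-in.
        findings.append("First name (givenName) empty: expect 'No key was found matching \"giveName\"'")
    return findings


def audit_users(users: List[Dict]) -> Dict[str, List[str]]:
    """Map each user principal name to its findings, omitting users with none."""
    report = {}
    for user in users:
        findings = audit_user(user)
        if findings:
            report[user["userPrincipalName"]] = findings
    return report


if __name__ == "__main__":
    for upn, findings in audit_users(SAMPLE_USERS).items():
        print(upn)
        for finding in findings:
            print("  -", finding)
```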