{"id":3302,"date":"2019-10-08T14:45:25","date_gmt":"2019-10-08T13:45:25","guid":{"rendered":"https:\/\/www.lieben.nu\/liebensraum\/?p=3302"},"modified":"2019-10-08T14:45:25","modified_gmt":"2019-10-08T13:45:25","slug":"hidden-exceptions-to-conditional-access-mfa","status":"publish","type":"post","link":"https:\/\/lieben.nu\/liebensraum\/2019\/10\/hidden-exceptions-to-conditional-access-mfa\/","title":{"rendered":"hidden exceptions to conditional access MFA"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\"><strong>EDIT: <\/strong>this no longer works; the modified request is now rejected with an UnSupportedFirstPartyApplication or ServicePrincipalNotFound error.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">If you set an Intune conditional access policy to require MFA for ALL cloud apps in Azure AD, a new Windows 10 device cannot complete its setup and never becomes usable for the user. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This is because your client needs tokens for first-party Azure AD resources during enrolment, such as the Azure AD Graph API (00000002-0000-0000-c000-000000000000, the &#8216;Windows Azure Active Directory&#8217; app) and the Store for Business (45a330b1-b1ec-4cc1-9161-9f03992aa49f). The broker requests those tokens silently, so instead of an MFA prompt the requests fail with AADSTS50076 (interaction_required), as the event log entries at the end of this post show. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">These first-party applications are hidden from the app picker and therefore cannot be excluded from a conditional access policy through the GUI, so you&#8217;ll have to intercept and modify the portal&#8217;s own save request with Fiddler:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Configure your policy, but don&#8217;t click &#8216;save&#8217;<\/li>\n\n\n\n<li>Start Fiddler and enable HTTPS decryption (Tools &gt; Options &gt; HTTPS &gt; Decrypt HTTPS traffic)<\/li>\n\n\n\n<li>Start capturing in Fiddler<\/li>\n\n\n\n<li>Click &#8216;save&#8217; in the conditional access policy<\/li>\n\n\n\n<li>Stop capturing in Fiddler<\/li>\n\n\n\n<li>Look for the PUT request that saved the policy, and copy it to Notepad or directly to the &#8216;raw&#8217; tab of Fiddler&#8217;s Composer<\/li>\n\n\n\n<li>Add the hidden app IDs to the excluded list in the request body; the example below excludes Microsoft Intune, Microsoft Intune Enrollment, the Store for Business and Azure AD Graph, in that order: <code>&quot;servicePrincipals&quot;:{&quot;allServicePrincipals&quot;:1,&quot;included&quot;:{&quot;ids&quot;:[]},&quot;excluded&quot;:{&quot;ids&quot;:[&quot;0000000a-0000-0000-c000-000000000000&quot;,&quot;d4ebce55-015a-49b5-a083-c84d1797ae8c&quot;,&quot;45a330b1-b1ec-4cc1-9161-9f03992aa49f&quot;,&quot;00000002-0000-0000-c000-000000000000&quot;]}}<\/code><\/li>\n\n\n\n<li>Send the request<\/li>\n\n\n\n<li><strong>Do not edit the policy again through the Intune portal.<\/strong> A portal save rewrites the exclusion list from what the GUI can display, so your hidden IDs are removed again<\/li>\n<\/ol>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1294\" height=\"523\" src=\"https:\/\/www.lieben.nu\/liebensraum\/wp-content\/uploads\/2019\/10\/2019-10-08-15_46_21-OGD-fwd-jos@lieben.nu-Outlook.png\" alt=\"\" class=\"wp-image-3305\" srcset=\"https:\/\/lieben.nu\/liebensraum\/wp-content\/uploads\/2019\/10\/2019-10-08-15_46_21-OGD-fwd-jos@lieben.nu-Outlook.png 1294w, https:\/\/lieben.nu\/liebensraum\/wp-content\/uploads\/2019\/10\/2019-10-08-15_46_21-OGD-fwd-jos@lieben.nu-Outlook-300x121.png 300w, https:\/\/lieben.nu\/liebensraum\/wp-content\/uploads\/2019\/10\/2019-10-08-15_46_21-OGD-fwd-jos@lieben.nu-Outlook-1024x414.png 1024w, https:\/\/lieben.nu\/liebensraum\/wp-content\/uploads\/2019\/10\/2019-10-08-15_46_21-OGD-fwd-jos@lieben.nu-Outlook-768x310.png 768w\" sizes=\"auto, (max-width: 1294px) 100vw, 1294px\" \/><figcaption class=\"wp-element-caption\">Composer tab in Fiddler<\/figcaption><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"319\" height=\"344\" src=\"https:\/\/www.lieben.nu\/liebensraum\/wp-content\/uploads\/2019\/10\/2019-10-08-15_43_44-Cloud-apps-or-actions-Microsoft-Azure.png\" alt=\"\" class=\"wp-image-3303\" srcset=\"https:\/\/lieben.nu\/liebensraum\/wp-content\/uploads\/2019\/10\/2019-10-08-15_43_44-Cloud-apps-or-actions-Microsoft-Azure.png 319w, 
https:\/\/lieben.nu\/liebensraum\/wp-content\/uploads\/2019\/10\/2019-10-08-15_43_44-Cloud-apps-or-actions-Microsoft-Azure-278x300.png 278w\" sizes=\"auto, (max-width: 319px) 100vw, 319px\" \/><figcaption class=\"wp-element-caption\">resulting message in the conditional access policy (cloud apps or actions blade)<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Obviously the above method is not supported by Microsoft!<\/strong> It also weakens the policy: a resource excluded from conditional access can be reached without MFA by any client that obtains a token for it, so a leaked password alone is enough for a token to Azure AD Graph, which can read the directory. Keep the list to the IDs the enrolment flow actually fails on, and review the Azure AD sign-in logs for those apps from time to time.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">For searchability, these are some of the many errors that appear in the client&#8217;s event log (Microsoft-Windows-AAD\/Operational) if you didn&#8217;t do the above. Note that the resource named in the description does not always match the resource in the request line, so use the request line to decide which app ID is missing from the exclusions.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Error:\n0xCAA2000C The request requires user interaction.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Code:\ninteraction_required<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Description:\nAADSTS50076: Due to a configuration change made by your administrator, or\nbecause you moved to a new location, you must use multi-factor authentication\nto access &#8216;00000002-0000-0000-c000-000000000000&#8217;.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Trace ID:\n84d6797d-00b8-49e4-a4cf-aab381ac9400<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Correlation\nID: 9a3788e5-52cc-44a4-a468-f64816ad06d6<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Timestamp:\n2019-10-08 12:45:19Z<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">TokenEndpoint:\n<a href=\"https:\/\/login.microsoftonline.com\/common\/oauth2\/token\">https:\/\/login.microsoftonline.com\/common\/oauth2\/token<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Logged at\noauthtokenrequestbase.cpp, line: 409, method:\nOAuthTokenRequestBase::ProcessOAuthResponse.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Request:\nauthority: <a href=\"https:\/\/login.microsoftonline.com\/common\">https:\/\/login.microsoftonline.com\/common<\/a>,\nclient: fc0f3af4-6835-4174-b806-f7db311fd2f3, redirect URI:\nms-appx-web:\/\/Microsoft.AAD.BrokerPlugin\/fc0f3af4-6835-4174-b806-f7db311fd2f3,\nresource: 
00000002-0000-0000-C000-000000000000, correlation ID (request):\n9a3788e5-52cc-44a4-a468-f64816ad06d6<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Error:\n0xCAA2000C The request requires user interaction.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Code:\ninteraction_required<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Description:\nAADSTS50076: Due to a configuration change made by your administrator, or\nbecause you moved to a new location, you must use multi-factor authentication\nto access &#8216;<a href=\"https:\/\/substrate-dod-int.office365.us\/\">https:\/\/substrate-dod-int.office365.us\/<\/a>&#8216;.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Trace ID:\ndf1ee58f-da80-4a25-897c-51b1a7639700<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Correlation\nID: 946be868-d70e-4670-a4ea-8dac9b05fa17<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Timestamp:\n2019-10-08 12:39:06Z<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">TokenEndpoint:\n<a href=\"https:\/\/login.microsoftonline.com\/common\/oauth2\/token\">https:\/\/login.microsoftonline.com\/common\/oauth2\/token<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Logged at\noauthtokenrequestbase.cpp, line: 409, method:\nOAuthTokenRequestBase::ProcessOAuthResponse.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Request:\nauthority: <a href=\"https:\/\/login.microsoftonline.com\/common\">https:\/\/login.microsoftonline.com\/common<\/a>,\nclient: 26a7ee05-5602-4d76-a7ba-eae8b7b67941, redirect URI:\nms-appx-web:\/\/Microsoft.AAD.BrokerPlugin\/S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742,\nresource: <a href=\"https:\/\/substrate.office.com\">https:\/\/substrate.office.com<\/a>,\ncorrelation ID (request): 946be868-d70e-4670-a4ea-8dac9b05fa17<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Error:\n0xCAA2000C The request requires user interaction.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Code:\ninteraction_required<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Description:\nAADSTS50076: Due to a 
configuration change made by your administrator, or\nbecause you moved to a new location, you must use multi-factor authentication\nto access &#8216;8f41dc7c-542c-4bdd-8eb3-e60543f607ca&#8217;.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Trace ID:\n4ba9b18c-86bb-43c9-a26b-5a3ee0a46700<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Correlation\nID: 797c75ce-46f5-436c-9b53-834ce030a6cf<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Timestamp:\n2019-10-08 13:06:43Z<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">TokenEndpoint:\n<a href=\"https:\/\/login.microsoftonline.com\/common\/oauth2\/token\">https:\/\/login.microsoftonline.com\/common\/oauth2\/token<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Logged at\noauthtokenrequestbase.cpp, line: 409, method:\nOAuthTokenRequestBase::ProcessOAuthResponse.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Request:\nauthority: <a href=\"https:\/\/login.microsoftonline.com\/common\">https:\/\/login.microsoftonline.com\/common<\/a>,\nclient: {6F7E0F60-9401-4F5b-98E2-CF15BD5Fd5E3}, redirect URI:\nms-appx-web:\/\/Microsoft.AAD.BrokerPlugin\/{6F7E0F60-9401-4F5b-98E2-CF15BD5Fd5E3},\nresource: <a href=\"https:\/\/cs.dds.microsoft.com\">https:\/\/cs.dds.microsoft.com<\/a>,\ncorrelation ID (request): 797c75ce-46f5-436c-9b53-834ce030a6cf<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Error:\n0xCAA2000C The request requires user interaction.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Code:\ninteraction_required<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Description:\nAADSTS50076: Due to a configuration change made by your administrator, or\nbecause you moved to a new location, you must use multi-factor authentication\nto access &#8216;d32c68ad-72d2-4acb-a0c7-46bb2cf93873&#8217;.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Trace ID:\n57216986-a61a-4fbe-8f4a-6516a4da7800<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Correlation\nID: 4fe8fddb-3fbd-488d-82da-73286d556d85<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Timestamp:\n2019-10-08 
13:06:08Z<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">TokenEndpoint:\n<a href=\"https:\/\/login.microsoftonline.com\/common\/oauth2\/token\">https:\/\/login.microsoftonline.com\/common\/oauth2\/token<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Logged at\noauthtokenrequestbase.cpp, line: 409, method:\nOAuthTokenRequestBase::ProcessOAuthResponse.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Request:\nauthority: <a href=\"https:\/\/login.microsoftonline.com\/common\">https:\/\/login.microsoftonline.com\/common<\/a>,\nclient: {6F7E0F60-9401-4F5b-98E2-CF15BD5Fd5E3}, redirect URI:\nms-appx-web:\/\/Microsoft.AAD.BrokerPlugin\/{6F7E0F60-9401-4F5b-98E2-CF15BD5Fd5E3},\nresource: <a href=\"https:\/\/activity.microsoft.com\">https:\/\/activity.microsoft.com<\/a>,\ncorrelation ID (request): 4fe8fddb-3fbd-488d-82da-73286d556d85<\/p>\n","protected":false},"excerpt":{"rendered":"<p>EDIT: this no longer works; the modified request is now rejected with an UnSupportedFirstPartyApplication or ServicePrincipalNotFound error. If you set an Intune conditional access policy to require MFA for ALL cloud apps in Azure AD, a new Windows 10 device cannot complete its setup and never becomes usable for the user. 
This is because your client &hellip; <a href=\"https:\/\/lieben.nu\/liebensraum\/2019\/10\/hidden-exceptions-to-conditional-access-mfa\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">hidden exceptions to conditional access MFA<\/span> <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_crdt_document":"","footnotes":""},"categories":[22],"tags":[],"class_list":["post-3302","post","type-post","status-publish","format-standard","hentry","category-intune"],"_links":{"self":[{"href":"https:\/\/lieben.nu\/liebensraum\/wp-json\/wp\/v2\/posts\/3302","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lieben.nu\/liebensraum\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lieben.nu\/liebensraum\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lieben.nu\/liebensraum\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lieben.nu\/liebensraum\/wp-json\/wp\/v2\/comments?post=3302"}],"version-history":[{"count":0,"href":"https:\/\/lieben.nu\/liebensraum\/wp-json\/wp\/v2\/posts\/3302\/revisions"}],"wp:attachment":[{"href":"https:\/\/lieben.nu\/liebensraum\/wp-json\/wp\/v2\/media?parent=3302"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lieben.nu\/liebensraum\/wp-json\/wp\/v2\/categories?post=3302"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lieben.nu\/liebensraum\/wp-json\/wp\/v2\/tags?post=3302"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
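The procedure in the post (capture the PUT, add IDs to servicePrincipals.excluded.ids, resend, never re-save in the portal) and the Microsoft.AAD.BrokerPlugin error records quoted at its end fit together as one small tool. The Python below is an added example; it is not code from the post, from the lieben.nu author or from Microsoft. It parses error records in the layout quoted in the post to list which resources were refused with AADSTS50076, appends the hidden first-party app IDs to the excluded list of a captured policy body, and reports which IDs are missing from a policy body fetched later, which is the check to run after anyone touches the policy in the portal. The sample log lines and the minimal policy body are constructed; the real PUT body is larger and its nesting is an assumption, so the code searches for the servicePrincipals object instead of using a fixed path. The display names next to the four GUIDs are the first-party service principals those IDs belong to, not something the post states.

```python
"""Added example, not code from the post or from Microsoft: triage the broker
errors quoted in the post, then patch and re-verify the captured PUT body."""
import json
import re

# GUIDs from the post's PUT body; names are the first-party SPs they belong to.
HIDDEN_FIRST_PARTY_APPS = {
    "0000000a-0000-0000-c000-000000000000": "Microsoft Intune",
    "d4ebce55-015a-49b5-a083-c84d1797ae8c": "Microsoft Intune Enrollment",
    "45a330b1-b1ec-4cc1-9161-9f03992aa49f": "Windows Store for Business",
    "00000002-0000-0000-c000-000000000000": "Windows Azure Active Directory (Azure AD Graph)",
}
GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
FIELD_RE = {  # one regex per field of a Microsoft.AAD.BrokerPlugin error record
    "aadsts": re.compile(r"(AADSTS\d+)"),
    "client": re.compile(r"client:\s*\{?([0-9A-Fa-f-]{36})\}?"),
    "resource": re.compile(r"resource:\s*([^,\s]+)"),
    "correlation": re.compile(r"correlation ID \(request\):\s*([0-9a-f-]{36})"),
}


def parse_broker_errors(log_text):
    """Split the log at each 'Error:' line and extract, per record, which
    client asked for which resource and which AADSTS code came back."""
    records = []
    for chunk in re.split(r"^(?=Error:)", log_text, flags=re.MULTILINE):
        if chunk.startswith("Error:"):
            records.append({n: next(iter(rx.findall(chunk)), None) for n, rx in FIELD_RE.items()})
    return records


def blocked_resources(records, aadsts="AADSTS50076"):
    """(guids, urls) refused with the given code, read from the request line
    (the description can name a different resource). GUIDs can go straight into
    excluded.ids; URL resources must first be mapped to a service principal."""
    guids, urls = set(), set()
    for rec in records:
        if rec["aadsts"] == aadsts and rec["resource"]:
            res = rec["resource"].lower()
            (guids if GUID_RE.match(res) else urls).add(res)
    return guids, urls


def _find_service_principals(node):
    """Depth-first search, so nothing depends on the exact nesting of the body."""
    if isinstance(node, dict):
        sp = node.get("servicePrincipals")
        if isinstance(sp, dict) and "excluded" in sp:
            return sp
        node = list(node.values())
    if isinstance(node, list):
        for value in node:
            found = _find_service_principals(value)
            if found is not None:
                return found
    return None


def excluded_ids(body_json):
    """Current excluded.ids of a policy body, lower-cased (empty if absent)."""
    sp = _find_service_principals(json.loads(body_json))
    return [i.lower() for i in sp["excluded"].get("ids", [])] if sp else []


def add_exclusions(body_json, app_ids):
    """PUT body with app_ids appended to excluded.ids: lower-cased,
    de-duplicated and validated as GUIDs so a typo never reaches the API."""
    body = json.loads(body_json)
    sp = _find_service_principals(body)
    if sp is None:
        raise ValueError("policy body has no servicePrincipals block")
    ids = sp["excluded"].setdefault("ids", [])
    present = {i.lower() for i in ids}
    for app_id in (a.lower() for a in app_ids):
        if not GUID_RE.match(app_id):
            raise ValueError("not a GUID: %s" % app_id)
        if app_id not in present:
            ids.append(app_id)
            present.add(app_id)
    return json.dumps(body, separators=(",", ":"))


def missing_exclusions(body_json, app_ids):
    """IDs absent from excluded.ids. Run on a freshly fetched copy after anyone
    touches the policy in the portal: a portal save silently drops hidden IDs."""
    return sorted({a.lower() for a in app_ids} - set(excluded_ids(body_json)))


# Constructed sample log in the layout of the entries quoted in the post
# (correlation IDs made up), and a constructed minimal stand-in for the PUT body.
SAMPLE_LOG = """\
Error: 0xCAA2000C The request requires user interaction.
Description: AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000002-0000-0000-c000-000000000000'.
Request: authority: https://login.microsoftonline.com/common, client: fc0f3af4-6835-4174-b806-f7db311fd2f3, redirect URI: ms-appx-web://Microsoft.AAD.BrokerPlugin/fc0f3af4-6835-4174-b806-f7db311fd2f3, resource: 00000002-0000-0000-C000-000000000000, correlation ID (request): 11111111-1111-1111-1111-111111111111
Error: 0xCAA2000C The request requires user interaction.
Description: AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access 'https://substrate-dod-int.office365.us/'.
Request: authority: https://login.microsoftonline.com/common, client: {6F7E0F60-9401-4F5b-98E2-CF15BD5Fd5E3}, redirect URI: ms-appx-web://Microsoft.AAD.BrokerPlugin/{6F7E0F60-9401-4F5b-98E2-CF15BD5Fd5E3}, resource: https://substrate.office.com, correlation ID (request): 22222222-2222-2222-2222-222222222222
"""
SAMPLE_POLICY = json.dumps({"displayName": "Require MFA for all cloud apps", "conditions": {
    "servicePrincipals": {"allServicePrincipals": 1, "included": {"ids": []}, "excluded": {"ids": []}}}})
```

Paste the body that `add_exclusions` returns into the raw tab of Fiddler's Composer in place of the captured one. URL-form resources such as https://substrate.office.com are reported separately rather than guessed, because mapping them to a service principal ID is outside what the post covers.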