Describe your question
The Conditional Access rule gives 'Success', but we're still not able to log in.
Screenshots
See log detail at end of this question
Application 'KoenZomersOneDrive' is excluded from Conditional Access policies, but Azure still refuses to grant access.
Under Conditional Access Policy Details - Access Controls - Grant Controls we get an error "Not Satisfied: Require compliant device".
Under Chrome no specific device details are communicated; under Edge the login is fully compliant.
In either Chrome or Edge we get a similar error message: 530033 Remote device flow blocked due to a device based conditional access rule.
Versions (please complete the following information):
KeePass e.g. 2.52:
KeePass OneDriveSync Plugin 2.1.1.2:
Authentication method
[ X ] Microsoft Graph (any browser) (Edge and Chrome)
[ ] Microsoft Graph (built in browser)
[ ] OneDrive
[ ] OneDrive for Business
[ ] SharePoint 2013/2016/2019
KeePass database synced with
[ X ] OneDrive for Business
[ ] OneDrive Personal
Details
Date 31/10/2022, 15:25:20
Request ID f3b2f186-5fa5-464f-8cc5-ef3de9aa1a00
Correlation ID c07062d5-32f8-414f-b8a2-78a8bbde4de1
Authentication requirement Multifactor authentication
Status Failure
Continuous access evaluation No
Sign-in error code 530033
Failure reason Remote device flow blocked due to device based conditional access.
Additional Details This request is authorizing a remote device, and there is a conditional access policy that requires device authentication. The request is blocked because we cannot assert the properties of the remote device. View the Conditional Access information for this request in the sign-in logs for more details about the policy applied here.
Troubleshoot Event
Follow these steps:
Launch the Sign-in Diagnostic.
Review the diagnosis and act on suggested fixes.
User Roland Raijmakers
Username [email protected]
User ID 2cbe6d44-22b9-4637-b54e-c8ae4458b88d
Sign-in identifier
User type Member
Cross tenant access type None
Application Koen Zomers OneDrive Sync v2
Application ID 7bcec80a-2ffe-4713-b9ea-0150361c8209
Resource Microsoft Graph
Resource ID 00000003-0000-0000-c000-000000000000
Resource tenant ID e615e47b-7994-469f-9303-f4f0c2e5cbc2
Home tenant ID e615e47b-7994-469f-9303-f4f0c2e5cbc2
Home tenant name
Client app Mobile Apps and Desktop clients
Client credential type None
Service principal ID
Service principal name
Resource service principal ID 50a6f207-0d45-4e22-9d56-9c7f6b071dce
Unique token identifier hvGy86VfT0aMxe896aoaAA
Token issuer type Azure AD
Token issuer name
Incoming token type Primary refresh token
Authentication Protocol None
Latency 253ms
Flagged for review Yes
User agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
################################################################################################
Conditional Access Policy details
Policy: Windows, Linux and MacOS
Policy state: Enabled
Result: Failure
I've done some research. It seems that the KeePass OneDrive plugin doesn't send back the device ID from my laptop within the authorization request. The Conditional Access rule set in Intune checks for compatible and authorized devices. This happens when I use the first sync option, where authentication is done via my default browser (Google Chrome with the Windows 10 Accounts extension or Microsoft Edge with the built-in Windows 10 Accounts extension).
Conditional Access rules define two things: a known device within our organisation and a compliant device. As long as the device ID is left out of the authorization request, the request will be rejected.
To be more specific: the device ID is the device ID in Azure AD.
From another application I see the following information in the Azure logging on my account:
Device ID (within Azure AD / Intune): not posted for security reasons
Browser: Chrome 108.0.0
Operating system: Windows 10
Compatible (within Intune): Yes
Managed (within Intune): Yes
Join type: Azure AD joined
From our system engineer I also got the suggestion that Microsoft has ended support for Basic Authentication since October 1st. Only Modern Authentication is supported.
I have a workaround, and that is to use the second authorization option (built-in browser) and saving the login tokens on my local computer. This option I'd rather not use, because I think the first sync option is safer.
################################################################################################
Conditional Access Policy details
Policy: Windows, Linux and MacOS
Policy state: Enabled
Result: Failure
Assignments
User Roland Raijmakers Matched
Application Koen Zomers OneDrive Sync v2 Matched (All apps included)
Conditions
Device platform Matched
Location Gennep, NL Matched 94.208.30.174
Client app
Mobile Apps and Desktop clients Matched
Device 10cf706e-25dc-4943-83f9-aee2e5ec9c6b Not configured
User risk Not configured
Access controls
Grant Controls Not satisfied Require compliant device
Session Controls Not configured
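For an admin triaging sign-in failures like the one in this issue, it helps to pick out the records where a policy enforcing "Require compliant device" failed while the client presented no device identity at all, and to group them by application, so that clients that cannot present a device ID (the pattern described above) stand out from ordinary credential failures. The script below is an added example and is not code from the plugin, from KeePass, or from the issue author. The record layout is modelled on the Microsoft Graph signIn resource (auditLogs/signIns); the field names are an assumption for this example, the sample records are constructed, and the IDs they reuse are taken from the log text in this issue.

```python
"""Classify Azure AD sign-in log records for device-based Conditional Access
blocks such as the 530033 failure in this issue.

The record layout is modelled on the Microsoft Graph 'signIn' resource
(auditLogs/signIns); the field names are an assumption for this example, and
the sample records are constructed, not exported from a tenant.
"""
from collections import Counter

# Error code reported in the issue: "Remote device flow blocked due to device
# based conditional access" (assumption: treated here as the canonical signal).
DEVICE_CA_BLOCK_CODE = 530033

# Grant controls that can only be satisfied when the client presents a
# recognisable device identity (assumed names, after the Graph enum values).
DEVICE_GRANT_CONTROLS = {"RequireCompliantDevice", "RequireDomainJoinedDevice"}


def classify_sign_in(record: dict) -> str:
    """Return one of:
    'device-ca-block' - blocked because the client sent no usable device identity
    'other-failure'   - failed for a reason unrelated to device-based CA
    'success'         - sign-in succeeded
    """
    status = record.get("status", {})
    if status.get("errorCode", 0) == 0:
        return "success"

    device = record.get("deviceDetail", {})
    device_known = bool(device.get("deviceId"))

    # An applied policy that failed on a device-based grant control while the
    # request carried no device ID is the pattern from the issue.
    policy_hit = any(
        p.get("result") == "failure"
        and DEVICE_GRANT_CONTROLS & set(p.get("enforcedGrantControls", []))
        for p in record.get("appliedConditionalAccessPolicies", [])
    )
    if status["errorCode"] == DEVICE_CA_BLOCK_CODE or (policy_hit and not device_known):
        return "device-ca-block"
    return "other-failure"


def apps_missing_device_identity(records) -> dict:
    """Count device-CA blocks per client application, so the apps that cannot
    present a device identity (like the plugin in this issue) stand out."""
    counts = Counter(
        r.get("appDisplayName", "<unknown>")
        for r in records
        if classify_sign_in(r) == "device-ca-block"
    )
    return dict(counts)


# Constructed sample records mirroring the issue's log. The app, policy and
# device IDs come from the issue text; the other two records are invented.
SAMPLE_SIGN_INS = [
    {
        "appDisplayName": "Koen Zomers OneDrive Sync v2",
        "appId": "7bcec80a-2ffe-4713-b9ea-0150361c8209",
        "clientAppUsed": "Mobile Apps and Desktop clients",
        "status": {"errorCode": 530033,
                   "failureReason": "Remote device flow blocked due to device based conditional access."},
        "deviceDetail": {"deviceId": "", "isCompliant": False, "isManaged": False},
        "appliedConditionalAccessPolicies": [
            {"displayName": "Windows, Linux and MacOS", "result": "failure",
             "enforcedGrantControls": ["RequireCompliantDevice"]},
        ],
    },
    {
        "appDisplayName": "Hypothetical Managed App",
        "clientAppUsed": "Browser",
        "status": {"errorCode": 0, "failureReason": ""},
        "deviceDetail": {"deviceId": "10cf706e-25dc-4943-83f9-aee2e5ec9c6b",
                         "isCompliant": True, "isManaged": True},
        "appliedConditionalAccessPolicies": [
            {"displayName": "Windows, Linux and MacOS", "result": "success",
             "enforcedGrantControls": ["RequireCompliantDevice"]},
        ],
    },
    {
        "appDisplayName": "Hypothetical Legacy App",
        "status": {"errorCode": 50126, "failureReason": "Invalid username or password."},
        "deviceDetail": {"deviceId": ""},
        "appliedConditionalAccessPolicies": [],
    },
]

if __name__ == "__main__":
    for r in SAMPLE_SIGN_INS:
        print(f"{r['appDisplayName']:32} -> {classify_sign_in(r)}")
    print(apps_missing_device_identity(SAMPLE_SIGN_INS))
```

The classifier treats two signals as equivalent: the explicit 530033 code, and a failed policy whose grant control needs a device identity when the record's deviceDetail carries no device ID. Running it over a tenant's export would list exactly the applications that, like the plugin's system-browser flow here, never hand Azure AD a device claim, which is the set of clients the policy exclusion (or a different sync option) has to cover.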