Forums on Intune, SCCM, and Windows 11


SOLVED OOBE with a federated domain user fails

  • Thread starter: Bhatsy
  • Replies: 3
  • Views: 6K
Status: Not open for further replies.

Bhatsy (New Member)
Hi, we are running Autopilot in our environment and running into an issue.
Below is our setup:
Intune tenant: azureadonly.onmicrosoft.com
Federated domain: azuread-only.com (federates to a passwordless IdP)

The machine boots up and gets to the custom branded page where the user is asked to log in. When the user enters an onmicrosoft.com email address, the screen moves to the next screen and presents a password prompt. However, when the user enters the federated domain email address (domain verified in Azure AD), the error "We didn't find that email address in your organization. Use another email address or contact your admin" appears. Attached are Fiddler traces. The trace shows the machine is trying to connect to Intune at the onmicrosoft.com tenant. How do we verify the federated domain in Intune the way we have verified it in Azure? It seems Intune doesn't recognize users that are on the federated domain.
 

Attachments

  • FiddlerSession.saz.txt (269 KB)
  • Screen Shot 2022-09-12 at 10.56.16 PM.png (283.4 KB)
  • Screen Shot 2022-09-12 at 10.56.55 PM.png (263.5 KB)
  • Screen Shot 2022-09-12 at 10.59.28 PM.png (118.2 KB)

  • Go to Active Directory Users and Domain
  • Find the user
  • Properties -> Attribute Editor tab -> edit proxyAddresses
  • Add this entry: SMTP:<email address>
  • Apply and click OK.

Once the above steps are done, run the full synchronization (ensure the user OU is added in the container).

Next, go to Azure AD and verify the user principal name. It should reflect the correct domain name.

Try to log in.
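The steps in the reply above, carried out from PowerShell on a hybrid tenant, as an added example that is not code from the thread or from Microsoft: stamp the primary SMTP address on the on-prem user, run a full Azure AD Connect sync, then confirm what Azure AD actually holds for the user. It assumes it runs on the Azure AD Connect server with the ActiveDirectory and ADSync modules present and the Microsoft.Graph module installed; the user name and addresses are placeholders.

```powershell
# Added example, not code from the thread. Runs on the Azure AD Connect server;
# assumes the ActiveDirectory, ADSync and Microsoft.Graph modules are installed.
# Every user and domain value below is a placeholder.
param(
    [string]$SamAccountName = 'jdoe',                   # placeholder
    [string]$PrimarySmtp    = 'jdoe@azuread-only.com',  # placeholder on the thread's federated domain
    [string]$ExpectedUpn    = 'jdoe@azuread-only.com'   # placeholder
)

Import-Module ActiveDirectory -ErrorAction Stop

# Steps 1-5 of the reply: write the primary SMTP address. The prefix is case-
# significant: upper-case "SMTP:" marks the single primary address, lower-case
# "smtp:" an alias. Refuse to create a second primary rather than leave an
# ambiguous object behind.
$adUser  = Get-ADUser -Identity $SamAccountName -Properties proxyAddresses, userPrincipalName
$primary = @($adUser.proxyAddresses) | Where-Object { $_ -clike 'SMTP:*' }

if ($primary -and $primary -cne "SMTP:$PrimarySmtp") {
    throw "User already has primary address '$primary'; demote it to smtp: before adding another."
}
if (-not $primary) {
    Set-ADUser -Identity $SamAccountName -Add @{ proxyAddresses = "SMTP:$PrimarySmtp" }
}

# The UPN suffix must be a verified domain in the tenant; otherwise Azure AD
# Connect falls back to the onmicrosoft.com suffix in the cloud. Say so up front.
$upnSuffix = ($adUser.UserPrincipalName -split '@')[-1]
if ($upnSuffix -ne ($ExpectedUpn -split '@')[-1]) {
    Write-Warning "On-prem UPN suffix is '$upnSuffix'; Azure AD will not show '$ExpectedUpn' unless the UPN is changed as well."
}

# Full synchronization, as the reply says (Initial = full import, full sync, export).
# Start-ADSyncSyncCycle returns immediately, so poll the scheduler until the cycle ends.
Import-Module ADSync -ErrorAction Stop
Start-ADSyncSyncCycle -PolicyType Initial | Out-Null
$deadline = (Get-Date).AddMinutes(30)
do {
    Start-Sleep -Seconds 15
    $inProgress = (Get-ADSyncScheduler).SyncCycleInProgress
} while ($inProgress -and (Get-Date) -lt $deadline)
if ($inProgress) { throw 'Sync cycle still running after 30 minutes; check Synchronization Service Manager.' }

# Cloud side: confirm the UPN and primary SMTP that actually landed in Azure AD.
Connect-MgGraph -Scopes 'User.Read.All' | Out-Null
$cloudUser = Get-MgUser -UserId $ExpectedUpn -Property UserPrincipalName, ProxyAddresses, OnPremisesSyncEnabled -ErrorAction Stop
[pscustomobject]@{
    UserPrincipalName     = $cloudUser.UserPrincipalName
    PrimarySmtp           = @($cloudUser.ProxyAddresses) | Where-Object { $_ -clike 'SMTP:*' }
    OnPremisesSyncEnabled = $cloudUser.OnPremisesSyncEnabled
}
```

The UPN check matters more than the proxyAddresses step for the symptom in this thread: the sign-in page routes on the UPN suffix, so a user whose cloud UPN was rewritten to the onmicrosoft.com suffix will not be found under the federated domain no matter which SMTP addresses are stamped on the object.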
 
Hi Muneer, thank you so much for responding. This is an Azure-only tenant. There is no on-prem Active Directory. The user is created as Is there any other attribute I can modify for this user in Azure AD? Also, the only difference is that azuread-only.com is not a managed domain. It's a federated domain, federated to a 3rd-party IdP over SAML.
 
Just wanted to close the loop on this one if anyone needs help on this. We fixed this issue by using WS-Fed based federation instead of SAML. Microsoft clearly has some bugs they need to address with SAML-based federations to 3rd-party IdPs.
 
Solution
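Two read-only checks for the symptom described in the first post, as an added example that is not code from the thread or from Microsoft: the same kind of home-realm lookup the sign-in page performs for a login name (which is what decides whether the user is sent to the federated IdP or shown the "didn't find that email address" error), and the federation record Azure AD holds for the domain, including which protocol is configured (wsFed or saml, the distinction the solution post turns on). It assumes the Microsoft.Graph PowerShell module is installed; the user and domain names are placeholders taken from the thread, and GetUserRealm.srf is Microsoft's public, unauthenticated realm-discovery endpoint.

```powershell
# Added example, not code from the thread. Read-only diagnostics; assumes the
# Microsoft.Graph module. User and domain names are placeholders from the thread.
param(
    [string]$FederatedUser = 'user@azuread-only.com',             # placeholder
    [string]$CloudUser     = 'user@azureadonly.onmicrosoft.com'   # placeholder
)

function Get-UserRealm {
    param([Parameter(Mandatory)][string]$Login)
    # Public home-realm discovery endpoint; no credentials are needed to query it.
    $uri = 'https://login.microsoftonline.com/GetUserRealm.srf?login=' + [uri]::EscapeDataString($Login)
    Invoke-RestMethod -Uri $uri -Method Get
}

# Check 1: what does the sign-in service say about each login name?
# NameSpaceType is Managed, Federated or Unknown. Unknown means the suffix is not
# a verified domain of any tenant, which is the condition behind the OOBE error text.
foreach ($login in @($CloudUser, $FederatedUser)) {
    $realm = Get-UserRealm -Login $login
    [pscustomobject]@{
        Login               = $login
        NameSpaceType       = $realm.NameSpaceType
        FederationBrandName = $realm.FederationBrandName
        AuthUrl             = $realm.AuthURL   # the IdP endpoint the client would be redirected to
    }
}

# Check 2: what does the tenant itself hold for the federated domain?
Connect-MgGraph -Scopes 'Domain.Read.All' | Out-Null
$domainName = ($FederatedUser -split '@')[-1]
$domain     = Get-MgDomain -DomainId $domainName -ErrorAction Stop
[pscustomobject]@{
    Domain             = $domainName
    IsVerified         = $domain.IsVerified
    AuthenticationType = $domain.AuthenticationType   # Managed or Federated
}

if ($domain.AuthenticationType -eq 'Federated') {
    # PreferredAuthenticationProtocol is wsFed or saml; IssuerUri and PassiveSignInUri
    # must match what the third-party IdP actually presents, or sign-in fails after redirect.
    Get-MgDomainFederationConfiguration -DomainId $domainName |
        Select-Object IssuerUri, PassiveSignInUri, PreferredAuthenticationProtocol, FederatedIdpMfaBehavior
}
```

If check 1 returns Unknown for the federated login while check 2 shows the domain as verified and federated, the mismatch is between the realm the client resolves and the tenant configuration rather than in Intune, which only consumes the token Azure AD issues after sign-in; that is the split the Fiddler trace in the first post should make visible.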
