How to Configure YubiKey 5 for Windows Hello login - windows

Just added my YubiKey to my Microsoft Account ("Passwordless Account" ON). But I don't get prompted for "Touch the USB" :-( I'm only offered PIN or password after I've locked the PC. Is there something else I have to do? Another setting?

You cannot currently use a FIDO2 security key to sign in to Windows with a Microsoft consumer account.
The link posted in the comment is for AAD (work/school) accounts.

According to the Yubico document (https://support.yubico.com/hc/en-us/articles/360013708460-Yubico-Login-for-Windows-Configuration-Guide):
Yubico Login for Windows does not support any of the following:
Active Directory (AD) managed accounts
Azure Active Directory (AAD) managed accounts
Microsoft Accounts (MSA)

Related

Log in to a Windows (10, 11) machine with our own domain email

When we try to log in to a new Windows computer (Windows 10 & 11) using our Office 365 user, with our own domain email (user@ourdomain.com), we get the following error:
"Looks like this isn't a Microsoft account. Try another email or sign up for a new one."
When we try to create a new account we get the following error:
"You can't sign up here with a work or school email address. Use a personal email, such as Gmail or Yahoo!, or get a new Outlook email."
Anyone know how we can achieve that? Opened a few support tickets at Microsoft, but nobody could find a solution yet.
Thanks,
Are these PCs already joined to Azure Active Directory?
An administrator of your company's tenant needs to join the PCs to the O365 tenant.
Then it should be possible to log in using the company's email/UPN.

How do I register a security key (for Windows login) for my regular Microsoft accounts?

To break the problem down, all I am trying to do is use a security key (FIDO2 security key) with my Microsoft account (Hotmail) to log into my PC. Does anyone know how I can best do this?
Details of my attempt using Azure AD:
I have an AAD tenant where security keys have been enabled for all users. When creating a user in AAD, setting up the key for that user in http://myprofile.microsoft.com/ and then AAD joining my PC, I can log in to my PC with the security key registered to that particular account.
However, if I invite an external user with a regular "@outlook" or "@hotmail" account to my AAD, I can't log in to http://myprofile.microsoft.com/ since this user is not added to the "Microsoft Services" tenant and cannot access application '19db86c3-b2b9-44cc-b339-36da233a3be2' (My Access). Instead I tried setting up the security key in account.microsoft.com for Microsoft accounts.
Since my PC is AAD joined with the AAD user, the security key option is there during login, and with that I tried signing in to my "@hotmail" account on my PC with the security key I set up for that account. That seemed to initially work until it finally said "You can't sign in with this account. Try another account".
Does anyone know how to set up security keys for regular Microsoft accounts, or how to possibly add an external user to the 'Microsoft Services' tenant?
Thanks!
Currently only work or school accounts are supported on Azure AD joined devices. A guest Microsoft account is not supported.
If you have a PC which is not Azure AD joined, you can log in to that PC with a Microsoft account. You can check the detailed information in this article.

Blanked a Win10 password but cannot login

Okay, I think I did something stupid here. I had forgotten my Win10 user account (steph) password. This is an admin account.
1) Using a Linux-type USB boot utility, I've been able to blank the password. Upon reboot, I entered a blank password but I still cannot log in; it seems that my account physically on the computer now doesn't match my Hotmail credentials -or something- and I'm still locked out.
2) Using the same Linux USB boot utility, I've unlocked the 'Administrator' account. Now I can log in using the 'Administrator' account, but from the Control Panel I cannot change my own user account (steph) password; the option for it is just not there (perhaps it's because the password is believed to be blank?).
3) Later I've been able to find the piece of paper on which I wrote my original password for my own account.
Q: Is there a way to set my original password back to what it was in order to unlock my account?
Thanks.
Many Linux USB boot utilities work with local accounts only. I suggest you set up a new Microsoft account on your PC and point it to your old profile directory. Then remove your original Microsoft account from the Control Panel.

Access user accounts in a domain without administrator rights

I am making a very simple Marketplace app using the new SDK (OAuth 2.0). One of the steps would be to automatically invite team members to a closed group, so I would need access to team members (users in the same domain) from the user that is starting the process by going through the default "navigator icon" in the Google navigation menu.
This is working fine; however, it only works for administrators (tried with both the Directory API and the Profiles Data API). Is there a way to simply "read" the email of users without needing to have administrator rights? It seems quite an overkill to ask a user to be an administrator just for the purpose of being able to invite his team members.
These email addresses are in the user's contact list, for example; when writing an email they are automatically there, so it shouldn't be much of a permission problem, I guess. Can anyone help a bit on how I can accomplish this? Maybe a different API that I have not found?
Very much appreciated,
Best regards,
Joao Garin
You can use "Service Accounts" to access the Directory API on behalf of the administrator when any user accesses the app.
The Drive API has a really good set of samples here - https://developers.google.com/drive/delegation
This same technique will work with the Admin SDK. The end result is that the auth is not made on behalf of the user at the keyboard but as an authorized Service Account. This Service Account is authorized by the admin at the time of install.
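The answer above describes domain-wide delegation: the app holds a service account key, and the admin authorizes that service account's client ID for specific scopes, so the app can read the directory as the admin even when an ordinary user triggers the request. The example below is added here to show what actually happens on the wire; it is not code from the thread or from Google's SDK samples. It builds the signed JWT assertion that the service account presents to Google's token endpoint, where the `sub` claim names the admin being impersonated, and then exchanges it for an access token. The service account email, key id, admin address, scope list and the `service-account.json` file name are assumptions for the illustration; `cryptography` is only needed for the real RS256 signer.

```python
"""Domain-wide delegation: a service account asserting an admin user's identity.

Added example, not part of the original thread. Names marked as assumed are
placeholders, not values from the page.
"""
import base64
import json
import time
import urllib.parse
import urllib.request
from typing import Callable, Optional, Sequence

TOKEN_URI = "https://oauth2.googleapis.com/token"          # Google OAuth 2.0 token endpoint
JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"
# Narrowest Directory API scope that still lists users (assumption: enough to invite teammates).
READ_USERS_SCOPE = "https://www.googleapis.com/auth/admin.directory.user.readonly"


def _b64url(raw: bytes) -> str:
    """Base64url without padding, as JWT segments require."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def build_delegation_assertion(
    sa_email: str,
    key_id: str,
    subject: str,
    scopes: Sequence[str],
    signer: Callable[[bytes], bytes],
    now: Optional[int] = None,
) -> str:
    """Return the signed JWT a service account presents to obtain an access token.

    `sub` is what makes this delegation rather than plain service-account auth:
    Google issues the token as if `subject` (the admin who installed the app) had
    asked for it, so the app reads the directory with the admin's rights, not the
    rights of whoever is at the keyboard.
    """
    now = int(time.time()) if now is None else now
    header = {"alg": "RS256", "typ": "JWT", "kid": key_id}
    claims = {
        "iss": sa_email,
        "sub": subject,
        "scope": " ".join(scopes),
        "aud": TOKEN_URI,
        "iat": now,
        "exp": now + 3600,  # Google rejects assertions valid for longer than one hour
    }
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = _b64url(compact(header)) + "." + _b64url(compact(claims))
    return signing_input + "." + _b64url(signer(signing_input.encode("ascii")))


def decode_claims(assertion: str) -> dict:
    """Decode the claim set of a JWT (no signature check; for inspection and tests)."""
    payload = assertion.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the padding base64url strips
    return json.loads(base64.urlsafe_b64decode(payload))


def rs256_signer_from_pem(private_key_pem: bytes) -> Callable[[bytes], bytes]:
    """Build an RS256 signer from the service account's private key (needs `cryptography`)."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding

    key = serialization.load_pem_private_key(private_key_pem, password=None)
    return lambda data: key.sign(data, padding.PKCS1v15(), hashes.SHA256())


def exchange_assertion(assertion: str) -> str:
    """POST the assertion to Google's token endpoint and return the bearer token (network)."""
    body = urllib.parse.urlencode(
        {"grant_type": JWT_BEARER_GRANT, "assertion": assertion}
    ).encode()
    req = urllib.request.Request(TOKEN_URI, data=body, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


if __name__ == "__main__":
    # Assumed file name: the JSON key Google hands out for a service account.
    with open("service-account.json", "rb") as fh:
        sa = json.load(fh)
    signer = rs256_signer_from_pem(sa["private_key"].encode())
    assertion = build_delegation_assertion(
        sa["client_email"], sa["private_key_id"],
        "admin@example.com",          # assumed: the admin who authorized the app
        [READ_USERS_SCOPE], signer,
    )
    print(exchange_assertion(assertion)[:12] + "...")
```

With the google-auth library the same flow is `service_account.Credentials.from_service_account_file(path, scopes=[...]).with_subject("admin@example.com")`; the hand-built version makes the trust boundary visible. Two caveats follow from it: the key file can impersonate any user in the domain for the authorized scopes, so it must live on the app's server and never in anything shipped to end users, and the admin should authorize only the scopes the app needs (here a read-only users scope) rather than the full Directory API.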

Microsoft App authentication in MVC 5

I want to authenticate my MVC application with Microsoft. I've successfully done it with Facebook, Google and Twitter, but when I click on Microsoft the error `We're unable to complete your request
Microsoft account is experiencing technical problems. Please try again later`
comes up.
I successfully created an app and pasted the Client ID and Client Secret into my MVC application, but I do not know the real problem.
What is the return URL that you specified for the given Client ID and Client Secret? If the site is not running under that specific URL (e.g. it is running under localhost while you are in dev mode), you can get this error message.
In my case I had my Gmail account configured as my primary Microsoft Live account; once I changed this to my Hotmail account as the primary account and then created a new app with a new name, Client ID and Secret, it started working for me.
To give some background, the Gmail account worked when signing in as a Gmail user on my app with Google as the Identity Provider, and this is the account I used as my Microsoft Account. I suspect my Microsoft account using my Gmail user name and password confused the MS Identity Provider, thus resulting in the error. So avoid using one Identity Provider's credentials to authenticate with a different Identity Provider if testing this: one account per Identity Provider, not associated with other Identity Providers.
Since the Google account had been my primary for the other Identity Providers, when I logged into the app with it I was, I suspect, essentially already logged in with my Microsoft account.
Step 1:
Open the Microsoft Application Registration Portal [https://apps.dev.microsoft.com] where you registered your application.
You need to make a change in the Redirect URIs.
For example:
The URI which is registered
URL: http://localhost:8000
Change to make in the URI:
Just add [/signin-microsoft] at the end of the URL; it works
URL: http://localhost:8000/signin-microsoft
Finally save your settings and try again; it will work.
In my case, it failed when I used my personal Outlook account to log in.
Once I switched to an Office 365 account, it started working.