Failed Logins Resulting in Windows 10 Licensing Downgrade
Okta Classic Engine
Multi-Factor Authentication
Okta Identity Engine
Overview

This article discusses a niche scenario in which a federation between an Azure AD Hybrid Joined environment and Okta could result in Windows 10 PC licenses being downgraded from Windows 10 Enterprise to Windows 10 Professional.

Applies To
  • Azure Hybrid Join
  • Microsoft Subscription Activation
  • Microsoft Office 365 with WS-Federation
  • Windows Operating Systems
Cause

In this scenario, a Windows machine in an Azure AD Hybrid Joined environment uses Microsoft's Subscription Activation service to obtain its license. With this feature, the end user's PC attempts to validate its enhanced Windows Enterprise subscription through the Microsoft Store. If the user's domain is federated with Okta as its Identity Provider, this authentication attempt is passed to the Okta tenant and evaluated against the Office 365 app's Authentication Policy. However, the Microsoft Store cannot use Modern Authentication and instead uses basic authentication (username/password) for the attempt.

In the Okta System Log, an authentication attempt for this event is visible at each login to the PC; it can be identified by the RawUserAgent value "Windows-AzureAD-Authentication-Provider/1.0".

If the Microsoft Office 365 application's Authentication Policy in Okta dictates that only Modern Authentication is accepted, as is the recommended best practice, then these specific authentication attempts fall through to the default catch-all rule and are denied. This appears in the System Log similar to:
[Image: System log event showing the denied sign-on]
When this authentication attempt fails, the Microsoft Store cannot authenticate, so the Subscription Activation feature cannot process the licensing level request for the PC, and the PC's Windows edition is downgraded from Enterprise to Professional.
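As an added example (not part of this Okta article), the following Python scans exported Okta System Log events for exactly this failure pattern, a sign-on policy deny whose RawUserAgent is the Subscription Activation client, so affected users can be found before their PCs revert to Professional. The sample events are constructed, and the displayMessage text and field paths are assumed to match the Okta System Log schema.

```python
import json
from collections import Counter

# Constructed sample of Okta System Log events (not real log data); only the
# fields this check reads are included. Field paths are assumed to follow the
# Okta System Log schema (client.userAgent.rawUserAgent, outcome.result, displayMessage).
SAMPLE_EVENTS = json.dumps([
    {"published": "2023-05-01T13:02:11.000Z",
     "displayMessage": "Evaluation of Sign-On Policy Deny",
     "outcome": {"result": "FAILURE"},
     "actor": {"alternateId": "alice@example.com"},
     "client": {"userAgent": {"rawUserAgent": "Windows-AzureAD-Authentication-Provider/1.0"}}},
    {"published": "2023-05-01T13:05:40.000Z",  # ordinary browser denial: not this issue
     "displayMessage": "Evaluation of Sign-On Policy Deny",
     "outcome": {"result": "FAILURE"},
     "actor": {"alternateId": "bob@example.com"},
     "client": {"userAgent": {"rawUserAgent": "Mozilla/5.0 (Windows NT 10.0) Chrome/112.0"}}},
    {"published": "2023-05-01T13:06:02.000Z",  # same client, but allowed by a policy rule
     "displayMessage": "Evaluation of Sign-On Policy Allow",
     "outcome": {"result": "SUCCESS"},
     "actor": {"alternateId": "carol@example.com"},
     "client": {"userAgent": {"rawUserAgent": "Windows-AzureAD-Authentication-Provider/1.0"}}},
    {"published": "2023-05-02T08:15:00.000Z",
     "displayMessage": "Evaluation of Sign-On Policy Deny",
     "outcome": {"result": "FAILURE"},
     "actor": {"alternateId": "alice@example.com"},
     "client": {"userAgent": {"rawUserAgent": "Windows-AzureAD-Authentication-Provider/1.0"}}},
])

SUBSCRIPTION_ACTIVATION_UA = "Windows-AzureAD-Authentication-Provider/1.0"
DENY_MESSAGE = "Evaluation of Sign-On Policy Deny"

def is_blocked_activation_attempt(event):
    """True when a Subscription Activation login was denied by the sign-on policy."""
    ua = event.get("client", {}).get("userAgent", {}).get("rawUserAgent", "")
    denied = (event.get("outcome", {}).get("result") == "FAILURE"
              and event.get("displayMessage") == DENY_MESSAGE)
    return denied and ua == SUBSCRIPTION_ACTIVATION_UA

def users_at_risk_of_downgrade(events_json):
    """Count denied Subscription Activation attempts per user; each listed
    user's PC will fall back to Professional until a policy rule allows this client."""
    events = json.loads(events_json)
    return Counter(e["actor"]["alternateId"]
                   for e in events if is_blocked_activation_attempt(e))

if __name__ == "__main__":
    for user, count in users_at_risk_of_downgrade(SAMPLE_EVENTS).items():
        print(f"{user}: {count} denied Subscription Activation attempt(s)")
```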

Solution

To resolve this error, Okta Administrators may reconfigure existing Policy rules or add a rule that allows this specific User Agent to authenticate successfully. More information on how to allow these basic authentication attempts is outlined in the "Evaluation of Sign-On Policy Deny" Events With User Agent "Windows-AzureAD-Authentication-Provider/1.0" article.

NOTE: There is currently no way to make the Microsoft Store use modern authentication. Allowing this type of authentication carries security concerns, which are outlined in Securing Office 365 with Okta.

If this security concern cannot be accepted, Windows Administrators may instead use a Key Management Services (KMS) server for Windows licensing in Hybrid Joined domains.
