Error: “Confirm you are using the correct sign-in info, and that your workplace uses this feature”

Are you trying to enroll a Windows device in Intune, but after pressing “Turn on” in Workplace settings you get the following error?

Confirm you are using the correct sign-in info, and that your workplace uses this feature.
Also, the connection to your workplace might not be working right now. Please wait and try
again.


Depending on which solution you use to manage mobile devices, the answer is different. Let’s look at both of them:

Option 1 – You are using standalone Windows Intune to manage mobile devices

This means you are using the Windows Intune website to manage devices. You are NOT using ConfigMgr 2012 in combination with the Windows Intune connector.

Solution 1:

Make sure that your standalone Windows Intune is configured to be the mobile device management authority.
You can find the TechNet article that explains it all here.

If you want to use your public domain for users to enroll (e.g. user1@contoso.com), you will have to add the domain to Windows Intune and prove ownership by adding some DNS entries.

- Browse to the Windows Intune admin portal and add the domain
- Change the DNS

  • Prove ownership by adding the requested DNS entries (I prefer adding MX records instead of TXT)
  • While you are at it, add a CNAME to automate enrollment on Windows 8.1 devices:
      Alias name: enterpriseenrollment
      Target: manage.microsoft.com

- Wait a bit, in my experience it takes one or two hours.
- Verify your domain ownership at the same portal.

Create a user, assign a license and confirm the credentials are working on the Intune Web Portal.
During first logon you will need to change your password.

If all succeeds, you should be able to enroll your Windows device using the “Turn On” button in Workplace settings.

Solution 2:

If you want to enroll in Windows Intune using your “user1@tenant.onmicrosoft.com” user/domain, or your own verified domain without changing any DNS entries, follow this workaround.

We need to add a registry value so that Windows can find your Intune management server.
Open Notepad, copy and paste the following text and save it as “discovery.reg” (including the quotes, so Notepad does not append .txt).

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM]
"DiscoveryService"="manage.microsoft.com"

Now double-click the “discovery.reg” file and confirm the import.
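An added example (not from the original post) that audits the same DiscoveryService override from PowerShell before and after importing discovery.reg, and can set it without the .reg file; it assumes an elevated PowerShell 3.0 or later session on the Windows 8.1 client, and the expected host is the value from the .reg text above.

```powershell
# Added example, not part of the original post. Audits or sets the MDM DiscoveryService
# override that discovery.reg writes. Assumes an elevated PowerShell session on the client.
$MdmPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
$ExpectedHost = 'manage.microsoft.com'   # value taken from discovery.reg above

function Get-MdmDiscoveryOverride {
    # Returns the configured discovery host, or $null when the key or value is absent.
    $item = Get-ItemProperty -Path $MdmPolicyKey -Name 'DiscoveryService' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.DiscoveryService
}

function Test-MdmDiscoveryOverride {
    # The override redirects every MDM enrollment attempt on this machine, so anything
    # other than the expected Intune host is worth investigating before you enroll.
    $current = Get-MdmDiscoveryOverride
    [pscustomobject]@{
        Present  = ($null -ne $current)
        Value    = $current
        Expected = $ExpectedHost
        Matches  = ($current -eq $ExpectedHost)
    }
}

function Set-MdmDiscoveryOverride {
    # Same effect as importing discovery.reg, but idempotent and scriptable.
    param([string]$DiscoveryHost = $ExpectedHost)
    if (-not (Test-Path $MdmPolicyKey)) { New-Item -Path $MdmPolicyKey -Force | Out-Null }
    New-ItemProperty -Path $MdmPolicyKey -Name 'DiscoveryService' -Value $DiscoveryHost `
        -PropertyType String -Force | Out-Null
    Test-MdmDiscoveryOverride
}

# Run the audit; call Set-MdmDiscoveryOverride instead to apply the override.
Test-MdmDiscoveryOverride | Format-List
```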

Create a user, assign a license and confirm the credentials are working on the Intune Web Portal.
During first logon you will need to change your password.

If all succeeds, you should be able to enroll your Windows device using the “Turn On” button in Workplace settings.

Option 2 – You are using Intune managed via ConfigMgr 2012 (a.k.a. Hybrid or UDM)

1) The UPN used probably does not match the UPN in your local Active Directory. It’s likely you are trying to enroll using user1@tenant.onmicrosoft.com while the user in your local Active Directory has a different UPN (e.g. user1@contoso.com).

Solution 1:

For testing purposes, you can add the “tenant.onmicrosoft.com” UPN suffix to your local Active Directory. In Active Directory Users and Computers, check that the user has this UPN set.

I assume you already have dirsync in place. If not:

  • Download and enable dirsync in the admin portal
  • Dirsync all users in the domain or a specific OU to Windows Intune (WAAD)
  • After a while (depends on the number of accounts) you should see users appear in the user section of the admin portal

Perform a manual dirsync using the PowerShell cmdlet:

  • Open "C:\Program Files\Windows Azure Active Directory Sync\DirSyncConfigShell.psc1" on your dirsync server.
  • Type “Start-OnlineCoexistenceSync” and hit enter.

Continue to the “Try the Intune Web Portal before touching any mobile device” section of this post.

Solution 2:

The nicest solution is to use your own public domain name. This means users can authenticate to Windows Intune using their e-mail address (e.g. user1@contoso.com).

- Browse to the Windows Intune admin portal and add the domain
- Change the DNS

  • Prove ownership by adding the requested DNS entries (I prefer adding MX records instead of TXT)
  • While you are at it, add a CNAME to automate enrollment on Windows 8.1 devices:
      Alias name: enterpriseenrollment
      Target: enterpriseenrollment.manage.microsoft.com

- Wait a bit, in my experience it takes one or two hours.
- Verify your domain ownership at the same portal.
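An added example (not from the original post) that checks the DNS records the domain walkthroughs in Option 1 / Solution 1 and Option 2 / Solution 2 ask for: the MX/TXT proof records and the enterpriseenrollment CNAME. It assumes Windows 8.1 or Server 2012 R2 (Resolve-DnsName from the DnsClient module); contoso.com is a placeholder, and the default expected target is the one in the list directly above, so pass -ExpectedTarget if you created the other one.

```powershell
# Added example, not part of the original post. Verifies the Intune domain DNS records.
# Assumes the DnsClient module (Resolve-DnsName); the domain and target are placeholders.
function Test-IntuneEnrollmentDns {
    param(
        [Parameter(Mandatory)][string]$Domain,                 # e.g. contoso.com
        [string]$ExpectedTarget = 'enterpriseenrollment.manage.microsoft.com'
    )
    $result = [ordered]@{ Domain = $Domain }

    # 1) Ownership proof: the portal asks for an MX or TXT record. Report what is published
    #    so it can be compared with the value shown in the Windows Intune admin portal.
    $mx  = Resolve-DnsName -Name $Domain -Type MX  -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'MX' } | Select-Object -ExpandProperty NameExchange
    $txt = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'TXT' } | ForEach-Object { $_.Strings -join '' }
    $result.MxRecords  = @($mx)
    $result.TxtRecords = @($txt)

    # 2) Auto-discovery: Windows 8.1 looks up enterpriseenrollment.<domain>. It must be a
    #    CNAME pointing at the Intune enrollment host, not at anything else.
    $alias = "enterpriseenrollment.$Domain"
    $cname = Resolve-DnsName -Name $alias -Type CNAME -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
    $result.EnrollmentAlias = $alias
    $result.CnameTarget     = if ($cname) { $cname.NameHost.TrimEnd('.') } else { $null }
    $result.CnameIsCorrect  = ($result.CnameTarget -eq $ExpectedTarget)

    # Public DNS can lag the zone change by an hour or two, so a missing record right after
    # editing is expected; a record that points at the wrong target is not.
    [pscustomobject]$result
}

Test-IntuneEnrollmentDns -Domain 'contoso.com' | Format-List
```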

Now back to your on-premises setup:

  • Make sure the same UPN is added to your local AD. In Active Directory Users and Computers, check that the user has this UPN set (e.g. user1@contoso.com).

I assume you already have dirsync in place. If not:

  • Download and enable dirsync in the admin portal
  • Dirsync all users in the domain or a specific OU to Windows Intune (WAAD)
  • After a while (depends on the number of accounts) you should see users appear in the user section of the admin portal

Force a ConfigMgr user discovery:

[Screenshot: running a ConfigMgr user discovery]

If the UPN of the local AD user matches the UPN found on the Intune user page – you should get a “cloud ID” in your local ConfigMgr SQL database.
In the screenshot below, I have used the following query. Make sure to replace the name “Pieter”:

select User_Name0, CloudUserID from User_DISC where Name0 like '%pieter%'

[Screenshot: query result showing the CloudUserID column for the users PieterW and Pieter]

In this screenshot you can see that the user PieterW has a cloud ID and is able to use Windows Intune. The user Pieter however does not have a cloud ID and therefore can’t use Windows Intune at this point.
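An added example (not from the original post) that generalises the query above: it lists every discovered user that still has no cloud ID, together with the UPN ConfigMgr discovered for them, so a UPN mismatch of the kind described in Option 2 shows up in one table. It assumes read access to the site database with Windows authentication; the server and database names are placeholders, and the User_Principal_Name0 column of User_DISC is assumed from the ConfigMgr 2012 schema.

```powershell
# Added example, not part of the original post. Lists discovered users without a cloud ID
# and shows the UPN ConfigMgr holds for them. Server/database names are placeholders; the
# User_Principal_Name0 column is assumed from the ConfigMgr 2012 schema.
function Get-UsersWithoutCloudId {
    param(
        [Parameter(Mandatory)][string]$SqlServer,      # e.g. 'CM01' or 'CM01\INST01'
        [Parameter(Mandatory)][string]$SiteDatabase,   # e.g. 'CM_P01'
        [string]$NameFilter = '%'                      # same LIKE pattern as the post's query
    )
    $conn = New-Object System.Data.SqlClient.SqlConnection(
        "Server=$SqlServer;Database=$SiteDatabase;Integrated Security=True")
    $cmd = $conn.CreateCommand()
    # The filter travels as a real parameter, never concatenated into the statement.
    $cmd.CommandText = @"
select User_Name0, User_Principal_Name0, CloudUserID
from User_DISC
where Name0 like @name and CloudUserID is null
order by User_Name0
"@
    [void]$cmd.Parameters.AddWithValue('@name', $NameFilter)
    $conn.Open()
    try {
        $reader = $cmd.ExecuteReader()
        while ($reader.Read()) {
            [pscustomobject]@{
                UserName = $reader['User_Name0']
                Upn      = $reader['User_Principal_Name0']   # compare with the Intune user page
                CloudId  = $null                             # by definition of the WHERE clause
            }
        }
    } finally { $conn.Close() }
}

Get-UsersWithoutCloudId -SqlServer 'CM01' -SiteDatabase 'CM_P01' -NameFilter '%pieter%' |
    Format-Table -AutoSize
```

A user whose Upn column differs from the UPN shown on the Intune user page is the mismatch case from step 1) above; once the UPNs agree and discovery has run again, the user drops out of this list.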

Try the Intune Web Portal before touching any mobile device

After a few minutes users should be able to enroll in Intune. First test using https://portal.manage.microsoft.com/ . If you can log on and see an “app” section it works – congrats – you can continue testing on a mobile device.

If the user is unable to authenticate or receives an error after logging in, please consult my other post.

Did I help you? Please consider leaving a reply.