ESR settings do not sync with multi-factor authentication enabled


You have enabled Enterprise State Roaming (ESR) in the Azure Active Directory portal and on some Windows 10 clients. Supported settings, such as the desktop background or taskbar position, do not sync between devices for the same user. The following events 1098 and 1097 are logged in the Microsoft-Windows-AAD/Operational event log:

Log Name:      Microsoft-Windows-AAD/Operational
Source:        Microsoft-Windows-AAD
Event ID:      1098
Task Category: AadTokenBrokerPlugin Operation
Level:         Error
Keywords:      Error,Error
Computer:      Win10client.contoso.com
Description:
Error: 0xCAA2000C The request requires user interaction.
Code: interaction_required
Description: AADSTS50076: The user is required to use multi-factor authentication to access this resource. Please retry with a new authorize request for the resource '*'.
Trace ID: <Trace ID GUID>
Correlation ID: <Correlation ID GUID>
Timestamp: 2016-03-09 01:30:38Z
TokenEndpoint:
ID: <Client ID GUID>
Redirect URI: ms-appx-web://Microsoft.AAD.BrokerPlugin/<Client ID GUID>
Resource:*
Correlation ID (request): <Correlation ID GUID>

Log Name:      Microsoft-Windows-AAD/Operational
Source:        Microsoft-Windows-AAD
Event ID:      1097
Task Category: AadTokenBrokerPlugin Operation
Level:         Warning
Keywords:      Operational,Operational
Computer:      Win10client.contoso.com
Description:
Error: 0xCAA90004 Getting token by refresh token failed.
Authority:
ID: <Client ID GUID>
Redirect URI: ms-appx-web://Microsoft.AAD.BrokerPlugin/<Client ID GUID>
Resource:*
Correlation ID (request): <Correlation ID GUID>
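To check a client for exactly this pattern, the following is an added Python example (not part of the article) that parses constructed copies of the two events above and reports a computer only when it shows both the 1098 interaction-required error (0xCAA2000C / AADSTS50076) and the 1097 refresh-token failure (0xCAA90004). The record field names and the sample message text are assumptions.

```python
import re

# Constructed sample records modelled on the two events quoted above.
# A real collector would fill these from the Microsoft-Windows-AAD/Operational log.
SAMPLE_EVENTS = [
    {"id": 1098, "computer": "Win10client.contoso.com",
     "message": "Error: 0xCAA2000C The request requires user interaction.\n"
                "Code: interaction_required\n"
                "Description: AADSTS50076: The user is required to use "
                "multi-factor authentication to access this resource.\nResource:*"},
    {"id": 1097, "computer": "Win10client.contoso.com",
     "message": "Error: 0xCAA90004 Getting token by refresh token failed.\nResource:*"},
    # A different 1098 on another machine: must NOT trigger the ESR/MFA match.
    {"id": 1098, "computer": "other.contoso.com",
     "message": "Error: 0xCAA20003 Unrelated failure.\nCode: invalid_grant\n"
                "Description: AADSTS70008: The refresh token has expired."},
]

HRESULT_RE = re.compile(r"Error:\s*(0x[0-9A-Fa-f]{8})")
CODE_RE = re.compile(r"^Code:\s*(\S+)", re.MULTILINE)
AADSTS_RE = re.compile(r"(AADSTS\d+)")


def parse_event(ev):
    """Extract the HRESULT, OAuth error code and AADSTS code from one event message."""
    msg = ev["message"]
    hr = HRESULT_RE.search(msg)
    code = CODE_RE.search(msg)
    aadsts = AADSTS_RE.search(msg)
    return {
        "id": ev["id"],
        "computer": ev["computer"],
        # Normalise hex digits so comparisons do not depend on logged casing.
        "hresult": ("0x" + hr.group(1)[2:].upper()) if hr else None,
        "code": code.group(1) if code else None,
        "aadsts": aadsts.group(1) if aadsts else None,
    }


def esr_mfa_blocked(events):
    """Return computers that logged BOTH halves of the article's signature."""
    flags_by_computer = {}
    for p in map(parse_event, events):
        flags = flags_by_computer.setdefault(p["computer"], set())
        if p["id"] == 1098 and p["hresult"] == "0xCAA2000C" and p["aadsts"] == "AADSTS50076":
            flags.add("mfa_required")
        if p["id"] == 1097 and p["hresult"] == "0xCAA90004":
            flags.add("refresh_failed")
    return sorted(c for c, f in flags_by_computer.items()
                  if {"mfa_required", "refresh_failed"} <= f)
```

On a real client the records can be gathered with Get-WinEvent against the Microsoft-Windows-AAD/Operational log, filtering on event IDs 1097 and 1098, and then fed to esr_mfa_blocked.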
Multi-factor authentication (MFA) is enabled, but Enterprise State Roaming does not prompt the user for the additional authorization, so its token request is rejected as requiring user interaction.
If your device is configured to require multi-factor authentication on the Azure Active Directory portal, you may fail to sync settings while signing in to a Windows 10 device using a password. This type of multi-factor authentication configuration is intended to protect an Azure administrator account. Admin users may still be able to sync by signing in to their Windows 10 devices with their Microsoft Passport for Work PIN or by completing multi-factor authentication while accessing other Azure services, such as Microsoft Office 365.

Sync can fail if the Azure AD Administrator configures the Active Directory Federation Services multi-factor authentication conditional access policy, and the access token on the device expires. Make sure that you sign in and sign out using the Microsoft Passport for Work PIN or complete multi-factor authentication when accessing other Azure services like Office 365.
More information
Microsoft is investigating how to improve the experience with Enterprise State Roaming and MFA authorization enabled on the device. 

For more information, see Settings and data roaming FAQ.

Article ID: 3193683 - Last review: 10/06/2016 18:57:00 - Revision: 3.0

Windows 10 Version 1511, Windows 10 Version 1607

  • KB3193683