Microsoft Teams Mac Modern Authentication Failed

Posted on by

May 29, 2019 Here are additional new finding with new Teams version 1.2.00.13765 (no longer seeing the Modern authentication failed error) and to summarize my problem. Scenario 1: UserA has a domain joined ComputerA on internal network (his own computer) and he can log on to Teams without any problems even completely close it and relaunching Teams. The Teams desktop client equivalent of rebuilding an Outlook profile and a mailbox’s OST (offline store) is to blow away the Teams cache, which you’ll find at%AppdataRoamingMicrosoftTeams.

-->

Note

Web-based authentication on mobile clients requires version 1.4.1 or later of the Teams JavaScript SDK.

In order for your app to access user information protected by Azure Active Directory, as well as access data from other services like Facebook and Twitter, your app will have to establish a trusted connection with those providers. If your app needs to use Microsoft Graph APIs in the user scope, you'll also need to authenticate the user to retrieve the appropriate authentication tokens.

In Microsoft Teams there are two different authentication flows for your app to take advantage of. You can perform a traditional web-based authentication flow in a content page embedded in a tab, a configuration page, or a task module. If your app contains a conversational bot you can use the OAuthPrompt flow (and optionally the Azure Bot Framework's token service) to authenticate a user as part of a conversation.

Web-based authentication flow

You'll need to use the web-based authentication flow for tabs, and can choose to use it with conversational bots or messaging extensions. You'll use the Microsoft Teams JavaScript client SDK in a web content page to enable authentication, then embed that content page in a tab, a configuration page, or a task module. If you want to use the web-based authentication flow with a conversational bot, you'll need to use a task module with a bot.

Microsoft Teams Tab Authentication

  • Authentication flow in tabs describes how tab authentication works in Teams. This shows a typical web based authentication flow used for tabs.
  • Azure AD authentication in tabs describes how to connect to Azure Active Directory from within a tab in your app in Teams.
  • Silent authentication (Azure AD) describes how to reduce sign-in/consent prompts in your app using Azure Active Directory.
  • Web-based authentication in dotnet/C# or JavaScript/Node.js

The OAuthPrompt flow for conversational bots

The Azure Bot Framework’s OAuthPrompt makes authentication easier for apps using conversational bots. You can take advantage of Azure Bot Framework's token service to assist with token caching as well.

For more information on using the OAuthPrompt see:

  • Bot authentication flow overview describes how authentication works within a bot in your app in Teams. This shows a non-web based authentication flow used for bots on all versions of Teams (web, desktop app, and mobile apps)
  • Bot authentication (v3 SDK) sample in dotnet/C# or JavaScript/Node.js

Configure your identity provider

Regardless of which authentication flow your app is using (you might even be using both), you'll need to configure your identity provider to communicate with your Teams app. The majority of the samples and walkthroughs you'll find here will deal primarily with using Azure Active Directory as your identity provider. The concepts however apply regardless of which identity provider you'll use.

For more information see configuring an identity provider

-->

Microsoft Teams uses modern authentication to keep the sign-in experience simple and secure. To see how users sign in to Teams, read Sign in to Teams.

How modern authentication works

Modern authentication is a process that lets Teams know that users have already entered their credentials (like their work email and password) elsewhere, and they shouldn't be required to enter them again to start the app. The experience will vary depending on a couple factors, like if users are working in Windows or on a Mac. It will also vary depending on whether your organization has enabled single-factor authentication or multi-factor authentication (multi-factor authentication usually involves verifying credentials via a phone, providing a unique code, entering a PIN, or presenting a thumbprint). Here's a rundown of each modern authentication scenario.

Windows users

  • If users have already signed in to other Office apps through their Office 365 Enterprise account, when they start Teams they're taken straight to the app. There's no need for them to enter their credentials.

  • If users are not signed in to their Office 365 Enterprise account anywhere else, when they start Teams, they're asked to provide either single-factor or multi-factor authentication (SFA or MFA), depending on what your organization has decided they'd like the process to entail.

  • If users are signed in to a domain-joined computer, when they start Teams, they might be asked to go through one more authentication step, depending on whether your organization opted to require MFA or if their computer already requires MFA to sign in. If their computer already requires MFA to sign in, when they open up Teams, the app automatically starts.

  • If users are signed in to a domain-joined computer and you don't want their user name pre-populated on the Teams sign-in screen, admins can set the following Windows registry to turn off pre-population of the user name (UPN):

    ComputerHKEY_CURRENT_USERSoftwareMicrosoftOfficeTeams
    SkipUpnPrefill(REG_DWORD)
    0x00000001 (1)

    Note

    Skipping or ignoring user name pre-fill for user names that end in '.local' or '.corp' is on by default, so you don't need to set a registry key to turn these off.

Mac users

When users start Teams, their computer won't be able to pull their credentials from their Office 365 Enterprise account or any of their other Office applications. Instead, they'll see a prompt asking them for SFA or MFA (depending on your organization's settings). Once users enter their credentials, they won't be required to provide them again. From that point on, Teams automatically starts whenever they're working on the same computer.

Microsoft modern authentication ios

Switching accounts after completing modern authentication

If users are working on a domain-joined computer (for example, if their tenant has enabled Kerberos), they cannot switch user accounts once they've completed modern authentication. If users are not working on a domain-joined computer, they can switch accounts.

Signing out of Teams after completing modern authentication

To sign out of Teams, users can click their profile picture at the top of the app, and then select Sign out. They can also right-click the app icon in their taskbar, and then select Log out. Once they've sign out of Teams, they need to enter their credentials again to launch the app.

URLs and IP address ranges

Teams requires connectivity to the Internet. To understand endpoints that should be reachable for customers using Teams in Office 365 plans, Government and other clouds, read Office 365 URLs and IP address ranges.

Important

Teams presently requires access (TCP port 443) to the Google ssl.gstatic.com service (https://ssl.gstatic.com) for all users; this is true even if you're not using Gstatic. Teams will remove this requirement soon (early 2020), and we'll update this article accordingly at that time. Microsoft office 2011 for mac key code 7.

Troubleshooting modern authentication

Microsoft teams mac modern authentication failed to server

Microsoft Teams Room Modern Authentication

Modern authentication is available for every organization that uses Teams, so if users are not able to complete the process, there might be something wrong with your domain or your organization's Office 365 Enterprise account.

Microsoft Teams Mac Modern Authentication Failed Windows 7

For more information, see Why am I having trouble signing in to Microsoft Teams?