Symptoms
Upon enrolling a Windows device for the Windows Desktop Login, the enrollment fails with the error “Unable to enroll with Azure AD.”
Beyond Identity log message:
[2023-05-10 23:01:39.296Z] DL Enrollment: Unable to write key to Azure AD Error:RC_AzureAdGraphPatchRequestResponseFailure ::BIAzureLibrary::AzureAD::ERROR: Failed to get Azure AD Graph PATCH HTTP Response : The remote server returned an error: (403) Forbidden.
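For anyone triaging a batch of enrollment logs, the message above has a stable shape: a UTC timestamp, the DL Enrollment prefix, an Error:RC_... code, and the HTTP status returned by the Graph PATCH. The following script is an added example (not Beyond Identity code) that parses that format and flags only entries matching this article's signature, a PATCH failure with a 403; the second and third sample lines are constructed here to show a successful write and a different HTTP status, and are not real Beyond Identity output.

```python
import re
from datetime import datetime, timezone

# Constructed sample log. The first line is the message quoted in this article;
# the other two are made up here to exercise the non-matching paths.
SAMPLE_LOG = """\
[2023-05-10 23:01:39.296Z] DL Enrollment: Unable to write key to Azure AD Error:RC_AzureAdGraphPatchRequestResponseFailure ::BIAzureLibrary::AzureAD::ERROR: Failed to get Azure AD Graph PATCH HTTP Response : The remote server returned an error: (403) Forbidden.
[2023-05-10 23:02:11.004Z] DL Enrollment: Key written to Azure AD successfully.
[2023-05-10 23:05:47.512Z] DL Enrollment: Unable to write key to Azure AD Error:RC_AzureAdGraphPatchRequestResponseFailure ::BIAzureLibrary::AzureAD::ERROR: Failed to get Azure AD Graph PATCH HTTP Response : The remote server returned an error: (401) Unauthorized.
"""

# Leading "[YYYY-MM-DD HH:MM:SS.mmmZ] " timestamp followed by the message body.
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})Z\] (?P<msg>.*)$"
)
# The Beyond Identity result code token, e.g. Error:RC_AzureAdGraphPatchRequestResponseFailure
ERROR_RE = re.compile(r"Error:(?P<code>RC_[A-Za-z0-9_]+)")
# The HTTP status embedded in the Graph response text, e.g. "(403) Forbidden"
HTTP_RE = re.compile(r"returned an error: \((?P<status>\d{3})\)")

# The signature this article describes: Graph PATCH failure with HTTP 403.
KNOWN_ISSUE_CODE = "RC_AzureAdGraphPatchRequestResponseFailure"
KNOWN_ISSUE_STATUS = 403


def parse_line(line):
    """Parse one log line into a dict, or return None if it is not in the expected format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f").replace(
        tzinfo=timezone.utc
    )
    msg = m.group("msg")
    err = ERROR_RE.search(msg)
    http = HTTP_RE.search(msg)
    return {
        "timestamp": ts,
        "message": msg,
        "error_code": err.group("code") if err else None,
        "http_status": int(http.group("status")) if http else None,
    }


def is_graph_patch_403(entry):
    """True only for the PATCH-failure-with-403 signature from this article.

    A 401 or other status with the same result code is a different problem
    (for example a token issue) and is deliberately not matched.
    """
    return (
        entry is not None
        and entry["error_code"] == KNOWN_ISSUE_CODE
        and entry["http_status"] == KNOWN_ISSUE_STATUS
    )


def find_matches(log_text):
    """Return every parsed entry in log_text that matches the known-issue signature."""
    return [e for e in map(parse_line, log_text.splitlines()) if is_graph_patch_403(e)]


if __name__ == "__main__":
    for e in find_matches(SAMPLE_LOG):
        print(e["timestamp"].isoformat(), e["error_code"], e["http_status"])
```

Pointing find_matches at a real exported log tells you quickly whether a failed enrollment is this Microsoft-side issue or something else with the same result code, which decides whether the Appendix C workaround below is the right next step.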
Affected Platforms
Beyond Identity Windows Desktop Login Platform Authenticator running on Windows 10 and 11.
Root Cause
Beyond Identity uses the Microsoft Azure Graph API to write the Windows login key into Microsoft Azure AD at enrollment time. The key is written by updating user attributes with a Graph API PATCH operation.
Microsoft rolled out some updates on Monday, May 8th, 2023 that led to some Microsoft Azure tenants being unable to perform the update API call.
Microsoft is aware of this issue and is currently working to identify the root cause. The problem is documented as an incident ticket on the Microsoft Azure Support side with Tracking ID #2305090010002115.
Impact
Beyond Identity authentication and Beyond Identity as MFA to SSO services like Okta, Ping, Microsoft, etc., are not impacted.
Only Beyond Identity Windows Desktop Login Enrollment is impacted.
Who is not impacted?
- Customers not using Beyond Identity Windows Desktop Login are not impacted.
- Customers using Beyond Identity authentication to their SSO are not impacted.
- Customers using Beyond Identity authentication to their SSO as MFA are not impacted.
- Existing users who are already onboarded and enrolled with Beyond Identity Windows Desktop login are not impacted.
Who is impacted?
- New users enrolling with the Beyond Identity Windows Desktop Login solution might be impacted by this issue.
NOTE: Microsoft has confirmed that this issue might not be widespread and might not impact your Microsoft Azure tenant. Also, note that the behavior may vary if you have multiple Microsoft Azure tenants.
Next Steps
The Beyond Identity engineering team is evaluating short-term and long-term solutions for the Windows Desktop Login enrollment issue.
Short Term
Currently, we have a solution for the Hybrid Joined devices.
Steps
Update the Beyond Identity Windows Desktop Login application to version 2.79.1 (or later) and follow Appendix C of the WDL Azure hybrid configuration guide:
https://support.beyondidentity.com/hc/en-us/articles/13440340487063 (Appendix C: Azure AD Connect Configuration is towards the end of the article.)
Please work with your Beyond Identity Deployment Engineering team to implement the short-term fix to work around the problem.
We are evaluating other options for Azure AD (only) Joined devices and will update the KB article accordingly with more details.
Long Term
The Beyond Identity engineering team is working with Microsoft to remove the dependency on the Microsoft Azure Graph API calls that are causing the Beyond Identity Windows Desktop Login enrollment issue.