Symptoms

Upon enrolling a Windows device for the Windows Desktop Login, the enrollment fails with the error “Unable to enroll with Azure AD.”

Beyond Identity log message:

[2023-05-10 23:01:39.296Z] DL Enrollment: Unable to write key to Azure AD Error:RC_AzureAdGraphPatchRequestResponseFailure ::BIAzureLibrary::AzureAD::ERROR: Failed to get Azure AD Graph PATCH HTTP Response : The remote server returned an error: (403) Forbidden.

Affected Platforms

Beyond Identity Windows Desktop Login Platform Authenticator running on Windows 10 and 11.

Root Cause

Beyond Identity uses Microsoft Azure Graph API to write the Windows login key into Microsoft Azure AD at the time of enrollment. Beyond Identity uses Microsoft Azure Graph API call to update user attributes using a PATCH operation.

Microsoft rolled out some updates on Monday, May 8th, 2023 that led to some Microsoft Azure tenants being unable to perform the update API call.

Impact

Beyond Identity authentication and Beyond Identity as MFA to SSO services like Okta, Ping, Microsoft, etc., are not impacted.

Only Beyond Identity Windows Desktop Login Enrollment is impacted.

Who is not impacted?

• Customers not using Beyond Identity Windows Desktop Login are not impacted.
• Customers using Beyond Identity authentication to their SSO are not impacted.
• Customers using Beyond Identity authentication to their SSO as MFA are not impacted.
• Existing users who are already onboarded and enrolled with Beyond Identity Windows Desktop login are not impacted.

Who is impacted?

• New users enrolling with the Beyond Identity Windows Desktop Login solution might be impacted by this issue.

Solution

New and existing customers using the Windows Desktop Login Solution must upgrade to the Windows Desktop client to 2.80.x or later, and the Domain Connector must be upgraded to 2.80.x or a later version.