Probable Issue with Microsoft AAD Broker Plugin

  • Question

  • Good morning,

    Whenever I or a few other users come into work and dock our machines (in this case Surface Pro 4s), every time our machine wakes up and Outlook is open, we get a blank MFA box that fails to load. I believe this is the Microsoft AAD Broker plugin failing. The issue with this blank MFA window is that you cannot use Outlook, nor close it or do anything. You have to kill the task via Task Manager. This isn't that big of an issue for me personally, but for my confused/angry users, they want a fix. One of my users had an issue where he couldn't even use his Outlook at all (or Publisher...which we just opened as a test); every time we killed Outlook and reopened it, the blank MFA window would just pop back up.

    Now, I'm not sure if this is causing the issue or not, but we didn't have problems until we enabled the "Site to Zone Assignment List" GPO. I think there is some bug going on with the combination of this GPO, the broker plugin, whitelisted IP addresses, and the machine leaving the domain during sleep mode (wireless stays on and changes IP, maybe that triggers the bug?).

    This issue (a more serious issue actually) dates back to June for me, I have dozens and dozens of screenshots and it's NOT just with Outlook, though Outlook sticks out since I usually only have that opened up.

    I have a ticket already with Microsoft, but I haven't heard from them for a few weeks and I'm not too happy with their support anyway.


    Interesting, in the pic you can also see an issue I'm having with Skype for Business right now, it won't sign in after the machine wakes from sleep. (I know this screenshot is old, I have much newer ones, but it's the same issue.)

    • Edited by Kyle7474 Thursday, September 21, 2017 1:32 PM Addon
    Thursday, September 21, 2017 1:27 PM

All replies

  • Hi Kyle,

    Are there any event logs about it? Also check the Microsoft-Windows-AAD/Operational event log and collect the Error logs for more information.

    In your scenario, Multi-factor authentication (MFA) is enabled but the authentication prompt appears as a blank window. Please access Outlook Web App in a browser, try to open this mailbox, and confirm whether there are any other steps for authentication.

    Also try to create a new account to log on to this Windows machine. Check if the issue persists in the new Windows account.

    Additionally, I notice that you have opened a ticket with Microsoft in another channel. Would you mind sending the Case ID to us via GBSD TN Office Information Collection ibsofc@microsoft.com? Please include the thread URL in the email message for easy follow-up. We will help you to strike the case and hope they can give more updates to you in their channel.

    Best Regards,
    Winnie Liang


    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, September 22, 2017 10:18 AM
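One way to do the collection Winnie asks for, as an added example that is not part of the original thread: the script below reads Error-level events from the Microsoft-Windows-AAD/Operational log named above, pulls the hex error code, OAuth error, AADSTS codes and correlation ID out of each message, and groups them so you can see whether you are looking at one failure signature or several. The regexes are an assumption about the message layout (they follow the shape of the broker errors quoted later in this thread); the CSV path and the 24-hour window are my choices.

```powershell
# Added example (not from the thread): summarise AAD broker errors from the
# Microsoft-Windows-AAD/Operational log so the failing request type, AADSTS
# codes and correlation IDs can be handed to a support engineer.
# The regexes assume the message format quoted in this thread.
param(
    [int]$Hours = 24,
    [string]$LogName = 'Microsoft-Windows-AAD/Operational'
)

$since = (Get-Date).AddHours(-$Hours)

# Level 2 = Error. Get-WinEvent throws when nothing matches, so guard it.
try {
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = $LogName
        Level     = 2
        StartTime = $since
    } -ErrorAction Stop
} catch {
    Write-Warning "No error events in $LogName since $since ($_)"
    return
}

$rows = foreach ($e in $events) {
    $msg = $e.Message
    # Hex error code at the start of the message, e.g. 0xCAA90056
    $code   = if ($msg -match 'Error:\s*(0x[0-9A-Fa-f]+)') { $Matches[1] } else { $null }
    # Every AADSTS code in the description, de-duplicated and joined for grouping
    $aadsts = ([regex]::Matches($msg, 'AADSTS\d+') |
                ForEach-Object { $_.Value } |
                Select-Object -Unique) -join ','
    $oauth  = if ($msg -match 'OAuth response error:\s*(\S+)') { $Matches[1] } else { $null }
    $corr   = if ($msg -match 'Correlation ID:\s*([0-9a-fA-F-]{36})') { $Matches[1] } else { $null }

    [pscustomobject]@{
        Time          = $e.TimeCreated
        EventId       = $e.Id
        ErrorCode     = $code
        OAuthError    = $oauth
        AADSTS        = $aadsts
        CorrelationId = $corr
    }
}

# Counts per error signature: one dominant signature (e.g. PRT renewal
# failing with invalid_grant) points at a single root cause.
$rows | Group-Object ErrorCode, OAuthError, AADSTS |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Correlation IDs are what the case engineer needs to match the failures on
# the service side; export them with timestamps.
$rows | Where-Object CorrelationId |
    Select-Object Time, EventId, ErrorCode, OAuthError, CorrelationId |
    Export-Csv -Path (Join-Path $env:TEMP 'aad-broker-errors.csv') -NoTypeInformation
```

Run it in an elevated PowerShell on an affected machine shortly after a wake-from-sleep reproduces the blank prompt; narrowing `-Hours` to the reproduction window keeps the grouping readable, and the timestamps in the CSV can be lined up against the dock/wake time to confirm the correlation the original poster suspects.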
  • OMG! You're awesome, there are TONS of errors in Windows -> AAD -> Operational.

    Error: 0xCAA90056 Renew token by the primary refresh token failed.
    Logged at refreshtokenrequest.cpp, line: 100, method: RefreshTokenRequest::AcquireToken.

    Request: authority: https://login.microsoftonline.com/common, client: none, redirect URI: ms-appx-web://Microsoft.AAD.BrokerPlugin/S-1-15-2-4080526894-3737875801-2191701479-3029442028-1595523745-40875543-2485833908, resource: , correlation ID (request): 2f3f3b1b-112b-4f0e-8c97-ef4fc0ce5048

    OAuth response error: invalid_grant
    Error description: AADSTS70002: Error validating credentials. AADSTS50126: Invalid username or password
    Trace ID: cae0ae9c-e692-44b7-94fa-636a28832f00
    Correlation ID: 55792883-eb31-4db4-aaae-a3c147b20dc3
    Timestamp: 2017-09-27 15:19:24Z
    CorrelationID: 55792883-eb31-4db4-aaae-a3c147b20dc3

    And many, MANY more.

    Wednesday, September 27, 2017 3:46 PM
  • Hi Kyle,

    We have helped to strike the engineer for your opened case. Based on your error, the issue seems to be related to the AAD token in Windows instead of the Outlook application itself.

    Please provide the errors to your case engineer for deeper analysis. Additionally, I suggest you also open a case in the AAD forum to confirm whether they have any insights on it. Collect more suggestions in the AAD forum to better resolve the issue:
    https://social.msdn.microsoft.com/Forums/vstudio/en-US/home?forum=WindowsAzureAD

    Best Regards,
    Winnie Liang


    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, September 29, 2017 10:41 AM
  • Did you ever find out the issue? We are seeing the same errors after updating Office. Every time a user opens Skype they get essentially an MFA prompt, which they never have before. The MFA prompt just throws a generic error. After a ton of digging we found the same error, and even through network monitor logging we can see the aad.broker plugin process spins up and is 100% where the prompt is coming from.

    William Lee

    Thursday, May 16, 2019 8:17 PM
  • We have ADFS 2016

    We have an application group that we created per the MS documentation.

    We updated Office to the latest version

    In the Microsoft Office Application Group we had to add the following Redirect URI in the Application -> native application -> microsoft office -> Redirect URI:

    ms-appx-web://Microsoft.AAD.BrokerPlugin/d3590ed6-52b3-4102-aeff-aad2292ab01c (this was the fix: add this and bounce the service)

    along with the existing:

    msauth://com.microsoft.office.lync15/fcg80qvoM1YMKJZibjBwQcDfOno%3D

    urn:ietf:wg:oauth:2.0:oob


    William Lee

    • Proposed as answer by William Lee Friday, May 17, 2019 8:21 PM
    Friday, May 17, 2019 8:20 PM
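The redirect URI change William Lee describes, scripted as an added example (not William's own procedure or Microsoft's documentation): it reads the native client application in the AD FS application group, adds the Microsoft.AAD.BrokerPlugin URI from his post only if it is not already there, keeps every existing URI, verifies the write before restarting the service, and exits early if nothing needs changing. The cmdlets are the AD FS 2016 `Get-AdfsNativeClientApplication` and `Set-AdfsNativeClientApplication`; the application name in the parameter default is an assumption and must be replaced with the name used in your own application group.

```powershell
# Added example, not from the thread: ensure an AD FS native client has the
# Microsoft.AAD.BrokerPlugin redirect URI without dropping existing URIs.
# Assumptions: AD FS 2016 cmdlets; $ClientName matches your application group.
param(
    [string]$ClientName = 'Microsoft Office - Native application',   # assumption
    [string]$BrokerUri  = 'ms-appx-web://Microsoft.AAD.BrokerPlugin/d3590ed6-52b3-4102-aeff-aad2292ab01c'
)

Import-Module ADFS -ErrorAction Stop

$app = Get-AdfsNativeClientApplication -Name $ClientName -ErrorAction Stop
if (-not $app) { throw "Native client application '$ClientName' not found" }

Write-Host "Current redirect URIs for '$($app.Name)' (identifier $($app.Identifier)):"
$app.RedirectUri | ForEach-Object { Write-Host "  $_" }

if ($app.RedirectUri -contains $BrokerUri) {
    Write-Host "Broker redirect URI already present; nothing to do."
    return
}

# -RedirectUri replaces the whole list, so always pass existing + new.
# Passing only the broker URI would silently remove the msauth:// and
# urn:ietf:wg:oauth:2.0:oob entries the thread says must stay.
$newUris = @($app.RedirectUri) + $BrokerUri
Set-AdfsNativeClientApplication -TargetIdentifier $app.Identifier -RedirectUri $newUris

# Re-read and verify before touching the service, so a restart is never done
# on a configuration that did not actually change.
$check = Get-AdfsNativeClientApplication -Identifier $app.Identifier
if ($check.RedirectUri -notcontains $BrokerUri) {
    throw "Redirect URI was not persisted; check the AD FS Admin event log"
}
Write-Host "Added $BrokerUri"

# The fix in the thread also bounces the service. Do this in a maintenance
# window; secondary farm members pick the change up from the primary.
Restart-Service adfssrv
```

Keeping the existing URIs is the important part: a redirect URI list is an allow-list of where AD FS will send tokens, so it should contain exactly the entries the clients need and nothing else, which is also why the script prints the current list before changing it.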