If you are using Microsoft 365 with JumpCloud SSO in your environment and your end users are frequently being prompted to log into local Microsoft apps or services, this is likely due to a known issue from Microsoft. This can be corrected by setting a date/timestamp for those users in Entra ID either individually or by looping over a CSV. The general command set is below and should be reviewed and tested on a user to validate that it resolves the issue. You can find an example of using PowerShell to loop through your users via the example below, but this should be tested on a small group of users first in case PS module syntax has changed, etc.
Prerequisites
- A Microsoft 365 instance and the Microsoft 365 SSO Integration configured in JumpCloud.
- The .NET Framework 4.5 or above installed.
Refreshing the STS Token
- On a Microsoft Windows X86-based computer, run PowerShell as an administrator.
- Install the Microsoft.Graph Module for Windows PowerShell, if it is not already installed:
- Run Install-Module PowershellGet
- Answer Y to install the NuGet Provider
- Answer A to Answer Yes to All to install from PSGallery
- Run Install-Module Microsoft.Graph
- Modify the PowerShell execution policy:
- Set the Execution Policy to Remote Signed by running Set-ExecutionPolicy RemoteSigned
- Answer A to confirm the change to the Execution Policy.
- Enter your M365 Global Administrator credentials.
- Get your M365 Tenant ID
- Run the following commands:
Connect-MgGraph -TenantId "" -Scopes
"User.ReadWrite.All”,"Directory.Read.All"
Get-MgUser -UserId <[email protected]> -Property
UserPrincipalName, SignInSessionsValidFromDateTime,
LastPasswordChangeDateTime| select-object UserPrincipalName, SignInSessionsValidFromDateTime, LastPasswordChangeDateTime | fl
If the SignInSessionsValidFromDateTime value is blank, run the following command:
Revoke-MgUserSignInSession -UserId [email protected]
Verify the SignInSessionsValidFromDateTime has the current date and time:
Get-MgUserGet-Msoluser -UserIdPrincipalName
[email protected] -Property UserPrincipalName, SignInSessionsValidFromDateTime, LastPasswordChangeDateTime|
select-object UserPrincipalName, SignInSessionsValidFromDateTime, LastPasswordChangeDateTime | fl
Time values are in UTC.
Testing the STS Token Modification
- Run the following commands:
Get-MgUser -all -Property UserPrincipalName, AssignedLicenses, SignInSessionsValidFromDateTime| where-object
{$_.SignInSessionsValidFromDateTime -eq $Null} | select UserPrincipalName,AssignedLicenses,SignInSessionsValidFromDateTime |
Export-Csv -Path "C:\PowerShellScripts\Office365\userswithoutSIS.csv"
-notypeinformation
$NoSISUsers = Import-Csv -Path "C:\PowerShellScripts\Office365\userswithoutSIS.csv"
$NoSISUsers | ForEach-Object{Revoke-MgUserSignInSession -UserId $_."userprincipalname"}