If you are using Microsoft 365 with SSO in your environment and your end users are frequently being prompted to log into local Microsoft apps or services, this is likely due to a known issue from Microsoft. It can be corrected by setting a date/timestamp (StsRefreshTokensValidFrom) for those users in Entra ID, either individually or by looping over a CSV. The general command set is below and should be reviewed and tested on a single user to validate that it resolves the issue. An example of using PowerShell to loop through your users follows, but test it on a small group of users first in case the PowerShell module syntax has changed.
Prerequisites
- A Microsoft 365 SSO instance and the Microsoft Integration configured in JumpCloud.
- The .NET Framework 4.5 or above installed.
Refreshing the STS Token
- Connect to your Microsoft Azure Active Directory Module for Windows via PowerShell.
- Run the following commands:
$UserCredential = Get-Credential
Connect-MsolService -Credential $UserCredential
# Replace user@example.com with the UPN of the affected user; review the current values first.
Get-MsolUser -UserPrincipalName user@example.com | Select-Object Name,StsRefreshTokensValidFrom,LastPasswordChangeTimestamp | Format-List
$RefreshTokensValidFrom = Get-Date
Set-MsolUser -UserPrincipalName user@example.com -StsRefreshTokensValidFrom $RefreshTokensValidFrom
Time values are in UTC.
Testing the STS Token Modification
- Run the following commands:
# Export every user whose STS refresh-token timestamp has never been set.
Get-MsolUser -All | Where-Object { $null -eq $_.StsRefreshTokensValidFrom } | Select-Object UserPrincipalName,IsLicensed,StsRefreshTokensValidFrom | Export-Csv "C:\PowerShellScripts\Office365\userswithoutSTS.csv" -NoTypeInformation
$RefreshTokensValidFrom = Get-Date
$NoSTSUsers = Import-Csv "C:\PowerShellScripts\Office365\userswithoutSTS.csv"
# Stamp each exported user with the same timestamp.
$NoSTSUsers | ForEach-Object { Set-MsolUser -UserPrincipalName $_.UserPrincipalName -StsRefreshTokensValidFrom $RefreshTokensValidFrom }
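The following script is an added example, not part of the original article or of JumpCloud's own tooling. It combines the single-user and CSV procedures above into one pass that works on a small pilot group first, as the article recommends, supports a dry run, and reads each user's StsRefreshTokensValidFrom back after setting it so the change is verified rather than assumed. It assumes the MSOnline module is installed and that Connect-MsolService has already been run; the CSV path, pilot size, and the -DryRun switch are this example's own choices.

```powershell
# Added example: pilot the STS refresh-token timestamp change on a few users,
# verify it, and report per-user results. Assumes Connect-MsolService has run.
param(
    [string]$CsvPath  = "C:\PowerShellScripts\Office365\userswithoutSTS.csv",  # same path as the article
    [int]$PilotSize   = 5,        # how many users to change in the first pass
    [switch]$DryRun               # report what would change without calling Set-MsolUser
)

# Export users whose timestamp was never set (same filter as the article).
Get-MsolUser -All |
    Where-Object { $null -eq $_.StsRefreshTokensValidFrom } |
    Select-Object UserPrincipalName, IsLicensed, StsRefreshTokensValidFrom |
    Export-Csv -Path $CsvPath -NoTypeInformation

$users = @(Import-Csv -Path $CsvPath)
if ($users.Count -eq 0) {
    Write-Host "No users without an STS refresh-token timestamp were found."
    return
}

# Work on a small pilot group first; rerun with a larger -PilotSize once verified.
$pilot     = $users | Select-Object -First $PilotSize
$validFrom = Get-Date                       # the service stores this value as UTC
$validFromUtc = $validFrom.ToUniversalTime()

$results = foreach ($u in $pilot) {
    $upn = $u.UserPrincipalName
    if ($DryRun) {
        [pscustomobject]@{ UserPrincipalName = $upn; Action = 'would set'; Status = 'dry run'; ValidFrom = $null }
        continue
    }
    try {
        Set-MsolUser -UserPrincipalName $upn -StsRefreshTokensValidFrom $validFrom -ErrorAction Stop

        # Read the value back; allow a minute of skew between client and service clocks.
        $after = (Get-MsolUser -UserPrincipalName $upn -ErrorAction Stop).StsRefreshTokensValidFrom
        $ok = ($null -ne $after) -and ([datetime]$after -ge $validFromUtc.AddMinutes(-1))
        [pscustomobject]@{
            UserPrincipalName = $upn
            Action            = 'set'
            Status            = if ($ok) { 'verified' } else { 'mismatch' }
            ValidFrom         = $after
        }
    }
    catch {
        [pscustomobject]@{ UserPrincipalName = $upn; Action = 'set'; Status = "error: $($_.Exception.Message)"; ValidFrom = $null }
    }
}

# Keep a record of what was changed alongside the input CSV.
$results | Export-Csv -Path ($CsvPath -replace '\.csv$', '-results.csv') -NoTypeInformation
$results | Format-Table -AutoSize
```

Run it once with -DryRun to confirm the exported user list looks right, then without the switch for the pilot group. Because the new timestamp invalidates refresh tokens issued before it, the pilot users will be asked to sign in once; confirm the repeated prompts stop for them before rerunning with a -PilotSize large enough to cover the whole CSV.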