Applies ToOffice Products Cloud Services (Web roles/Worker roles) Azure Active Directory Microsoft Intune Azure Backup Identity Management

INTRODUCTION

This article discusses how to troubleshoot single sign-on setup issues in a Microsoft cloud service such as Office 365, Microsoft Intune, or Microsoft Azure. Detailed implementation guidance for single sign-on (SSO) is available in the Azure Active Directory (Azure AD) Help documentation. If you encounter a problem when you set up SSO by using that guidance, you can refer to this article. It provides a roadmap to help troubleshoot common problems with each setup step.

PROCEDURE

How to troubleshoot SSO setup

Step 1: Prepare Active Directory

Setup guidance

Go to the following Microsoft website:

Prepare for single sign-on

Validation for step 1

Use the Evaluating directory synchronization setup diagnostics wizard to scan Active Directory for issues that might cause directory synchronization issues.

Troubleshoot issues with validation for step 1

  1. Note Incorrect preparation of Active Directory or failure to resolve issues that the tool identifies can result in directory synchronization problems. Follow the troubleshooting guidance that is offered by the Evaluating directory synchronization setup diagnostics wizard to correct the problems, and make sure that the diagnostics wizard runs without any errors. This prevents the following problems from occurring later in the implementation:

    • 2392130 Troubleshoot user name issues that occur for federated users when they sign in to Office 365, Azure, or Intune

    • 2001616 A user's Office 365 email address unexpectedly contains an underscore character after directory synchronization

    • 2643629 One or more objects don't sync when using the Azure Active Directory Sync tool

  2. Rerun the diagnostics wizard to check whether the issue is resolved.

Step 2: Active Directory Federation Services (AD FS) architecture

Setup guidance Go to the following Microsoft websites: Note Microsoft Support will not help customers with the execution of the setup guidance in these links.

Step 3: Azure Active Directory Module for Windows PowerShell for SSO

Setup guidance

Go to the following Microsoft website:

Install Windows PowerShell for single sign-on with AD FS

Validation for step 3

To validate the Azure Active Directory Module for Windows PowerShell for SSO, follow these steps:

  1. Run the Azure Active Directory Module for Windows PowerShell as an admin.

  2. Type the following commands, and make sure that you press Enter after you type each command:

    1. $cred=Get-Credential Note When you're prompted, type your cloud service admin credentials.

    2. Connect-MsolService -Credential $cred 

      Note This command connects you to Azure AD. You must create a context that connects you to Azure AD before you run any of the additional cmdlets that are installed by the Azure Active Directory Module for Windows PowerShell.

    3. Set-MsolAdfscontext -Computer < AD FS 2.0 primary server > 

      Notes

      • If you installed the Azure Active Directory Module for Windows PowerShell on the primary Active Directory Federation Services (AD FS) server, you don't have to run this cmdlet.

      • In this command, the placeholder <AD FS 2.0 primary server> represents the internal fully qualified domain name (FQDN) of the primary AD FS server. This command creates a context that connects you to AD FS.

    4. Get-MSOLFederationProperty -DomainName < federated domain name > 

      Note In this command, the placeholder <federated domain name> represents the domain name that was federated in the setup steps.

  3. Compare the first half (Source: AD FS Server) and last half (Source: Microsoft Office 365) of the output of the Get-MSOLFederationProperty command that you ran in step 2D. All entries except for Source and FederationServiceDisplayName should match. If they don't match, use the "Resolution" section of the following Microsoft Knowledge Base article to update the relying party trust data:2647020 "Sorry, but we're having trouble signing you in" and "80041317" or "80043431" error when a federated user tries to sign in to Office 365, Azure, or Intune

Troubleshoot issues with validation for step 3 To troubleshoot, follow these steps:

  1. Troubleshoot common validation problems by using the following Microsoft Knowledge Base articles, as appropriate for your situation:

    • 2461873 You can't open the Azure Active Directory Module for Windows PowerShell

    • 2494043You can't connect by using the Azure Active Directory Module for Windows PowerShell

    • 2587730 "The connection to <ServerName> Active Directory Federation Services 2.0 server failed" error when you use the Set-MsolADFSContext cmdlet

    • 2279117 An administrator cannot add a domain to an Office 365 account

    • Error when you run the New-MsolFederatedDomain cmdlet for the second time because domain verification fails. For more information about this scenario, see the following Knowledge Base article:

      2515404 Troubleshoot domain verification issues in Office 365

    • 2618887 "Federation service identifier specified in the AD FS 2.0 server is already in use." error when you try to set up another federated domain in Office 365, Azure, or Intune

    • Time issues cause issues with the New-MSOLFederatedDomain cmdlet or the Convert-MSOLDomainToFederated cmdlet.

  2. Rerun the validation steps to check whether the issue is resolved.

Step 4: Implement Active Directory synchronization

Setup guidance

Go to the following Microsoft websites:

Validation for step 4

To validate, follow these steps:

  1. Run the Azure Active Directory Module for Windows PowerShell as an admin.

  2. Type the following commands. Make sure that you press Enter after you type each command.

    1. $cred=Get-Credential Note When you're prompted, type your cloud service admin credentials.

    2. Connect-MsolService -Credential $cred Note This command connects you to Azure AD. You must create a context that connects you to Azure AD before you run any of the additional cmdlets that are installed by the Azure Active Directory Module for Windows PowerShell.

    3. Get-MSOLCompanyInformation

  3. Check the LastDirSyncTime value from the output of the previous commands, and make sure that it shows a synchronization after the Azure Active Directory Sync Tool was installed. Note The date and time stamp for this value is displayed in Coordinated Universal Time (Greenwich Mean Time).

  4. If LastDirSyncTime isn't updated, monitor the Application log of the server on which the Azure Active Directory Sync Tool is installed for the following event:

    • Source: Directory Synchronization

    • Event ID: 4

    • Level: Information

    This event indicates that directory synchronization finished on the server. When this happens, rerun these steps to make sure that the LastDirSyncTime value was updated appropriately.

Troubleshoot problems with validation for step 4 Troubleshoot common validation problems by using the following Microsoft Knowledge Base articles, as appropriate for your situation:

  • 2508225 "LogonUser() Failed with error code: 1789" after you enter enterprise administrator credentials in the Azure Active Directory Sync tool Configuration Wizard

  • 2502710 "An unknown error occurred with the Microsoft Online Services Sign-in Assistant" error when you run the Azure Active Directory Sync Tool Configuration Wizard

  • 2419250 "The computer must be joined to a domain" error when you try to install the Azure Active Directory Sync Tool

  • 2643629 One or more objects don't sync when using the Azure Active Directory Sync tool

  • 2641663 How to use SMTP matching to match on-premises user accounts to Office 365 user accounts for Directory Synchronization

  • 2492140 You can't assign a federated domain to a user in the Office 365 portal

Step 5: Office 365 client preparedness

Setup guidance
  1. Check client prerequisites for Office 365. For more information about the system requirements for Office 365, go to Office 365 system requirements.

  2. Run Office 365 Desktop Setup on all client computers that use rich client applications. Rich client applications include Microsoft Outlook, Microsoft Lync 2010, Microsoft Office Professional Plus 2010, Azure Active Directory Module for Windows PowerShell. Office desktop applications, and Microsoft SharePoint integration applications.

  3. If a seamless, no-prompt experience is expected for domain-joined and domain-connected client computers, add the AD FS Federation Service URL to the local intranet zone in Windows Internet Explorer. For example, do the following:

    1. In Internet Explorer, on the Tools menu, click Internet Options.

    2. Click the Security tab, click Local intranet, click Sites, and then click Advanced.

    3. Type https://sts.contoso.com in the Add this website to the zone box, and then click Add. Note "sts.contoso.com" represents the FQDN of the AD FS Federation Service.

    For more information about this configuration, see the following Microsoft Knowledge Base article:

    2535227 A federated user is prompted unexpectedly to enter their work or school account credentials

  4. If domain-joined and domain-connected client computers access Internet resources by using a proxy server that resolves Internet addresses by using public DNS queries (and not internal, split-brain DNS), add the AD FS Federation Service URL to the list for which Internet Explorer will bypass proxy filtering. The following is an example of how to add the URL to the Internet Explorer exceptions list:

    1. In Internet Explorer, on the Tools menu, click Internet Options.

    2. On the Connections tab, click LAN settings, and then click Advanced.

    3. In the Exceptions box, enter the value by using the fully qualified DNS name of the AD FS service endpoint name. For example, enter sts.contoso.com.

Validation for step 5 To validate, follow these steps:

  1. Make sure that Microsoft Online Services Sign-in Assistant service is installed and running. To do this, follow these steps:

    1. Click Start, click Run, type Services.msc, and then click OK.

    2. Locate the Microsoft Online Services Sign-in Assistant entry, and then make sure that the service is running.

    3. If the service isn't running, right-click the entry, and then select Start.

  2. Go to the AD FS MEX website to make sure that the endpoint is part of the Internet Explorer intranet security zone. To do this, follow these steps:

    1. Start Internet Explorer, and then go to the AD FS service endpoint website. The following is an example of a service endpoint website:

      https://sts.contoso.com/federationmetadata/2007-06/federationmetadata.xml

    2. Check the status bar at the bottom of the window to make sure that the security zone that's indicated for this URL is Local intranet.

Step 6: Final validation

On a configured client computer, test the expected SSO authentication experience. To do this, authenticate by using a federated user account. You may want to test authentication of a federated user in the following scenarios:

  • In the on-premises network and authenticated to the on-premises Active Directory

  • From an Internet-neutral IP location and not authenticated to the on-premises Active Directory

To validate, follow these steps:

  1. Test web authentication. To do this, use one of the following methods:

    • Sign in to the cloud service portal as a federated user by using local Active Directory credentials.

    • Sign in to Outlook Web App as a federated user (by using local Active Directory credentials) who has an Exchange Online mailbox. For example, sign in to Outlook Web App at the following URL:

      https://outlook.com/owa/contoso.comNote In this URL, "contoso.com" represents the federated domain name.

    • Sign in to Microsoft SharePoint Online as a federated user (by using local Active Directory credentials) who has access to the Team Site collection. For example, sign in to SharePoint Online at the following URL:

      http://contoso.sharepoint.comNote In this URL, "contoso" represents your organization's name.

  2. Test rich client or active requestor authentication. To do this, follow these steps:

    1. Configure a Skype for Business Online (formerly Lync Online) client profile for a federated user account, and then sign in to the account by using local Active Directory credentials.

    2. Sign in to Azure Active Directory Module for Windows PowerShell by using a federated user account that has global admin credentials through the connect-MSOLService cmdlet.

  3. Test Exchange Online basic authentication by using Microsoft Remote Connectivity Analyzer. For more information about how to use Remote Connectivity Analyzer, see the following article in the Microsoft Knowledge Base:

    2650717  How to use Remote Connectivity Analyzer to troubleshoot single sign-on issues for Office 365, Azure, or Intune

Still need help? Go to Microsoft Community or the Azure Active Directory Forums website.

Need more help?

Want more options?

Explore subscription benefits, browse training courses, learn how to secure your device, and more.

Communities help you ask and answer questions, give feedback, and hear from experts with rich knowledge.