When you try to authenticate to Office 365 by using a federated account, the authentication is unsuccessful, and one or more of the following issues occur:
At the sign-in prompt, when you try to update the Username field by using a federated user name, the browser address bar contains a URL that resembles the following example, instead of a webpage that includes a "Sign in at <AD FS endpoint name>" link:
After you sign in by using a federated account and you try to access an Office 365 resource, such as the Office 365 portal, Outlook Web App, SharePoint Online, or Lync Online, you get the following error message:
If these issues only occur for some user accounts, this indicates that those user accounts are likely set up incorrectly in the on-premises Active Directory environment. In this scenario, one or more of the following items may be set up incorrectly:
The wrong user principal name (UPN) and password are being used.
The UPN isn't updated for user accounts.
In this case, the UPN suffix for each identity-federated account must be updated to reflect the federated domain name. To verify a user account UPN, follow these steps:
On the local Active Directory domain controller, click Start, point to All Programs, click Administrative Tools, and then click Active Directory Users and Computers.
Right-click the user account that you want to change, and then click Properties.
On the Account tab, make sure that the UPN suffix of the federated namespace is listed in the list in the upper-left corner, and then click OK.
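Checking the UPN suffix one account at a time in Active Directory Users and Computers does not scale. The following PowerShell script is an added example (not part of the original article) that audits every enabled on-premises user and reports the ones whose UPN suffix does not match the federated domain. It assumes the ActiveDirectory module from RSAT is installed, that contoso.com is the federated domain, and that the synchronized accounts live under the OU in $SearchBase; adjust both values for your environment.

```powershell
# Added example, not from the original article: audit on-premises accounts whose
# UPN suffix differs from the federated domain name used by Office 365.
Import-Module ActiveDirectory

$FederatedDomain = 'contoso.com'                  # assumption: domain federated with Office 365
$SearchBase      = 'OU=Users,DC=contoso,DC=com'   # assumption: OU holding the synced user accounts

# Enabled users only; disabled accounts are not expected to sign in.
$users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
                    -Properties UserPrincipalName, SamAccountName

# Classify each account by the part of the UPN after '@'.
$report = foreach ($u in $users) {
    $upn    = $u.UserPrincipalName
    $suffix = if ($upn -and $upn.Contains('@')) { $upn.Split('@')[-1] } else { $null }

    $status = if (-not $suffix) {
        'MissingUPN'            # no UPN at all: directory sync cannot create a usable cloud account
    } elseif ($suffix -ieq $FederatedDomain) {
        'OK'
    } else {
        'WrongSuffix'           # e.g. contoso.local: sign-in will not be routed to AD FS
    }

    [pscustomobject]@{
        SamAccountName    = $u.SamAccountName
        UserPrincipalName = $upn
        Suffix            = $suffix
        Status            = $status
    }
}

# Show only the accounts that need attention, then keep a CSV for the change record.
$report | Where-Object { $_.Status -ne 'OK' } |
    Sort-Object Status, SamAccountName |
    Format-Table -AutoSize
$report | Export-Csv -Path .\upn-audit.csv -NoTypeInformation

# Remediation preview: rewrite the suffix to the federated domain. -WhatIf prints the
# intended change without applying it; remove -WhatIf only after reviewing the report.
$report | Where-Object { $_.Status -eq 'WrongSuffix' } | ForEach-Object {
    Set-ADUser -Identity $_.SamAccountName `
               -UserPrincipalName ("{0}@{1}" -f $_.SamAccountName, $FederatedDomain) -WhatIf
}
```

After correcting a UPN, the change still has to reach Windows Azure AD through directory synchronization before sign-in for that account will succeed.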
Office 365 user account isn't licensed for the Office 365 resource
Access to Office 365 resources for which the user account doesn't have a license is restricted. To check the license status for a user account, follow these steps:
When a subdomain, such as subdomain.contoso.com, is added to the Office 365 portal before its parent domain, for example contoso.com, the subdomain automatically inherits the parent domain’s federation status. To determine the inheritance status, follow these steps:
) by using an Office 365 admin user account. You can use a managed account if this is required.
Click Admin, and then in the left navigation pane, click Domains.
In the list of domains, locate the federated subdomain name, and then determine whether the Domain type setting is set to Single Sign-On.
Repeat steps 1 through 3 for the parent domain. If the parent domain's Domain type setting differs from the subdomain's setting, the subdomain has been orphaned from its parent.
Directory synchronization issues are preventing proper user account configuration on-premises from syncing to Windows Azure AD.
Single sign-on (SSO) relies on identical user accounts being represented both in the on-premises Active Directory and in Windows Azure AD. Directory synchronization is responsible for making sure that a matching Office 365 user account is created for each on-premises user account. Sign-in may fail when directory synchronization doesn't sync the correct account settings from the on-premises Active Directory to Windows Azure AD.