Article ID: 2619789

PROBLEM

After you apply an Active Directory Federation Services (AD FS) client access policy, federated users experience one of the following symptoms when they try to access Office 365, Windows Intune, or Windows Azure:
  • Users on client devices that should be allowed access can no longer connect to Office 365, Windows Intune, or Windows Azure by using a federated account. They receive the following error message:
    There was a problem accessing the site. Try to browse to the site again.
  • Users on client devices that shouldn't be allowed access to single sign-on (SSO) functionality can sign in to Office 365, Windows Intune, or Windows Azure by using a federated account.

SOLUTION

To work around this issue, remove the client access policy from the AD FS federation server on the primary node in the AD FS federation server farm. To do this, follow these steps:
  1. Click Start, point to All Programs, point to Administrative Tools, and then click AD FS 2.0 Management.
  2. In the left navigation pane, click AD FS (2.0), click Trust Relationships, click Relying Party Trusts, right-click Microsoft Office 365 Identity Platform, and then click Edit Claim Rule.
  3. On the Issuance Authorization Rules tab, remove all the entries that are listed except the Permit Access to All Users rule. To remove an entry, select it, and then click Remove Rule.
  4. If the Permit Access to All Users entry isn't present, and if the list is empty after you perform step 3, click Add Rule, select Permit All Users from the drop-down list, click Next, and then click Finish.
After you follow these steps, test federated user access to make sure that the default AD FS behavior to allow all client connections is restored.
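
The same workaround can be scripted with the AD FS 2.0 PowerShell snap-in. This is an added example, not part of the original article: it saves the existing issuance authorization rules before replacing them, so the client access policy can be reviewed and corrected afterward. The backup path and the rule name text are assumptions.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell
# session on the primary node of the AD FS 2.0 federation server farm.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$rpName     = 'Microsoft Office 365 Identity Platform'            # trust named in step 2
$backupPath = Join-Path $env:TEMP 'o365-issuance-authz-rules.txt' # assumed backup location

# "Permit Access to All Users" expressed in the AD FS claim rule language.
# The @RuleName text is an assumption; the rule body is the standard permit claim.
$permitAll = @'
@RuleTemplate = "AllowAllAuthzRule"
@RuleName = "Permit Access to All Users"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

$rp = Get-ADFSRelyingPartyTrust -Name $rpName
if (-not $rp) { throw "Relying party trust '$rpName' was not found." }

# Keep a copy of the rules that are about to be removed. Without it, the
# client access policy cannot be audited or re-applied correctly later.
$current = [string]$rp.IssuanceAuthorizationRules
$current | Out-File -FilePath $backupPath -Encoding UTF8
Write-Host "Existing rules saved to $backupPath"

# List the named rules that will be removed (equivalent of step 3).
[regex]::Matches($current, '@RuleName\s*=\s*"([^"]*)"') |
    ForEach-Object { Write-Host "Removing rule: $($_.Groups[1].Value)" }

# Replace the whole rule set with the single permit-all rule (steps 3 and 4).
Set-ADFSRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $permitAll

# Confirm that only the permit-all rule remains before testing user access.
(Get-ADFSRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
```

While the permit-all rule is the only entry, every client location can authenticate, so treat this state as temporary until the client access policy is re-applied under Resolution 2.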

Resolution 1: Implement an AD FS federation server proxy as part of the identity federation architecture

For more info about how to implement AD FS 2.0 federation services, go to the following Microsoft website:
Plan for and deploy Active Directory Federation Services 2.0 for use with single sign-on

Resolution 2: Check the client access policy

Check that the client access policy was applied correctly. For more info, go to the following Microsoft TechNet website:
Limiting Access to Office 365 Services Based on the Location of the Client
For help in setting up client access policy rules in AD FS SSO, contact Office 365 technical support.

MORE INFORMATION

This issue may occur if one of the following conditions is true:

  • The AD FS federation server proxy isn't used to expose the AD FS federation service to Internet devices.
  • The client access policy rule was incorrectly applied to the AD FS federation server.

Still need help? Go to the Office 365 Community website or the Windows Azure Active Directory Forums website.

Properties

Article ID: 2619789 - Last Review: March 4, 2014 - Revision: 12.0
Applies to
  • Windows Azure
  • Microsoft Office 365
  • Microsoft Office 365 for enterprises (pre-upgrade)
  • Microsoft Office 365 for education (pre-upgrade)
  • CRM Online via Office 365 E Plans
  • Windows Azure Recovery Services