Applies To: Identity Management, Cloud Services (Web roles/Worker roles), Azure Active Directory, Microsoft Intune, Azure Backup

PROBLEM

A newly federated user can't sign in to a Microsoft cloud service such as Office 365, Microsoft Azure, or Microsoft Intune. The user experiences one of the following symptoms:

  • After the user enters their user ID on the login.microsoftonline.com webpage, home realm discovery doesn't recognize the domain suffix of the user ID as a federated domain, so the user isn't automatically redirected to sign in through single sign-on (SSO).

  • Authentication to Active Directory Federation Services (AD FS) fails, and the user receives the following forms-based authentication error message:

    The user name or password is incorrect

  • The user receives the following error message on the login.microsoftonline.com webpage:

    Sorry, but we're having trouble signing you in

CAUSE

These symptoms may occur because the user ID wasn't piloted correctly for SSO. Home realm discovery decides whether to redirect to AD FS based only on the domain suffix of the user ID that's entered, so a user whose on-premises UPN, cloud user ID, or primary email address still uses a non-federated suffix is treated as a cloud (managed) user. A correctly piloted SSO-enabled user ID meets the following requirements:

  • The on-premises Active Directory user account should use the federated domain name as the user principal name (UPN) suffix.

  • The user ID and the primary email address for the associated Microsoft Exchange Online mailbox must share the same domain suffix.

  • The Azure Active Directory Sync tool must sync the on-premises Active Directory user account to a cloud-based user ID.

  • The UPN of the on-premises Active Directory user account and the cloud-based user ID must match.
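The following PowerShell function is an added example, not part of the original article, that audits one user against the four requirements above. It assumes the ActiveDirectory and MSOnline modules are installed on the admin host and that Connect-MsolService has already been run; "jsmith" and "contoso.com" are placeholder names. It also assumes the sync tool's default source anchor, in which the cloud object's ImmutableId is the Base64-encoded on-premises objectGUID.

```powershell
# Added example (not from the original article): audit one user against the four
# SSO piloting requirements. Assumes ActiveDirectory + MSOnline modules and an
# existing Connect-MsolService session. "jsmith" and "contoso.com" are placeholders.
Import-Module ActiveDirectory
Import-Module MSOnline

function Test-SsoPilotUser {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,   # on-premises logon name
        [Parameter(Mandatory)] [string] $FederatedDomain   # e.g. contoso.com
    )

    $onPrem    = Get-ADUser -Identity $SamAccountName -Properties UserPrincipalName, mail, proxyAddresses
    $upnSuffix = ($onPrem.UserPrincipalName -split '@')[1]

    # Requirement 1: the on-premises UPN uses the federated domain as its suffix.
    $upnOk = $upnSuffix -ieq $FederatedDomain

    # Requirement 2: the primary SMTP address (upper-case "SMTP:" entry in proxyAddresses,
    # falling back to the mail attribute) is in the same domain as the UPN.
    $primarySmtp = ($onPrem.proxyAddresses | Where-Object { $_ -clike 'SMTP:*' } |
                    Select-Object -First 1) -replace '^SMTP:', ''
    if (-not $primarySmtp) { $primarySmtp = $onPrem.mail }
    $smtpOk = [bool]$primarySmtp -and (($primarySmtp -split '@')[1] -ieq $upnSuffix)

    # Requirement 3: the account has been synced to a cloud object. Matching the source
    # anchor (assumed: Base64 of objectGUID) proves the link better than a UPN match alone.
    $expectedAnchor = [Convert]::ToBase64String($onPrem.ObjectGUID.ToByteArray())
    $cloud  = Get-MsolUser -UserPrincipalName $onPrem.UserPrincipalName -ErrorAction SilentlyContinue
    $syncOk = [bool]$cloud -and ($cloud.ImmutableId -eq $expectedAnchor)

    # Requirement 4: on-premises UPN and cloud user ID match exactly.
    $matchOk = [bool]$cloud -and ($cloud.UserPrincipalName -ieq $onPrem.UserPrincipalName)

    # The suffix itself must be a federated domain in the tenant, or HRD never redirects.
    $domain   = Get-MsolDomain -DomainName $FederatedDomain -ErrorAction SilentlyContinue
    $domainOk = [bool]$domain -and ($domain.Authentication -eq 'Federated')

    [pscustomobject]@{
        User            = $SamAccountName
        OnPremUpn       = $onPrem.UserPrincipalName
        CloudUpn        = $cloud.UserPrincipalName
        PrimarySmtp     = $primarySmtp
        UpnSuffixOk     = $upnOk
        SmtpDomainOk    = $smtpOk
        SyncedOk        = $syncOk
        UpnMatchOk      = $matchOk
        DomainFederated = $domainOk
    }
}

Test-SsoPilotUser -SamAccountName 'jsmith' -FederatedDomain 'contoso.com' | Format-List
```

Any False in the output maps directly onto one of the methods in the Solution section: UpnSuffixOk to Method 2, SmtpDomainOk to Method 3, SyncedOk and UpnMatchOk to Methods 4 and 5, and DomainFederated to the domain preparation checks that follow.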

Before you assume that a badly piloted SSO-enabled user ID is the cause of this issue, make sure that the following conditions are true:

  • The user isn't experiencing a common sign-in issue. For more info about how to troubleshoot common sign-in issues, see the following Microsoft Knowledge Base article:

    2412085 You can't sign in to your organizational account such as Office 365, Azure, or Intune

  • The federated domain is prepared correctly to support SSO as follows:

    • The federated domain is publicly resolvable by DNS. (This doesn't include the default "onmicrosoft.com" domain.)

    • The federated domain was prepared for SSO according to the following Microsoft websites.

      Note Domain federation conversion can take some time to propagate. You should wait two hours after you federate a domain before you assume that the domain configuration is faulty.
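The following function is an added example, not part of the original article, that checks the domain-level prerequisites above before you start changing user accounts: public DNS resolution, the domain's verified and federated state in the tenant, the federation settings the cloud will redirect to, and what home realm discovery itself returns for a user in the domain. It assumes an existing Connect-MsolService session, and it assumes that the login.microsoftonline.com getuserrealm.srf lookup returns the NameSpaceType and AuthURL fields in its JSON response; "contoso.com" and "jsmith@contoso.com" are placeholders.

```powershell
# Added example (not from the original article): verify that a federated domain is
# prepared for SSO. Assumes an existing Connect-MsolService session. The getuserrealm.srf
# response fields (NameSpaceType, AuthURL) are an assumption about that endpoint.
# "contoso.com" and the sample UPN are placeholders.
Import-Module MSOnline

function Test-FederatedDomainReady {
    param(
        [Parameter(Mandatory)] [string] $DomainName,   # e.g. contoso.com
        [Parameter(Mandatory)] [string] $SampleUpn     # e.g. jsmith@contoso.com
    )

    # 1. Publicly resolvable by DNS. The default onmicrosoft.com domain never qualifies.
    $dnsOk = $false
    if ($DomainName -notlike '*.onmicrosoft.com') {
        $dnsOk = [bool](Resolve-DnsName -Name $DomainName -Type NS -ErrorAction SilentlyContinue)
    }

    # 2. Tenant-side state: the domain must be Verified and its Authentication must be Federated.
    $domain    = Get-MsolDomain -DomainName $DomainName -ErrorAction SilentlyContinue
    $verified  = [bool]$domain -and ($domain.Status -eq 'Verified')
    $federated = [bool]$domain -and ($domain.Authentication -eq 'Federated')

    # 3. Federation settings the cloud hands out for the domain (AD FS passive endpoint, issuer).
    $fed = $null
    if ($federated) { $fed = Get-MsolDomainFederationSettings -DomainName $DomainName }

    # 4. What home realm discovery says about a user in this domain. This is the same
    #    realm lookup the sign-in page performs; "Federated" means the user will be redirected,
    #    "Managed" means the sign-in stays in the cloud (symptom 1 in the Problem section).
    $uri   = 'https://login.microsoftonline.com/getuserrealm.srf?login={0}&json=1' -f `
             [uri]::EscapeDataString($SampleUpn)
    $realm = Invoke-RestMethod -Uri $uri -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Domain           = $DomainName
        DnsResolvable    = $dnsOk
        Verified         = $verified
        Federated        = $federated
        IssuerUri        = $fed.IssuerUri
        PassiveLogOnUri  = $fed.PassiveLogOnUri
        HrdNameSpaceType = $realm.NameSpaceType
        HrdAuthUrl       = $realm.AuthURL
    }
}

Test-FederatedDomainReady -DomainName 'contoso.com' -SampleUpn 'jsmith@contoso.com' | Format-List
```

If Federated is True but HrdNameSpaceType is still Managed shortly after converting the domain, wait out the propagation window noted above before treating the configuration as faulty. If PassiveLogOnUri doesn't point at your AD FS endpoint, the domain federation itself is wrong and no per-user fix in the Solution section will help.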

SOLUTION

To resolve this issue, make sure that the user account is piloted correctly as an SSO-enabled user ID. To do this, use one or more of the following methods:

Method 1: See Knowledge Base article 2615736 if users are receiving the "Sorry, but we're having trouble signing you in" error

If the user receives a "Sorry, but we're having trouble signing you in" error message, use the following Microsoft Knowledge Base article to troubleshoot the issue:

2615736 "Sorry, but we're having trouble signing you in" error when a user tries to sign in to Office 365, Azure, or Intune

Method 2: Update the UPN of the on-premises user account to use the federated domain as its suffix

Warning Changing the UPN of an Active Directory user account can have a significant effect on on-premises Active Directory functionality for the user. Plan UPN changes carefully and deliberately. The change can affect the following:

  • Remote access to on-premises resources by roaming users who log on to the operating system by using cached credentials

  • Remote access authentication technologies by using user certificates

  • Encryption technologies that are based on user certificates such as Secure MIME (SMIME), information rights management (IRM) technologies, and the Encrypting File System (EFS) feature of NTFS

  • Smart-card functionality

We strongly recommend that you pilot a single user account first so that you understand how updating the UPN affects user access. That information helps you plan for, or reduce, certificate reissuance, data recovery, and any other remediation that's required to keep data accessible through these technologies.

You must update the user account UPN to reflect the federated domain suffix both in the on-premises Active Directory environment and in Azure AD. To do this, follow these steps:

  1. Make sure that the federated domain is added as a UPN suffix:

    1. On the on-premises Active Directory domain controller, click Start, point to All Programs, click Administrative Tools, and then click Active Directory Domains and Trusts.

    2. Right-click the root node of Active Directory Domains and Trusts, select Properties, and then make sure that the domain name that's used for SSO is present.

    Note A non-routable domain suffix, such as domain.internal, or the default domain.onmicrosoft.com domain can't take advantage of SSO functionality or federated services. A non-routable domain suffix must not be used in this step.

  2. Manually update the UPN suffix of the problem user account:

    1. On the on-premises Active Directory domain controller, click Start, point to All Programs, click Administrative Tools, and then click Active Directory Users and Computers.

    2. Locate the problem user account, right-click the account, and then click Properties.

    3. On the Account tab, use the drop-down list in the upper-left corner to change the UPN suffix to the custom domain, and then click OK.

Method 3: Make sure that the user ID and the primary Simple Mail Transfer Protocol (SMTP) address of the Exchange Online mailbox have the same domain

Use on-premises Exchange management tools to set the on-premises user's primary SMTP address to the same domain as the UPN suffix that's set in Method 2. For more information, go to the following Microsoft TechNet websites:

Edit an E-Mail Address Policy

Configure User and Resource Mailbox Properties

If Exchange isn't installed in the on-premises environment, you can manage the SMTP address value by using Active Directory Users and Computers. To do this, follow these steps:

  1. In Active Directory Users and Computers, right-click the user object, and then click Properties.

  2. On the General tab, update the E-Mail field, and then click OK.
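The following function is an added example, not part of the original article, that carries out Method 2 and Method 3 together for one pilot user from PowerShell: it registers the federated domain as a forest UPN suffix if it's missing, refuses non-routable suffixes, checks that the new UPN isn't already taken, changes the UPN, and then makes the primary SMTP address live in the same domain, either through Exchange (Set-Mailbox) or, when Exchange isn't installed, by editing the mail and proxyAddresses attributes directly. It assumes the ActiveDirectory module on a domain-joined admin host, an Exchange Management Shell session only when -UseExchange is given, and a forest-wide sync before sign-in is retested; "jsmith" and "contoso.com" are placeholders. Run it with -WhatIf first, because of the warning above.

```powershell
# Added example (not from the original article): apply Method 2 (UPN) and Method 3
# (primary SMTP) to one pilot user. Assumes the ActiveDirectory module; Set-Mailbox is
# only called with -UseExchange. "jsmith" and "contoso.com" are placeholders.
Import-Module ActiveDirectory

function Set-SsoPilotUserIdentity {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $FederatedDomain,
        [switch] $UseExchange,
        [switch] $WhatIf
    )

    # Method 2, step 1: the suffix must be routable and registered in the forest.
    if ($FederatedDomain -match '\.(local|internal)$' -or $FederatedDomain -like '*.onmicrosoft.com') {
        throw "'$FederatedDomain' is not a routable domain that can be federated."
    }
    $forest = Get-ADForest
    if ($forest.UPNSuffixes -notcontains $FederatedDomain) {
        Write-Host "Registering UPN suffix $FederatedDomain in forest $($forest.Name)"
        Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $FederatedDomain } -WhatIf:$WhatIf
    }

    # Method 2, step 2: change the UPN. Keep the prefix, swap the suffix, guard against
    # collisions, and log the old value so the change can be rolled back.
    $user   = Get-ADUser -Identity $SamAccountName -Properties UserPrincipalName, mail, proxyAddresses
    $prefix = ($user.UserPrincipalName -split '@')[0]
    $newUpn = "$prefix@$FederatedDomain"
    $clash  = Get-ADUser -Filter "UserPrincipalName -eq '$newUpn'" |
              Where-Object { $_.ObjectGUID -ne $user.ObjectGUID }
    if ($clash) { throw "UPN $newUpn is already used by $($clash.SamAccountName)." }
    Write-Host "UPN: $($user.UserPrincipalName) -> $newUpn"
    Set-ADUser -Identity $user -UserPrincipalName $newUpn -WhatIf:$WhatIf

    # Method 3: primary SMTP address in the same domain as the new UPN.
    $newSmtp = "$prefix@$FederatedDomain"
    if ($UseExchange) {
        # Disable the address policy first; otherwise Exchange refuses the change or reverts it.
        Set-Mailbox -Identity $SamAccountName -EmailAddressPolicyEnabled $false -WhatIf:$WhatIf
        Set-Mailbox -Identity $SamAccountName -PrimarySmtpAddress $newSmtp -WhatIf:$WhatIf
    } else {
        # No Exchange: upper-case "SMTP:" marks the primary in proxyAddresses. Demote the
        # current primary to a secondary "smtp:" alias, add the new primary, and update mail.
        $addresses = @($user.proxyAddresses | ForEach-Object { $_ -creplace '^SMTP:', 'smtp:' })
        $addresses = @($addresses | Where-Object { $_ -ine "smtp:$newSmtp" }) + "SMTP:$newSmtp"
        Set-ADUser -Identity $user -EmailAddress $newSmtp `
                   -Replace @{ proxyAddresses = $addresses } -WhatIf:$WhatIf
    }
    Write-Host "Primary SMTP: $newSmtp (run directory synchronization before retesting sign-in)"
}

Set-SsoPilotUserIdentity -SamAccountName 'jsmith' -FederatedDomain 'contoso.com' -WhatIf
```

The old primary address is kept as a secondary alias in both branches, so mail sent to it still arrives; only the address that must match the UPN changes. Nothing here touches the cloud object: that is the sync tool's job, which Method 4 covers.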

Method 4: Set up Active Directory synchronization for the user account UPN

To make SSO work correctly, you must set up the Active Directory synchronization client. For more info about how to set up Active Directory synchronization, go to the following Microsoft website:

Active Directory synchronization: Roadmap

For more info about how to force and verify synchronization, go to the following Microsoft websites:
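The following function is an added example, not part of the original article, that forces a synchronization run and then verifies that the pilot user's UPN reached the cloud. It assumes it runs on the sync server with either the classic Azure Active Directory Sync tool (DirSync, whose cmdlet is Start-OnlineCoexistenceSync) or Azure AD Connect (Start-ADSyncSyncCycle) installed, that Connect-MsolService has been run, that the ActiveDirectory module is available, and that the cloud ImmutableId is the Base64-encoded on-premises objectGUID; "jsmith" is a placeholder.

```powershell
# Added example (not from the original article): force a directory sync and verify that
# the pilot user's on-premises UPN has reached Azure AD. Assumes DirSync or Azure AD
# Connect cmdlets on this host, an existing Connect-MsolService session, and the
# default source anchor (Base64 of objectGUID). "jsmith" is a placeholder.
Import-Module ActiveDirectory
Import-Module MSOnline

function Invoke-SsoPilotSync {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [int] $TimeoutMinutes = 30
    )

    $onPrem = Get-ADUser -Identity $SamAccountName -Properties UserPrincipalName
    $anchor = [Convert]::ToBase64String($onPrem.ObjectGUID.ToByteArray())
    $before = (Get-MsolCompanyInformation).LastDirSyncTime
    if (-not $before) { $before = [datetime]::MinValue }   # tenant that has never synced

    # Force a sync cycle with whichever tool is installed.
    if (Get-Command Start-ADSyncSyncCycle -ErrorAction SilentlyContinue) {
        Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
    } elseif (Get-Command Start-OnlineCoexistenceSync -ErrorAction SilentlyContinue) {
        Start-OnlineCoexistenceSync
    } else {
        throw 'No directory synchronization cmdlets were found on this host.'
    }

    # Wait until the tenant reports a sync completion later than the one we saw before the run.
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        Start-Sleep -Seconds 60
        $after = (Get-MsolCompanyInformation).LastDirSyncTime
    } while (($after -le $before) -and ((Get-Date) -lt $deadline))
    if ($after -le $before) { throw "Synchronization did not complete within $TimeoutMinutes minutes." }

    # Find the cloud object by source anchor, not by UPN: if the UPN change hasn't flowed yet,
    # a UPN lookup returns nothing and can't distinguish "stale UPN" from "never synced".
    # Get-MsolUser -All enumerates the whole tenant, which is slow on large directories.
    $cloud = Get-MsolUser -All | Where-Object { $_.ImmutableId -eq $anchor }

    [pscustomobject]@{
        OnPremUpn      = $onPrem.UserPrincipalName
        CloudObject    = [bool]$cloud
        CloudUpn       = $cloud.UserPrincipalName
        UpnUpdated     = [bool]$cloud -and ($cloud.UserPrincipalName -ieq $onPrem.UserPrincipalName)
        LastDirSyncUtc = $after
    }
}

Invoke-SsoPilotSync -SamAccountName 'jsmith' | Format-List
```

Read the result against the next method: CloudObject False after a completed sync means this specific object isn't being synchronized at all, and CloudObject True with UpnUpdated False means the object syncs but the UPN change didn't flow. Both are the per-object cases that Method 5 points to.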

Method 5: Troubleshoot UPN update problems for a specific user account

If the synchronization can be verified but the UPN of a piloted user ID is still not updated, the sync problem may be specific to that user object. For more info about how to troubleshoot potential problems with syncing a specific Active Directory object, see the following Microsoft Knowledge Base article:

2643629 One or more objects don't sync when using the Azure Active Directory Sync tool

Still need help? Go to Microsoft Community or the Azure Active Directory Forums website.
