- After the user enters their user ID on the login.microsoftonline.com webpage, the user ID can't be identified as a federated user by home realm discovery and the user isn't automatically redirected to sign in through single sign-on (SSO).
- Authentication to Active Directory Federation Services (AD FS) fails, and the user receives the following forms-based authentication error message:The user name or password is incorrect
- The user receives the following error message on the login.microsoftonline.com webpage:Sorry, but we're having trouble signing you out
- The on-premises Active Directory user account should use the federated domain name as the user principal name (UPN) suffix.
- The user ID and the primary email address for the associated Microsoft Exchange Online mailbox do not share the same domain suffix.
- The Azure Active Directory Sync tool must sync the on-premises Active Directory user account to a cloud-based user ID.
- The UPN of the on-premises Active Directory user account and the cloud-based user ID must match.
- The user isn't experiencing a common sign-in issue. For more info about how to troubleshoot common sign-in issues, see the following Microsoft Knowledge Base article: 2412085 You can't sign in to your organizational account such as Office 365, Azure, or Intune
- The federated domain is prepared correctly to support SSO as follows:
- The federated domain is publicly resolvable by DNS. (This doesn't include the default "onmicrosoft.com" domain.)
- The federated domain was prepared for SSO according to the following Microsoft websites.Note Domain federation conversion can take some time to propagate. You should wait two hours after you federate a domain before you assume that the domain configuration is faulty.
Method 1: See Knowledge Base article 2615736 if users are receiving the "Sorry, but we're having trouble signing you in" errorIf the user receives a "Sorry, but we're having trouble signing you in" error message, use the following Microsoft Knowledge Base article to troubleshoot the issue:
Method 2: Update the UPN of the on-premises user account to use the federated domain as its suffixWarning Changing the UPN of an Active Directory user account can have a significant effect on the on-premises Active Directory functionality for the user. We recommend that you use caution and deliberation about UPN changes.
The effect potentially includes the following:
- Remote access to on-premises resources by roaming users who log on to the operating system by using cached credentials
- Remote access authentication technologies by using user certificates
- Encryption technologies that are based on user certificates such as Secure MIME (SMIME), information rights management (IRM) technologies, and the Encrypting File System (EFS) feature of NTFS
- Smart-card functionality
You must update the user account UPN to reflect the federated domain suffix both in the on-premises Active Directory environment and in Azure AD. To do this, follow these steps:
- Make sure that the federated domain is added as a UPN suffix:
- On the on-premises Active Directory domain controller, click Start, point to All Programs, click Administrative Tools, and then click Active Directory Domains and Trusts.
- Right-click the root node of Active Directory Domains and Trusts, select Properties, and then make sure that the domain name that's used for SSO is present.
- Manually update the UPN suffix of the problem user account:
- On the on-premises Active Directory domain controller, click Start, point to All Programs, click Administrative Tools, and then click Active Directory Users and Computers.
- Locate the problem user account, right-click the account, and then click Properties.
- On the Account tab, use the drop-down list in the upper-left corner to change the UPN suffix to the custom domain, and then click OK.
Method 3: Make sure that the user ID and the primary Simple Mail Transfer Protocol (SMTP) address of the Exchange Online mailbox have the same domainUse on-premises Exchange management tools to set the on-premises user's primary SMTP address to the same domain of the UPN attribute that's described in Method 2. For more information, go to the following Microsoft TechNet websites:
- In Active Directory Users and Computers, right-click the user object, and then click Properties.
- On the General tab, update the E-Mail field, and then click OK.
Method 4: Set up Active Directory synchronization for the user account UPNTo make SSO work correctly, you must set up Active Directory synchronization client. For more info about how to set up Active Directory synchronization, go to the following Microsoft website:
Method 5: Troubleshoot UPN update problems for a specific user accountIf the synchronization can be verified but the UPN of a piloted user ID is still not updated, the sync problem may occur for the specific user.
For more info about how to troubleshoot potential problems with syncing a specific Active Directory object, see the following Microsoft Knowledge Base article:
Article ID: 2392130 - Last Review: Dec 16, 2016 - Revision: 1