Federated users can't connect to an Exchange Online mailbox

This issue can occur if one of the following conditions is true:

• The on-premises Active Directory Federation Services (AD FS) 2.0 federation service isn't available from the public Internet.
• The Secure Sockets Layer (SSL) certificate that's used by the AD FS 2.0 endpoint is issued by a certification authority that isn't trusted by the Exchange Online data center.

The current Exchange Online endpoint for Outlook uses Basic Authentication or Proxy Authentication. This means that Outlook clients authenticate to the Outlook.com service by using Basic Authentication. If Outlook.com determines that the user is a federated user, it proxies the Basic Authentication over SSL to the user's AD FS 2.0 server on behalf of the client. This action authenticates the user locally and requests a Security Assertion Markup Language (SAML) claim or access token for the user. If a publically available AD FS 2.0 endpoint isn't available, the authentication process isn't successful, and the user is denied access to the service endpoint.

Use Microsoft Remote Connectivity Analyzer to test whether the on-premises AD FS 2.0 federation service is causing Outlook logon problems for federated users. To do this, follow these steps:

1. In Internet Explorer, browse to https://www.testconnectivity.microsoft.com/?testid=O365Ola.
2. Type the email address and credentials, click to select the acknowledgement check box near the bottom of the page, type the verification code, and then click Perform Test. This test should be run two times. Run the test by using each of the following credentials:
   • A federated account that has a mailbox in Exchange Online
   • A standard user account that has a mailbox in Exchange Online
     
3. Check the results of both tests to determine whether AD FS 2.0 is causing the Outlook sign-in issue.
   
   a. Drill down to the following node of the Test Details tree:
   
   

   Testing RPC/HTTP connectivity
   - ExRCA is attempting to test Autodiscover for john@contoso.com
   - Attempting each method of contacting the Autodiscover service
   - Attempting to contact the Autodiscover service using the HTTP redirect method
   - Attempting to send an Autodiscover POST request to potential Autodiscover URLs
   - ExRCA is attempting to retrieve and XML Autodiscover response from URL htts://autodiscover-s.outlook.com/Autodiscover/Autodiscover.xml for user
     

   
   
   b. Check whether both the following conditions are true:
   • The federated account can't access Autodiscover and receives an "HTTP 401 authorized response" error message.
   • The standard user account can access Autodiscover.
   If both conditions are true, you have confirmed that SSO failures are causing Outlook authentication to fail.