- Users on client devices that should be allowed access can no longer connect to Office 365, Intune, or Azure by using a federated account. They receive the following error message: "There was a problem accessing the site. Try to browse to the site again."
- Users on client devices that shouldn't be allowed access to single sign-on (SSO) functionality can sign in to Office 365, Intune, or Azure by using a federated account.
1. Click Start, point to All Programs, point to Administrator Tools, and then click AD FS 2.0 Management.
2. In the left navigation pane, click AD FS (2.0), click Trust Relationships, click Relying Party Trusts, right-click Microsoft Office 365 Identity Platform, and then click Edit Claim Rule.
3. On the Issuance Authorization Rules tab, remove all the entries that are listed except the Permit Access to All Users rule. To remove an entry, select it, and then click Remove Rule.
4. If the Permit Access to All Users entry isn't present, and if the list is empty after you perform step 3, click Add Rule, select Permit All Users from the drop-down list, click Next, and then click Finish.
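
Before removing entries on the Issuance Authorization Rules tab, it helps to see which rules are the permit-all rule and which are client access policy rules that depend on the `x-ms-*` request-context claims. The following PowerShell is an added example, not part of the original article: the function name `Get-AuthzRuleReport` is hypothetical and the rule text is a constructed sample; the commented lines show how to read the live value with the AD FS 2.0 snap-in.

```powershell
# Constructed sample of an IssuanceAuthorizationRules value (not from a real server).
# On the AD FS 2.0 federation server, read the live value instead:
#   Add-PSSnapin Microsoft.Adfs.PowerShell
#   $rules = (Get-ADFSRelyingPartyTrust -Name 'Microsoft Office 365 Identity Platform').IssuanceAuthorizationRules
$rules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

@RuleName = "Block external access (constructed)"
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"]) &&
NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value =~ "\b203\.0\.113\.10\b"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
'@

function Get-AuthzRuleReport {
    param([Parameter(Mandatory=$true)][string]$RuleText)

    # Every rule in the claim rule language is terminated by ';'.
    $chunks = [regex]::Split($RuleText, ';[ \t]*(?:\r?\n|$)') | Where-Object { $_.Trim() }
    foreach ($chunk in $chunks) {
        # Take the display name from the @RuleName or @RuleTemplate annotation, if any.
        $name = if ($chunk -match '@Rule(?:Name|Template)\s*=\s*"([^"]*)"') { $Matches[1] } else { '(unnamed)' }

        # Drop annotation lines so only the condition and the issuance statement remain.
        $body = ((($chunk -split '\r?\n') | Where-Object { $_ -notmatch '^\s*@Rule' }) -join "`n").Trim()

        $effect = if ($body -match 'authorization/claims/deny"') { 'deny' } elseif ($body -match 'authorization/claims/permit"') { 'permit' } else { 'other' }

        New-Object PSObject -Property @{
            Name            = $name
            Effect          = $effect
            # Permit-all: no condition before '=>' and a permit claim is issued.
            PermitAll       = ($effect -eq 'permit') -and $body.StartsWith('=>')
            # Client access policy rules test request-context claims (x-ms-proxy, x-ms-forwarded-client-ip, ...).
            UsesProxyClaims = [bool]($body -match 'requestcontext/claims/x-ms-')
        } | Select-Object Name, Effect, PermitAll, UsesProxyClaims
    }
}

Get-AuthzRuleReport -RuleText $rules | Format-Table -AutoSize
```

Rows with `PermitAll` set to `False` are the entries that step 3 removes; rows with `UsesProxyClaims` set to `True` are the ones to review against the client access policy.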
Resolution 1: Implement an AD FS federation server proxy as part of the identity federation architecture
For more info about how to implement AD FS 2.0 federation services, go to the following Microsoft website:
Resolution 2: Check the client access policy
Check that the client access policy was applied correctly. For more info, go to the following Microsoft TechNet website:
- The AD FS federation server proxy isn't used to expose the AD FS federation service to Internet devices.
- The client access policy rule was incorrectly applied to the AD FS federation server.
Article ID: 2619789 - Last Review: Dec 16, 2016 - Revision: 1