"There was a problem accessing the site" error from AD FS when a federated user signs in to Office 365, Azure, or Intune

Applies to: Cloud Services (Web roles/Worker roles), Azure Backup, Microsoft Intune


When a federated user tries to sign in to a Microsoft cloud service such as Office 365, Microsoft Azure, or Microsoft Intune, the user receives the following error message from Active Directory Federation Services (AD FS):
There was a problem accessing the site. Try to browse to the site again.
If the problem persists, contact the administrator of this site and provide the reference number to identify the problem.
Reference number: <GUID>
When this error occurs, the web browser’s address bar points to the on-premises AD FS endpoint at an address that resembles the following:


This issue may occur for one of the following reasons:
  • The setup of single sign-on (SSO) through AD FS wasn't completed.
  • The AD FS token-signing certificate expired.
  • The AD FS client access policy claims are set up incorrectly.
  • The relying party trust with Azure Active Directory (Azure AD) is missing or is set up incorrectly.
  • The AD FS federation proxy server is set up incorrectly or exposed incorrectly.
  • The AD FS IUSR account doesn't have the "Impersonate a client after authentication" user permission.
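
To narrow down which of these causes applies, the following read-only checks can be run in an elevated PowerShell session on the AD FS server. This is an added example and is not part of the original Microsoft article. The relying party identifier `urn:federation:MicrosoftOnline` and the 30-day warning window are assumptions not stated on this page.

```powershell
# Added example: read-only checks for three of the causes listed above.
# Requires the ADFS PowerShell module (present on AD FS servers).
Import-Module ADFS -ErrorAction Stop

# Assumption (not from this page): identifier of the Azure AD relying party trust.
$AzureAdIdentifier = 'urn:federation:MicrosoftOnline'
# Assumption: flag certificates that expire within this many days.
$WarnDays = 30
$now = Get-Date

# Cause: the AD FS token-signing certificate expired.
Get-AdfsCertificate -CertificateType Token-Signing | ForEach-Object {
    $cert = $_.Certificate
    if ($cert.NotAfter -lt $now) {
        $status = 'EXPIRED'
    } elseif ($cert.NotAfter -lt $now.AddDays($WarnDays)) {
        $status = 'EXPIRING SOON'
    } else {
        $status = 'OK'
    }
    [pscustomobject]@{
        Check      = 'Token-signing certificate'
        Thumbprint = $cert.Thumbprint
        IsPrimary  = $_.IsPrimary
        NotAfter   = $cert.NotAfter
        Status     = $status
    }
} | Format-Table -AutoSize

# Cause: the relying party trust with Azure AD is missing or set up incorrectly.
$rp = Get-AdfsRelyingPartyTrust -Identifier $AzureAdIdentifier
if (-not $rp) {
    Write-Warning "No relying party trust with identifier '$AzureAdIdentifier' was found."
} else {
    $rp | Select-Object Name, Enabled, Identifier | Format-List
    if (-not $rp.Enabled) {
        Write-Warning 'The relying party trust exists but is disabled.'
    }
    # Cause: client access policy claims are set up incorrectly.
    # The rules are printed for manual review; this script does not judge them.
    'Issuance authorization rules on the trust:'
    $rp.IssuanceAuthorizationRules
}
```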


To resolve this issue, use the method that's appropriate for your situation.


For more information about how to troubleshoot sign-in issues for federated users, see the following Microsoft Knowledge Base articles:
  • 2530569  Troubleshoot single sign-on setup issues in Office 365, Intune, or Azure
  • 2712961  How to troubleshoot AD FS endpoint connection issues when users sign in to Office 365, Intune, or Azure  

Still need help? Go to Microsoft Community or the Azure Active Directory Forums website.