When users try to authenticate a non-browser app to a Microsoft cloud service such as Office 365, Microsoft Azure, or Microsoft Intune from a specific client computer, one or more of the following issues occur:
Admins can't authenticate to the cloud service by using the following management tools:
Microsoft Azure Active Directory Sync Tool (on the directory synchronization server)
Microsoft Azure Active Directory Module for Windows PowerShell (on a computer on which it is installed)
Users can't authenticate to the cloud service by using the following rich client applications:
Microsoft Lync 2010
Microsoft Office Professional Plus
Microsoft Office applications
When users try to access the cloud service portal by using a web browser from the same computer, the users may experience one of the following symptoms:
Internet Explorer can't display the webpage.
The user is prompted for credentials before the webpage loads.
Users don't experience these symptoms when they use the same user account info to access the cloud service from other computers; from those computers, access succeeds.
Usually, this issue occurs on a specific client computer or on a group of client computers. This issue may occur for all client computers only if no computers at the company are set up for the cloud service. Non-browser app authentication may not be fully functional if cloud service client settings aren't implemented correctly. The following client computer scenarios may cause this issue:
Network connectivity to the cloud service is limited.
The firewall, proxy servers, or both require local authentication.
Prerequisites of the non-browser app aren't met.
An old version of the Microsoft Online Services Sign In Assistant is installed.
The non-browser app isn't set up for the cloud service.
Before you continue to troubleshoot this issue, make sure that all the following conditions are true:
The keyboard on the client computer is working correctly, and the user name and the password were entered correctly.
Non-browser app authentication doesn't fail for the same user account on other client computers. If all other computers experience the same symptoms for the same user account, this behavior likely indicates that the issue is related to the user account. For more info, see the Microsoft Knowledge Base:
2412085 You can't sign in to your organizational account such as Office 365, Azure, or Intune
Access issues aren't limited to federated users on the client computer. If only federated users experience access issues, there's likely an issue with the SSO configuration. For more info, see the following Microsoft Knowledge Base articles:
2530713 Signing in to Office 365, Azure, or Intune by using single sign-on doesn't work from some devices
2535227 A federated user is prompted unexpectedly to enter their work or school account credentials
2530569 Troubleshoot single sign-on setup issues in Office 365, Intune, or Azure
To troubleshoot this issue, use one or more of the following methods, depending on the likely cause of the issue.
Resolution 1: Network connectivity is limited
Use a browser and try to access http://www.msn.com. If you can't access this website, troubleshoot network connectivity issues.
At a command prompt, use the ipconfig and ping tools to troubleshoot IP connectivity. For more info about how to do this, see the following Microsoft Knowledge Base article:
At a command prompt, run nslookup www.msn.com to determine whether DNS is resolving Internet server names.
Make sure that the proxy server settings in Internet Options reflect the appropriate proxy server, if a proxy server is used in the local network.
If a Forefront Threat Management Gateway (TMG) firewall is installed on the boundary of the network and the firewall requires client authentication, you might have to install and configure the Forefront TMG client program on the client device for Internet access. Contact your cloud service admin for help.
Resolution 2: Firewall or proxy servers require additional authentication
To resolve this issue, configure the authenticating proxy to exempt Office 365 URLs and applications from authentication. For example, if you're running Microsoft Internet Security and Acceleration Server (ISA) 2006, create an "allow" rule that meets the following criteria:
Allow outbound connections to the following destination: *.microsoftonline.com
Allow outbound connections to the following destination: *.microsoftonline-p.com
Allow outbound connections to the following destination: *.sharepoint.com
Allow outbound connections to the following destination: *.outlook.com
Allow outbound connections to the following destination: *.lync.com
Allow outbound connections to the following destination: osub.microsoft.com
Protocols TCP and HTTPS
Rule must apply to all users.
HTTPS/SSL time-out set to 8 hours
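To tell a Resolution 1 problem (no connectivity or DNS) from a Resolution 2 problem (the proxy demands credentials), the following PowerShell script can be run on the affected client. It is an added example, not part of the original article or of Microsoft's tooling. The function name Test-CloudEndpoint and the result labels are hypothetical, and login.microsoftonline.com is an assumed representative host for the *.microsoftonline.com wildcard; add a host for each of the other wildcard destinations that applies to your tenant.

```powershell
# Added example, not Microsoft's tooling. Run on the affected client.
# osub.microsoft.com is named in the allow rule; login.microsoftonline.com is
# an assumed representative host for the *.microsoftonline.com wildcard.
param(
    [string[]]$HostName = @('login.microsoftonline.com', 'osub.microsoft.com'),
    [int]$TimeoutSec = 15
)

function Test-CloudEndpoint {
    param([string]$Name, [int]$TimeoutSec)

    # DNS check: the same question "nslookup <name>" answers in Resolution 1.
    $dnsOk = $true
    try { $null = [System.Net.Dns]::GetHostAddresses($Name) } catch { $dnsOk = $false }

    # HTTPS request sent through the default (Internet Options) proxy settings,
    # without proxy credentials, which is how many non-browser apps behave.
    $status = $null
    $detail = ''
    try {
        $resp = Invoke-WebRequest -Uri "https://$Name/" -Method Head -UseBasicParsing `
            -TimeoutSec $TimeoutSec -ErrorAction Stop
        $status = [int]$resp.StatusCode
        $result = 'Reachable'
    } catch {
        $detail = $_.Exception.Message
        $response = $_.Exception.Response
        if ($null -eq $response) {
            # No HTTP response at all: DNS, routing, TLS or a firewall drop.
            $result = 'ConnectFailed'
        } else {
            $status = [int]$response.StatusCode
            # 407 = the proxy demanded credentials (the Resolution 2 case).
            # Other statuses came from the server or the proxy; inspect HttpStatus.
            $result = if ($status -eq 407) { 'ProxyAuthRequired' } else { 'HttpError' }
        }
    }

    [pscustomobject]@{
        Host = $Name; DnsResolves = $dnsOk; HttpStatus = $status
        Result = $result; Detail = $detail
    }
}

$HostName | ForEach-Object { Test-CloudEndpoint -Name $_ -TimeoutSec $TimeoutSec } |
    Format-Table -AutoSize -Wrap
```

A ProxyAuthRequired result for a destination in the list above means the allow rule is missing or isn't matching that destination. ConnectFailed together with DnsResolves set to False points back to the Resolution 1 checks.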
Resolution 3: Prerequisites of the non-browser app aren't met, or the Microsoft Online Services Sign In Assistant is out of date
If certain operating systems or non-browser apps aren't updated with the appropriate prerequisites, they may be unable to access the intended services. Make sure that the computer and the applications meet the system requirements for the cloud service. For more info about Office 365 system requirements, go to the following Microsoft website:
Resolution 4: The non-browser app isn't set up for the cloud service
If profiles haven't been created for some non-browser apps, those applications will be unable to correctly access the intended services. The easiest way to make sure that applications are configured appropriately for Office 365 is to run the Office 365 Desktop Setup Tool: