How to troubleshoot non-browser apps that can’t sign in to Office 365, Azure, or Intune

PROBLEM
When users try to authenticate a non-browser app to a Microsoft cloud service such as Office 365, Microsoft Azure, or Microsoft Intune from a specific client computer, one or more of the following issues occur:
  • Admins can't authenticate to the cloud service by using the following management tools:
    • Microsoft Azure Active Directory Sync Tool (on the directory synchronization server)
    • Microsoft Azure Active Directory Module for Windows PowerShell (on a computer on which it is installed)
  • Users can't authenticate to the cloud service by using the following rich client applications:
    • Microsoft Outlook
    • Microsoft Lync 2010
    • Microsoft Office Professional Plus
    • Microsoft Office applications
When users try to access the cloud service portal by using a web browser from the same computer, the users may experience one of the following symptoms:
  • Internet Explorer can't display the webpage.
  • The user is prompted for credentials before the webpage loads.
Users don't experience these symptoms when they access the cloud service from other computers by using the same user account info. Users can successfully access the cloud service from other computers.
CAUSE
Usually, this issue occurs on a specific client computer or on a group of client computers. This issue may occur for all client computers only if no computers at the company are set up for the cloud service. Non-browser app authentication may not be fully functional if cloud service client settings aren't implemented correctly. The following client computer scenarios may cause this issue:
  • Network connectivity to the cloud service is limited.
  • The firewall, proxy servers, or both require local authentication.
  • Prerequisites of the non-browser app aren't met.
  • An old version of the Microsoft Online Services Sign In Assistant is installed.
  • The non-browser app isn't set up for the cloud service.
Before you continue to troubleshoot this issue, make sure that all the following conditions are true:
  • The keyboard on the client computer keyboard is working correctly, and the user name and the password were entered correctly.
  • Non-browser app authentication doesn't fail for the same user account on other client computers. If all other computers experience the same symptoms for the same user account, this behavior likely indicates that the issue is related to the user account. For more info, see the Microsoft Knowledge Base:
    2412085 You can't sign in to your organizational account such as Office 365, Azure, or Intune
  • Access issues aren't limited to federated users on the client computer. If only federated users experience access issues, there's likely an issue with the SSO configuration. For more info, see the following Microsoft Knowledge Base articles:
    2530713 Signing in to Office 365, Azure, or Intune by using single sign-on doesn't work from some devices
    2535227 A federated user is prompted unexpectedly to enter their work or school account credentials

    2530569 Troubleshoot single sign-on setup issues in Office 365, Intune, or Azure
SOLUTION
To troubleshoot this issue, use one or more of the following methods, depending on the likely cause of the issue.

Resolution 1: Network connectivity is limited

Use a browser and try to access http://www.msn.com. If you can't access this website, troubleshoot network connectivity issues.
  1. At a command prompt, use the ipconfig and ping tools to troubleshoot IP connectivity. For more info about how to do this, see the following Microsoft Knowledge Base article:
    169790 How to troubleshoot basic TCP/IP problems
  2. At a command prompt, run nslookup www.msn.com to determine whether DNS is resolving Internet server names.
  3. Make sure that the proxy server settings in Internet Options reflect the appropriate proxy server, if a proxy server is used in the local network.
  4. If a Forefront Threat Management Gateway (TMG) firewall is installed on the boundary of the network and the firewall requires client authentication, you might have to install and configure the Forefront TMG client program on the client device for Internet access. Contact your cloud service admin for help.

Resolution 2: Firewall or proxy servers require additional authentication

To resolve this issue, configure an exception for Office 365 URLs and applications from the authentication proxy. For example, if you're running Microsoft Internet Security and Acceleration Server (ISA) 2006, create an "allow" rule that meets the following criteria:
  • Allow outbound connections to the following destination: *.microsoftonline.com
  • Allow outbound connections to the following destination: *.microsoftonline-p.com
  • Allow outbound connections to the following destination: *.sharepoint.com
  • Allow outbound connections to the following destination: *.outlook.com
  • Allow outbound connections to the following destination: *.lync.com
  • Allow outbound connections to the following destination: osub.microsoft.com
  • Ports 80/443
  • Protocols TCP and HTTPS
  • Rule must apply to all users.
  • HTTPS/SSL time-out set to 8 hours

Resolution 3: Prerequisites of the non-browser app aren't met, or the Microsoft Online Services Sign In Assistant is out of date

If certain operating systems or non-browser apps aren't updated with the appropriate prerequisites, they may be unable to access the intended services. Make sure that the computer and the applications meet the system requirements for the cloud service. For more info about Office 365 system requirements, go to the following Microsoft website: The easiest way to make sure that your computer is updated appropriately for Office 365 is to run the Office 365 Desktop Setup Tool. To do that, follow these steps:
  1. In a web browser, browse to https://portal.office.com, sign in, and then click Downloads in the right pane.
  2. Scroll to the bottom of the page. Under 3 Set up and configure your Office desktop apps, click Set up, and then confirm when you're prompted to run the Office 365 Desktop Setup Tool.
Or, you can download and manually install the required updates and packages from the following Microsoft website:

Resolution 4: The non-browser app isn't set up for the cloud service

If profiles haven't been created for some non-browser apps, those applications will be unable to correctly access the intended services. The easiest way to make sure that applications are configured appropriately for Office 365 is to run the Office 365 Desktop Setup Tool:
  1. In a web browser, browse to https://portal.office.com, sign in, and then click Downloads in the right pane.
  2. Scroll to the bottom of the page. Under 3 Set up and configure your Office desktop apps, click Set up, and then confirm when you're prompted to run the Office 365 Desktop Setup Tool.
Or, you can manually set up application profiles. For more info, see the following Microsoft website:

Resolution 5: Can’t sign in by using Office 2016 or Office 2013 with modern authentication on Surface Pro 3

This issue was fixed in Windows 10 version 1511. To resolve this issue, install all cumulative updates for Windows 10 from Windows Update. Or, at a minimum, install the cumulative update for Windows 10 that's described in the following Microsoft Knowledge Base article:
3105211 Cumulative update for Windows 10 Version 1511: November 10, 2015

If you can't install the update, follow these steps.

Important  Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, back up the registry for restoration  in case problems occur.
  1. In Windows 10, in the search box on the task bar, type regedit, and then press Enter to open Registry Editor.
  2. Do one of the following, depending on the version of Office that you're running:
    • If you have Office 2016, delete the following registry key:
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Identity\Identities
    • If you have Office 2013, delete the following registry key:
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Common\Identity\Identities
MORE INFORMATION
For more info about issues with specific non-browser apps, see the following Microsoft Knowledge Base articles:
2512032 You receive a "There was a problem that caused parts of the Microsoft Online Services Sign-in Assistant to be disabled" error

2566899 Issues that may prevent client programs from being configured correctly by Office 365 Desktop Setup

2630976 "Access Denied" error, or user is repeatedly prompted for credentials when trying to connect to Office 365 by using a rich client application
Still need help? Go to the Office 365 Community website or the Azure Active Directory Forums website.
Properties

Article ID: 2637629 - Last Review: 02/25/2016 23:10:00 - Revision: 41.0

Microsoft Azure Active Directory, Microsoft Office 365, Microsoft Intune, CRM Online via Office 365 E Plans, Microsoft Azure Recovery Services, Office 365 User and Domain Management

  • o365 o365a o365e o365p o365022013 o365m KB2637629
Feedback