After you change Active Directory Federation Services (AD FS) service endpoint settings in the AD FS Management Console, single sign-on (SSO) authentication to a Microsoft cloud service such as Office 365, Microsoft Azure, or Microsoft Intune fails, and you experience one of the following symptoms:
Federated users can't sign in to Office 365, Azure, or Intune by using rich client applications.
Browser applications repeatedly prompt users for credentials when they try to authenticate to AD FS during SSO authentication.
This issue may occur if one of the following conditions is true:
The AD FS service endpoints are inappropriately configured.
Kerberos authentication on the AD FS server is broken.
To resolve this issue, use one of the following methods, as appropriate for your situation.
Resolution 1: Restore the default AD FS service endpoint configuration
To restore AD FS default service endpoint settings, follow these steps on the primary AD FS server:
Open the AD FS Management Console, and in the left navigation pane, browse to AD FS (2.0), then Service, and then Endpoints.
Examine the endpoints list, and make sure that the entries in this list are enabled as indicated (at a minimum):
Applies to: Microsoft Azure cloud services, Microsoft Azure Active Directory, Microsoft Office 365, Microsoft Intune, CRM Online via Office 365 E Plans, Microsoft Azure Recovery Services, Office 365 Identity Management
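For Resolution 1, comparing the live endpoint list with a copy saved while SSO was working shows which endpoints were changed. The following PowerShell is an added example, not part of the original article; it assumes the AD FS PowerShell cmdlets are available on the primary AD FS server, and the baseline file name and the -SaveBaseline switch are hypothetical.

```powershell
# Added example: snapshot AD FS endpoint state and diff it against a saved baseline.
# Run in an elevated session on the primary AD FS server.
param(
    [string]$BaselinePath = '.\adfs-endpoints-baseline.csv',  # hypothetical file name
    [switch]$SaveBaseline                                     # hypothetical switch
)

# AD FS 2.0 ships the cmdlets in a snap-in; later versions ship them in the ADFS module.
if (-not (Get-Command Get-AdfsEndpoint -ErrorAction SilentlyContinue)) {
    if (Get-PSSnapin -Registered -Name Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue) {
        Add-PSSnapin Microsoft.Adfs.PowerShell
    } else {
        Import-Module ADFS -ErrorAction Stop
    }
}

# Keep only the fields that decide whether an endpoint is reachable.
$current = Get-AdfsEndpoint |
    Select-Object AddressPath, Protocol, Enabled, Proxy |
    Sort-Object AddressPath

if ($SaveBaseline) {
    $current | Export-Csv -Path $BaselinePath -NoTypeInformation
    Write-Output "Baseline with $(@($current).Count) endpoints written to $BaselinePath"
    return
}

if (-not (Test-Path $BaselinePath)) {
    throw "No baseline at $BaselinePath; run once with -SaveBaseline while SSO works."
}

# Index the baseline by protocol and path (assumed unique per endpoint).
$baseline = @{}
Import-Csv $BaselinePath | ForEach-Object { $baseline["$($_.Protocol)|$($_.AddressPath)"] = $_ }

# CSV values are strings, so compare the live booleans as strings.
$drift = foreach ($ep in $current) {
    $old = $baseline["$($ep.Protocol)|$($ep.AddressPath)"]
    $now = "Enabled=$($ep.Enabled) Proxy=$($ep.Proxy)"
    if (-not $old) {
        [pscustomobject]@{ AddressPath = $ep.AddressPath; Was = 'not in baseline'; Now = $now }
    } elseif ("$($ep.Enabled)" -ne $old.Enabled -or "$($ep.Proxy)" -ne $old.Proxy) {
        $was = "Enabled=$($old.Enabled) Proxy=$($old.Proxy)"
        [pscustomobject]@{ AddressPath = $ep.AddressPath; Was = $was; Now = $now }
    }
}

if ($drift) { $drift | Format-Table -AutoSize } else { Write-Output 'No endpoint drift from baseline.' }
```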