If your computers have Extended Protection for Authentication, and you use the Firefox, Google Chrome, or Safari browsers, you may not be able to sign on to Microsoft 365, depending upon your operating system. Instead, you will get an access denied message. This is due to the default configuration for Active Directory Federation Services (AD FS) 2.0 and Extended Protection for Authentication.
Unless and until Firefox, Google Chrome, and Safari support Extended Protection for Authentication, the recommended option is to install and use Internet Explorer 10 or later.
If you want to use single sign-on for Microsoft 365 with Firefox, Google Chrome, or Safari, there are two other solutions:
- Uninstall the Extended Protection patches from your computer.
- Change the Extended Protection setting on the Active Directory Federation Services 2.0 server. See “ExtendedProtectionTokenCheck” on the TechNet Set-ADFSProperties page for details.
Note: There may be security concerns in taking either of the approaches described above. For more details, see the Microsoft Support article Microsoft Security Advisory: Extended protection for authentication.
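The second option, as an added PowerShell example (not Microsoft's own script): it reports the current ExtendedProtectionTokenCheck value, logs the old value before any change so it can be reverted, and confirms the new value afterwards. The function name `Set-EpaTokenCheck` and the log path are hypothetical, and the example assumes the parameter's values are Require, Allow and None, with Allow as the AD FS default.

```powershell
# Added example, not Microsoft's code. Run elevated on the AD FS 2.0 federation server.
# Set-EpaTokenCheck and the log path are hypothetical names chosen for this example.
function Set-EpaTokenCheck {
    param(
        [ValidateSet('Require', 'Allow', 'None')]
        [string]$Desired,                                    # omit to only report
        [string]$LogPath = "$env:TEMP\adfs-epa-change.log"   # hypothetical path
    )

    # AD FS 2.0 ships its cmdlets as a snap-in; load it if it is not loaded yet.
    if (-not (Get-PSSnapin -Name Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue)) {
        Add-PSSnapin Microsoft.Adfs.PowerShell
    }

    $current = [string](Get-ADFSProperties).ExtendedProtectionTokenCheck
    Write-Output "Current ExtendedProtectionTokenCheck: $current"

    # Nothing requested, or already at the requested value: report and stop.
    if (-not $Desired -or $Desired -eq $current) { return }

    if ($Desired -eq 'None') {
        Write-Warning 'None turns off the channel binding token check for every client of this server.'
    }

    # Record the previous value first so the change can be reverted later.
    $stamp = Get-Date -Format s
    Add-Content -Path $LogPath -Value "$stamp $env:USERNAME $current -> $Desired"

    Set-ADFSProperties -ExtendedProtectionTokenCheck $Desired

    # Read the value back instead of trusting that the call succeeded.
    $after = [string](Get-ADFSProperties).ExtendedProtectionTokenCheck
    if ($after -ne $Desired) { throw "Setting did not take effect (still $after)." }
    Write-Output "ExtendedProtectionTokenCheck is now $after (was $current)."
}

Set-EpaTokenCheck                    # report only, changes nothing
# Set-EpaTokenCheck -Desired None    # the change the second option describes
# Set-EpaTokenCheck -Desired Allow   # revert (assumed default) once browsers support Extended Protection
```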