Forum Discussion
Multiple federated accounts cannot login to Outlook Desktop
Environment:
- AD FS on-prem
- Exchange Online Hybrid
Client:
- Domain bound Windows 10
- Office 2016
On the client machine, the user is set up with his mailbox in Outlook.
The user also needs to add an additional mailbox to their Outlook. When we try to add another account, it does not prompt for credentials and adds the account in Outlook right away. This is happening because the user is logged into the machine with his AD account, and AD FS uses those credentials and skips the authentication window even when we are trying to set up a new account.
How can this situation be handled so that the user can be allowed to set up another account in their Outlook?
Pontus Själander (Iron Contributor)
Hey!
How are you adding the new account to the current Outlook profile?
You could test to:
- Check Credential Manager for saved credentials for the new account you are trying to add, and clear them if there are any
- Shut down Outlook
- Open the Mail application through the Control Panel
- Show profiles
- Select the profile and click on Properties
- Add the new account under Email Accounts
kpsingh (Copper Contributor)
- The AD FS IdP URL is added under Trusted Sites in IE and controlled by the system admin through Group Policy.
- The AD FS IdP URL being in Trusted Sites makes the user auto-login to this site using his AD account login to the PC
- Credential Manager does not have any entry for the new account I'm trying to add
- I shut down Outlook
- Opened the Mail app from the Control Panel > added email and password
- Then I see the modern authentication prompt for about 2-3 seconds and then it disappears
- The config wizard says "Congratulations! Your email account was successfully configured and is ready to use."
- I closed the wizard and opened Outlook.
- Now I continuously see the modern authentication prompt appear/disappear
- The new mailbox is collapsed, and when I try to expand it I see the following message:
So, the issue still persists. I think when I try to add the new account, it redirects to the Microsoft modern authentication prompt. The Microsoft authentication prompt figures out that this domain is federated and redirects to our AD FS for authentication. On AD FS, the previous user is already signed in, so based on the single sign-on concept it uses the current session and passes the token to Microsoft. Now, Microsoft was expecting a token for the new account but received one for the existing mailbox, and hence we cannot authenticate to the new account.
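A client-side check for the conditions kpsingh describes (which IE zone the AD FS host is assigned to, by policy or by the user; that zone's "User Authentication > Logon" option, which decides whether the Windows session credentials are sent silently; and any saved Office credentials), added here as an example and not part of the thread. The function name, the AD FS host and the mailbox address are placeholders.

```powershell
# Added diagnostic, not from the thread. Assumptions: $AdfsHost is the federation
# service FQDN (placeholder), $Mailbox the address of the account being added.
function Get-AdfsSsoDiagnostics {
    param(
        [Parameter(Mandatory)][string]$AdfsHost,
        [Parameter(Mandatory)][string]$Mailbox
    )
    $zoneNames  = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
    $logonNames = @{ 0       = 'Automatic logon with current user name and password'
                     0x10000 = 'Prompt for user name and password'
                     0x20000 = 'Automatic logon only in Intranet zone'
                     0x30000 = 'Anonymous logon' }
    $ieBase  = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $polBase = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
    # Site-to-zone assignments: Group Policy (machine, then user) first, then the user's own additions
    $mapRoots = "HKLM:\$polBase\ZoneMap\Domains", "HKCU:\$polBase\ZoneMap\Domains", "HKCU:\$ieBase\ZoneMap\Domains"

    $zones = foreach ($root in $mapRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem $root -Recurse) {
            # Reassemble the host: key 'Domains\example.com\adfs' means adfs.example.com;
            # policy entries may keep the whole name in one key ('Domains\adfs.example.com').
            $parts = $key.Name.Substring($key.Name.IndexOf('\Domains\') + 9) -split '\\'
            [array]::Reverse($parts)
            if (($parts -join '.') -ne $AdfsHost) { continue }
            foreach ($scheme in 'https', 'http') {
                $zone = (Get-ItemProperty $key.PSPath -Name $scheme -ErrorAction SilentlyContinue).$scheme
                if ($null -eq $zone) { continue }
                # Value 1A00 under the zone key is the Logon option; a policy value overrides the user's
                $logon = $null
                foreach ($z in "HKLM:\$polBase\Zones\$zone", "HKCU:\$polBase\Zones\$zone", "HKCU:\$ieBase\Zones\$zone") {
                    $v = (Get-ItemProperty $z -Name '1A00' -ErrorAction SilentlyContinue).'1A00'
                    if ($null -ne $v) { $logon = $v; break }
                }
                [pscustomobject]@{
                    Source = $root; Scheme = $scheme; Zone = "$zone ($($zoneNames[$zone]))"
                    Logon  = if ($null -ne $logon) { $logonNames[[int]$logon] } else { 'not set (zone default)' }
                }
            }
        }
    }
    # Saved credentials Outlook could reuse silently for the new mailbox
    $creds = cmdkey /list | Where-Object { $_ -match 'Target:' -and ($_ -match [regex]::Escape($Mailbox) -or $_ -match 'MicrosoftOffice') }
    [pscustomobject]@{ ZoneAssignments = @($zones); SavedCredentials = @($creds) }
}

Get-AdfsSsoDiagnostics -AdfsHost 'adfs.example.com' -Mailbox 'shared@example.com' | Format-List
```

Run it in the affected user's session: an AD FS host in a zone whose Logon option is "Automatic logon with current user name and password" explains the prompt vanishing after a few seconds.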
Pontus Själander (Iron Contributor)
I see what you mean. If you create a whole new profile and add the new account, is it the same issue?
Just to make sure there aren't any "local" issues with the device/Office installation, I would add those accounts on a new VM that is 100% patched and see if you get the same result.