Forum Discussion
ADFS and SSO for Exchange Online
- Mar 15, 2019
Our organization was able to solve this problem and I documented the solution over on https://social.technet.microsoft.com/Forums/en-US/79c2050b-9977-4524-83a5-eb47d86e2f96/bypass-adfs-sso-url-side-door-into-portalofficecom?forum=ADFS Stephen Bell
They are effectively logging in with the current Windows credentials, as per the "magic" bit. Either disable the WIA auto-login in the browser options on those devices or remove the AD FS URL from the Intranet zone.
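A read-only check of the two settings named in the reply above, added here as an example and not part of any post in this thread. It reports which security zone the AD FS host is mapped to and the effective logon setting, in both the Group Policy and per-user registry locations, since a policy value takes precedence over a change made in Internet Options. `adfs.example.com` is a placeholder host name; the registry paths are the standard Internet Explorer zone locations.

```powershell
# Added diagnostic sketch. 'adfs.example.com' is a placeholder, not a value from the thread.
$AdfsHost = 'adfs.example.com'
$roots = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings',
         'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings',
         'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings',
         'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$zones = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$logon = @{ 0x00000 = 'Automatic logon with current user name and password'
            0x10000 = 'Prompt for user name and password'
            0x20000 = 'Automatic logon only in Intranet zone'
            0x30000 = 'Anonymous logon' }

foreach ($root in $roots) {
    # Site to Zone Assignment List (Group Policy): value name = site pattern, data = zone number
    $key = Get-Item -Path "$root\ZoneMapKey" -ErrorAction SilentlyContinue
    if ($key) {
        foreach ($name in $key.GetValueNames()) {
            $pattern = $name -replace '^[^:/]+://', ''   # drop a scheme such as https://
            if ($AdfsHost -like $pattern) {
                "{0}\ZoneMapKey: '{1}' -> zone {2}" -f $root, $name, $key.GetValue($name)
            }
        }
    }
    # Per-site mappings: ZoneMap\Domains\<domain>[\<host>], value name = protocol, data = zone
    $domains = "$root\ZoneMap\Domains"
    Get-ChildItem -Path $domains -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $parts = $_.Name.Substring($_.Name.IndexOf('\Domains\') + 9).Split('\')
        [array]::Reverse($parts)                         # example.com\adfs -> adfs.example.com
        $site = $parts -join '.'
        if ($AdfsHost -eq $site -or $AdfsHost.EndsWith(".$site")) {
            foreach ($proto in $_.GetValueNames()) {
                "{0}: {1} ({2}) -> zone {3}" -f $domains, $site, $proto, $_.GetValue($proto)
            }
        }
    }
    # Logon setting (value 1A00) for the Local intranet and Internet zones
    foreach ($z in 1, 3) {
        $zk = Get-Item -Path "$root\Zones\$z" -ErrorAction SilentlyContinue
        if ($zk -and $zk.GetValueNames() -contains '1A00') {
            $v = [int]$zk.GetValue('1A00')
            "{0}\Zones\{1} ({2}) 1A00 = 0x{3:X5}: {4}" -f $root, $z, $zones[$z], $v, $logon[$v]
        }
    }
}
```

A mapping or `1A00` value reported under a `Policies` root means the setting is managed by Group Policy, so the change has to be made there rather than on the client.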
- Stephen Bell, Dec 27, 2017, Iron Contributor
I think I have this done --
I removed our ADFS URL from the intranet zone, removed the internal DNS record that points to the inside of the ADFS environment. I now ping from this client and get an external IP address.
The WIA (or IWA? - I've seen it both ways??) - I went into IE on one of the clients, Security Tab --> Custom Level --> Login --> Prompt for user name and password.
Rebooted the PC 2 times and I am still getting auto login for my OWA URL? What am I missing?
Thanks
Steve
- Dec 08, 2017
You can also alter the AD FS Claim Issuance Rules so that those devices would be treated as externals (i.e. logging in outside your internal network). That way they would be offered a login form instead of signing in automatically.
- Stephen Bell, Dec 27, 2017, Iron Contributor
I am not sure how I would do this -- do you have an example of where you can link me to?
Thanks
Steve
- Stephen Bell, Jan 12, 2018, Iron Contributor
Still struggling with this one. Anyone have any input?
Thanks