Forum Discussion
New sign-in experience for Office 365, what's it about?
Today users in our tenant began getting prompted to try a new sign-in experience for Office 365. It looks a little different, but I'm unable to find documentation about what exactly has changed, and why?
I just want to be able to answer the inevitible questions that come up. Some of our users have already checked to see if they were getting phished.
Is it just me or does the new sign-in UI just not work at all with password managers? I use 1Password and I'm not able to successfully log in the first time, there's always an error, "Sorry, but we’re having trouble signing you in. We received a bad request."
On refresh I'm kicked over to the old sign in UI to try again.
- Kelvin Xia
Microsoft
Hey Paul,
We've tested with password managers and have no known issues with them. Some password managers might fail the very first time you go through the new experience but will start working for subsequent logins.
Are you loading the sign-in page from a bookmarked URL? If so, can you please share that URL? If it's not from a bookmark, please send me a PM with a step-by-step description of what URL you load and how you use 1Password prior to the error.
The new sign-in experience is nice, and reduces the number of clicks and clacks our users need to go through to enter the system. Thank You!
Kelvin Xia Is Microsoft working on consolidating all the various sign-in experiences into a single interface? Are we going to see this experience in AAD, ADFS, etc.?
- Kelvin XiaHi Beth, thanks for the kind words.
Yes, the intention of the new sign-in experience is to consolidate the look and feels of all of Microsoft's sign-in experiences. MSA and AAD now look the same and you can make ADFS have the same look and feel by applying the following web theme:
https://github.com/Microsoft/adfsWebCustomization/tree/master/centeredUi
Ya, so we have this slick Azure AD app installed on our on-premise Sharepoint hooked up to ADFS that presents users Office 365 mail and calendar in our SP portal site. Seemless SSO using angular and adal. All they do is sign in to our ADFS login and wait for a couple of page refreshes and it all loads in. Now our users get interrupted with this?
- Kelvin XiaWe're looking at pushing out a change to hide the prompt during SSO scenarios sometime early this week. I'll update this thread when it's out. Thanks for your patience.
- Kelvin XiaWe've released a change to not show the prompt in SSO scenarios. Please let me know if you continue to see the prompt in those cases.
Bill Barnwell there's a detailed discussion on this here: https://techcommunity.microsoft.com/t5/Azure-Active-Directory/The-new-Azure-AD-sign-in-and-Keep-me-signed-in-experiences/m-p/128267#M1022
You can disable that in the Azure AD admin center if you go to the edit company branding screen and toggle "show option to remain signed in" to "no".
Really pleased to see advanced notice being given for further changes to the new sign in experience. Like today's news about the new “Keep me signed in” experience and also the changes to the multi-factor authentication screens in the Message center post. This gives us the advance notice many of us are looking for and time to get ready for these changes. It's much appreciated!
My view of the developing issue... Posted to highlight the need for better communication within MIcrosoft and between Microsoft and its customers.
The Azure AD team changed the sign-in experience used by services like Office 365 to improve and rationalize it. But things didn’t work out so well as tenants reacted badly to the way Microsoft communicated the change. Or rather, failed to communicate the change.
https://www.petri.com/azuread-sign-changes-cause-problems-office-365Are the folks that are having difficulties with Office 2010 desktop apps using ADFS?
I'm asking because I'm curious if the forced Modern Authentication issue being discussed with 2010 desktop apps is also occuring if the environment uses ADFS.
- Kelvin Xia
Hi, I'm a Program Manager on the Identity Services team that owns the new Azure AD login UI. We're still investigating the issue with Office 2010 and think we might be close to a fix.
I would like to make a quick clarification: the new experience is solely a UI update with no changes in protocol. As such, there's no change to how authentication is done in the 2010 client apps - there's no change to how modern auth is used.
Thank you Kelvin.
Just to be clear:
I know that modern auth has never been supported in Office 2010 and my client should be aware of that too. So, as long as the limited functionality it has with Office 365 more or less remains the same, their expectations should also be met.
It seems that Microsoft is trying to just keep enabling Office 2010 to fall back to older auth methods like it has in the past. If so, that is great.
We are not using ADFS. We are using Okta for SSO.
Thanks for the link Scott. Wow you know things have got bad when El Reg weighs in.
I really appreciate Alex Simons explanation, which I quoted below for convenience but I am not sure how confident I am that this won't happen again.
"Hey guys – Appreciate the feedback here. Things we did differently this time:
1.) The changes were flighted with private preview customers first.
2.) We are doing a 30+ day public preview period that allows us to get your feedback.
3.) We are running the opt in period right nowI apologize that the blog post announcing the changes did not go up earlier. The dev team surprised us by getting the changes up and running a few days earlier than planned and we had to scramble to get the blog post up as fast as possible. We will figure out how to make sure that doesn’t happen next time.
Paul, it sounds like from your tweet that you would also like us to only offer the option to opt in to you, the admin rather than to the end-users themselves. That makes sense to me – we will look into doing that going forward.
Again, thanks for the input here and I’m really sorry the blog post didn’t go up before the changes were pushed out."
Here is the announcement - The new Azure AD Signin Experience is now in Public Preview:
"You might have noticed that we’ve been rolling out the new design on Microsoft accounts over the last few weeks. Now, it’s Azure AD’s turn. Starting today, you’ll see a banner on the Azure AD sign-in page giving users the option to opt-in to see the new experience."
There is a call to action, to test custom branding, check any automation is unaffected and to update documentation and training materials! As for timescales -
"We know that this will be a disruptive change for some of you, but we believe that this sets us up for an exciting future of innovation in the sign-in space. To give you time to prepare for the change, we’ll leave the new experience as an opt-in public preview for the next few weeks. We plan to switch over to the new UI by default during the last week of September."
The wrong place for such announcements, and came after the feature started showing up in tenants :-/
Cian Allner wrote:Here is the announcement - The new Azure AD Signin Experience is now in Public Preview:
And yet here we are. Frustrating."We know that this will be a disruptive change for some of you...."
Great to see we are not alone. He is my deleted comment from the blogpost on
https://blogs.technet.microsoft.com/enterprisemobility/2017/08/02/the-new-azure-ad-signin-experience-is-now-in-public-preview/I still waiting for Premier Support to assist. I think that will be interesting.
Well we sure aren't going to updating all our users to Office 2016 between now and then.
This will just make my users even less likely to want to use Office365.
Oh well, so it can be a breaking change also, another rollback incoming...
C_the_S make sure your TAM or the O365 support guys hear your feedback loud and clear on this, hopefully one day Microsoft will finally understand that such changes need to be thoroughly TESTED and ANNOUNCED well in advance.
DaniMartMS another ping, there's definitely some useful feedback for you guys to gather from this thread!
