Forum Discussion

Thomas Bak's avatar
Thomas Bak
Brass Contributor
Sep 28, 2016

SharePoint Online auto-acceleration

Has anyone enabled auto-acceleration in their SPO tenant?

 

I'm mainly responsible for SharePoint so IT owns the overall responsibility for our tenant and are careful about enabling this due to the following comment on Technet (Set-SPOTenant):

If your company has multiple third-party identity providers, configuring the sign-in acceleration value will break sign-in for your organization.

 

There's also no clear way of disabling it again but I found a blog post stating that you had to set the domain value in the powershell command to a blank space to disable it.

 

Has anyone experienced any issues with auto-acceleration?

  • Hi Thomas,

    I actually helped build and design this feature so I should be able to answer any questions you might have. Setting the auto-acceleration domain to a space should de-activate the feature.

    The case you mention is when a company has multiple identity providers (such as ADFS) for their users. The common case we see for this is when a company has an IdP for different regions. For example, perhaps Microsoft employees in the US authenticate at Microsoft.com while UK employees authenticate at Microsoft.uk. Because we can only send one domain hint to AAD, acceleration can only take one of these values. If you were to enter Microsoft.com as your auto-acceleration value, UK employees would be directed to Microsoft.com with no clear way to get to their normal authentication path.

    Hope that helps!

    Stephen Rice
  • Hi Thomas,

    I actually helped build and design this feature so I should be able to answer any questions you might have. Setting the auto-acceleration domain to a space should de-activate the feature.

    The case you mention is when a company has multiple identity providers (such as ADFS) for their users. The common case we see for this is when a company has an IdP for different regions. For example, perhaps Microsoft employees in the US authenticate at Microsoft.com while UK employees authenticate at Microsoft.uk. Because we can only send one domain hint to AAD, acceleration can only take one of these values. If you were to enter Microsoft.com as your auto-acceleration value, UK employees would be directed to Microsoft.com with no clear way to get to their normal authentication path.

    Hope that helps!

    Stephen Rice
    • Thomas Bak's avatar
      Thomas Bak
      Brass Contributor

      Thanks Stephen, I think that clears it up for me.

      I'm pretty confident that we should be able to set the auto-acceleration based on that information.

       

      Can you tell me how fast this setting kicks in, e.g. is it immediate when accessing a site in our domain or should we expect a slight delay? And de-activation will have the same timeframe?

      • Chris Moore's avatar
        Chris Moore
        Copper Contributor

        When we enabled this, it was fairly quick to take effect; I would also imagine disabling would be the same.

         

        We are encountering some side-effects since enabling it however; working on 3rd party SharePoint Online extranet sites at the same time as working on internal SPO sites (i.e. in different browser tabs) is hiking up some odd behaviours with page loading and form saving, effectively looking like the user is no longer authenticated.

         

        I've logged an SR for this, so will see how it proceeds.

Resources