Home

ADFS SSO sign-in as different user

%3CLINGO-SUB%20id%3D%22lingo-sub-206844%22%20slang%3D%22en-US%22%3EADFS%20SSO%20sign-in%20as%20different%20user%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-206844%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20have%20federation%20configured%20with%20Azure%20AD%20using%20ADFS%20with%20SSO%20enabled.%20This%20is%20working%20as%20expected.%20However%2C%20one%20slight%20issue%20for%20the%20admin%20team%20who%20are%20required%20to%20sign-in%20using%20different%20privileged%20credentials%2C%20different%20from%20their%20regular%20user%20account.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EProblem%20is%20ADFS%20SSO%20is%20automatically%20signing-in%20the%20user%20as%20the%20account%20logged-into%20Windows.%20E.g.%20'User%20runs%20a%20PowerShell%20command%20--%26gt%3B%20Authentication%20prompt%20comes-up%20--%26gt%3B%20user%20enters%20their%20privileged%20ID%20(different%20from%20their%20regular%20account)%20--%26gt%3B%20User%20enter%20their%20password%20--%26gt%3B%26nbsp%3Buser%20sign-in%20as%20their%20regular%20account%20rather%20than%20the%20privileged%20account%20they%20used%20at%20the%20sign-in%20screen%22.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20there%20a%20workaround%20for%20this%20issue%20other%20than%20using%20a%20non-domain%20joined%20laptop%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-206844%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3Eadfs%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EAzure%20AD%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESSO%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-370585%22%20slang%3D%22en-US%22%3ERe%3A%20ADFS%20SSO%20sign-in%20as%20different%20user%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-370585%22%20slang%3D%22en-US%22%3E%3CP%3EOur%20organization%20was%20able%20to%20solve%20this%20problem%20and%20I%20documented%20the%20solution%20over%20on%20%3CA%20title%3D%22TechNet%22%20href%3D%22https%3A%2F%2Fsocial.technet.microsoft.com%2FForums%2Fen-US%2F79c2050b-9977-4524-83a5-eb47d86e2f96%2Fbypass-adfs-sso-url-side-door-into-portalofficecom%3Fforum%3DADFS%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3ETechNet%3C%2FA%3E%20(%3CA%20href%3D%22https%3A%2F%2Fsocial.technet.microsoft.com%2FForums%2Fen-US%2F79c2050b-9977-4524-83a5-eb47d86e2f96%2Fbypass-adfs-sso-url-side-door-into-portalofficecom%3Fforum%3DADFS%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3E%22https%3A%2F%2Fsocial.technet.microsoft.com%2FForums%2Fen-US%2F79c2050b-9977-4524-83a5-eb47d86e2f96%2Fbypass-adfs-sso-url-side-door-into-portalofficecom%3Fforum%3DADFS%22%3C%2FA%3E)%26nbsp%3B%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F289689%22%20target%3D%22_blank%22%3E%40gperkins%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-370456%22%20slang%3D%22en-US%22%3ERe%3A%20ADFS%20SSO%20sign-in%20as%20different%20user%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-370456%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F289689%22%20target%3D%22_blank%22%3E%40gperkins%3C%2FA%3E%26nbsp%3BWe%20have%20developed%20a%20solution%20to%20this%20issue.%20Please%20see%20my%20answer%20on%20the%20TechNet%20forums%20here%3A%20%3CA%20title%3D%22ADFS%20TechNet%20Forum%22%20href%3D%22https%3A%2F%2Fsocial.technet.microsoft.com%2FForums%2Fen-US%2F79c2050b-9977-4524-83a5-eb47d86e2f96%2Fbypass-adfs-sso-url-side-door-into-portalofficecom%3Fforum%3DADFS%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3EADFS%20TechNet%20Forum%3C%2FA%3E%3C%2FP%3E%3CP%3E(%3CA%20href%3D%22https%3A%2F%2Fsocial.technet.microsoft.com%2FForums%2Fen-US%2F79c2050b-9977-4524-83a5-eb47d86e2f96%2Fbypass-adfs-sso-url-side-door-into-portalofficecom%3Fforum%3DADFS%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsocial.technet.microsoft.com%2FForums%2Fen-US%2F79c2050b-9977-4524-83a5-eb47d86e2f96%2Fbypass-adfs-sso-url-side-door-into-portalofficecom%3Fforum%3DADFS%3C%2FA%3E)%3C%2FP%3E%3CP%3EI%20hope%20that%20is%20useful.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-357277%22%20slang%3D%22en-US%22%3ERe%3A%20ADFS%20SSO%20sign-in%20as%20different%20user%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-357277%22%20slang%3D%22en-US%22%3E%3CP%3EVasil%2C%3C%2FP%3E%3CP%3EYou%20state%20%22%3CSPAN%3Eyou%20can%20disable%20WIA%2Fautologin%20by%20removing%20the%20AD%20FS%20URL%20from%20the%20local%20zone%3C%2FSPAN%3E%22%20I%20assume%20you%20mean%20using%20settings%20in%20the%20IE11%20browser%2C%20and%20the%20local%20Intranet%20zone%3F%26nbsp%3B%20These%20are%20set%20by%20group%20policy%20and%20blocked.%20So%20going%20back%20to%20Gurdev's%20question%2C%20that%20implies%20a%20non-domain%20workgroup%20computer%20which%20has%20no%20group%20policy.%20Is%20there%20no%20other%20method%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EFor%20example%2C%20our%20situation%2C%20we%20have%20many%20ADFS%20federated%20partner%20websites%20besides%20Office365.%20We%20want%20the%20locally%20loggedin%20non-privileged%20user%20to%20continue%20to%20have%20single%20signon%20to%20all%20those%20sites%2C%20including%20Office365.%20But%20also%20have%20the%20ability%2C%20as%20in%20Gurdev's%20question%2C%20to%20occasionally%20specify%20alternative%20credentials.%20One%20of%20the%20ADFS%20partner's%20allows%2C%20this%2C%20namely%20ServiceNow.%20They%20offer%20an%20alternate%20URL%20called%20side_door.%20That%20URL%20allows%20the%20user%20to%20specify%20a%20different%20user%20and%20password.%20Does%20Office%20365%20have%20a%20%22side%20door%22%20alternative%20URL%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-206886%22%20slang%3D%22en-US%22%3ERe%3A%20ADFS%20SSO%20sign-in%20as%20different%20user%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-206886%22%20slang%3D%22en-US%22%3E%3CP%3EYou%20should%20be%20able%20to%20start%20PowerShell%20as%20a%20different%20user%20(shift%2Bright-click%20or%20use%20the%20runas%20cmd).%20For%20other%20programs%2C%20you%20can%20disable%20WIA%2Fautologin%20by%20removing%20the%20AD%20FS%20URL%20from%20the%20local%20zone.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Gurdev Singh
Contributor

We have federation configured with Azure AD using ADFS with SSO enabled. This is working as expected. However, one slight issue for the admin team who are required to sign-in using different privileged credentials, different from their regular user account.

 

Problem is ADFS SSO is automatically signing-in the user as the account logged-into Windows. E.g. 'User runs a PowerShell command --> Authentication prompt comes-up --> user enters their privileged ID (different from their regular account) --> User enter their password --> user sign-in as their regular account rather than the privileged account they used at the sign-in screen".

 

Is there a workaround for this issue other than using a non-domain joined laptop?

4 Replies

You should be able to start PowerShell as a different user (shift+right-click or use the runas cmd). For other programs, you can disable WIA/autologin by removing the AD FS URL from the local zone.

Vasil,

You state "you can disable WIA/autologin by removing the AD FS URL from the local zone" I assume you mean using settings in the IE11 browser, and the local Intranet zone?  These are set by group policy and blocked. So going back to Gurdev's question, that implies a non-domain workgroup computer which has no group policy. Is there no other method?

 

For example, our situation, we have many ADFS federated partner websites besides Office365. We want the locally loggedin non-privileged user to continue to have single signon to all those sites, including Office365. But also have the ability, as in Gurdev's question, to occasionally specify alternative credentials. One of the ADFS partner's allows, this, namely ServiceNow. They offer an alternate URL called side_door. That URL allows the user to specify a different user and password. Does Office 365 have a "side door" alternative URL?

@gperkins We have developed a solution to this issue. Please see my answer on the TechNet forums here: ADFS TechNet Forum

(https://social.technet.microsoft.com/Forums/en-US/79c2050b-9977-4524-83a5-eb47d86e2f96/bypass-adfs-s...)

I hope that is useful.

Our organization was able to solve this problem and I documented the solution over on TechNet ("https://social.technet.microsoft.com/Forums/en-US/79c2050b-9977-4524-83a5-eb47d86e2f96/bypass-adfs-...@gperkins 

Related Conversations
Tabs and Dark Mode
cjc2112 in Discussions on
35 Replies
Extentions Synchronization
Deleted in Discussions on
3 Replies
flashing a white screen while open new tab
Deleted in Discussions on
14 Replies
Stable version of Edge insider browser
HotCakeX in Discussions on
35 Replies