
portal.office.com does not seamless single sign on

Tom Gould
Contributor

Am I missing something here? I configured seamless single sign on and pass through auth and everything is working great, except for portal.office.com.

Is this site excluded from automatically being signed in? If I go to outlook.office.com or any other direct Office 365 site, no issues!

I can repeat this across multiple tenants and configurations and labs. I would love to see if others are getting this experience too or if Microsoft is excluding this site on purpose.

7 Replies

Nope, my portal.office.com logs right in without having to enter anything. Works even better when joined to Azure AD, but it works on just local domain machines as well. Don't forget to add in your trusted sites from the article. Also I have Windows 10 machines set up with the work account. But it works well.

P.S. I don't use pass-thru auth, I use password sync only. But pretty sure it doesn't affect SSO cause my test domain was pass-thru.

I have all of the Microsoft recommended sites in the local intranet zone. Still no luck. 

Does your local Domain UPN match the Office 365 UPN?
Domain joined machine or Azure joined?

The "seamless" part of Seamless SSO is a bit of false advertising. Granted, things have gotten way better since the feature was initially rolled out, but it doesn't change the fact that Seamless SSO is possible for *some* apps only. Namely, those are applications that pass the domain_hint or similar parameters in the login request, which is used to bypass the HRD process. Other applications can be accessed via tenant-specific URLs, which also bypasses the HRD process and results in Seamless SSO. This is explained for example here: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-sso-faq#...

Or in more detail here: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-sso-how-...

The situation is akin to what we have with AD FS, the "seamless" part there also works when bypassing the HRD is possible.
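As an added illustration of the reply above (not part of the original thread), this Python sketch inspects a captured sign-in URL and reports whether it carries anything that lets Azure AD skip home realm discovery. The sample URLs, the client_id placeholder, the contoso.com tenant and the function name are constructed for the example; `whr` is included as the WS-Federation counterpart of `domain_hint`.

```python
from urllib.parse import urlsplit, parse_qs

LOGIN_HOST = "login.microsoftonline.com"
# Path prefixes that are not tied to one tenant, so HRD has to run.
GENERIC_TENANTS = {"common", "organizations", "consumers"}
# Protocol folders that follow the tenant segment in a sign-in URL.
PROTOCOL_SEGMENTS = {"oauth2", "saml2", "wsfed"}
# Query parameters that name the user's domain or account up front.
HINT_PARAMS = ("domain_hint", "login_hint", "whr")


def hrd_bypass_reasons(sign_in_url):
    """List why a sign-in request can skip HRD; an empty list means it cannot."""
    parts = urlsplit(sign_in_url)
    if (parts.hostname or "").lower() != LOGIN_HOST:
        raise ValueError(f"not a {LOGIN_HOST} sign-in URL: {sign_in_url}")
    reasons = []
    query = parse_qs(parts.query)  # parameters with empty values are dropped
    for name in HINT_PARAMS:
        values = [v.strip() for v in query.get(name, []) if v.strip()]
        if values:
            reasons.append(f"{name}={values[0]}")
    segments = [s for s in parts.path.split("/") if s]
    if (len(segments) >= 2 and segments[1].lower() in PROTOCOL_SEGMENTS
            and segments[0].lower() not in GENERIC_TENANTS):
        reasons.append(f"tenant endpoint={segments[0]}")
    return reasons


# Constructed sample requests (placeholder client_id, hypothetical tenant).
_BASE = "https://login.microsoftonline.com"
_QS = "client_id=00000000-0000-0000-0000-000000000000&response_type=code"
SAMPLES = {
    "generic": f"{_BASE}/common/oauth2/authorize?{_QS}",
    "hinted": f"{_BASE}/common/oauth2/authorize?{_QS}&domain_hint=contoso.com",
    "tenant": f"{_BASE}/contoso.com/oauth2/authorize?{_QS}",
    "empty_hint": f"{_BASE}/common/oauth2/authorize?{_QS}&domain_hint=",
    "wsfed": f"{_BASE}/login.srf?wa=wsignin1.0&whr=contoso.com",
}

if __name__ == "__main__":
    for label, url in SAMPLES.items():
        reasons = hrd_bypass_reasons(url)
        print(f"{label:11s}", reasons or "HRD runs: user must pick or type an account")
```

A request that returns an empty list is the case where the user is asked to pick or type an account before Seamless SSO can proceed.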

Yes - Domain UPN matched primary SMTP address. I feel like I have double checked everything. Would you be able to provide me the list of Microsoft sites that you have published to the Intranet and/or Trusted zones?

So, make sure you do this in IE initially. Chrome will prompt the first time for user login but no password and then going forward shouldn't ask as long as you don't have another account saved.

Anyway, one thing I think you need is your internet zone for the portal page. Try changing or making sure you have auto login with domain creds set.

Capture.JPG

This might be able to be tweaked to another zone by assigning portal.office.com if you don't like it here, but for testing purposes see if that's set.

What is your experience currently when you hit portal.office.com in IE? Just a login box every time? Are you using 2 factor?

When users on network go to portal.office.com from IE or Chrome while on network - they are getting prompted to click their name. We are not using MFA or 2FA.
