Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

Multiple federated accounts cannot login to Outlook Desktop

Copper Contributor

Environment:

  • AD FS on-prem
  • Exchange Online Hybrid

Client:

  • Domain bound Windows 10
  • Office 2016

 

On client machine, user is setup with his mailbox in Outlook.

User also requires to add additional mailbox in their Outlook. When we try to add another account, it does not prompt for credentials and adds the account in Outlook right away. This is happening because user is logged into machine with his AD account and AD FS uses those credentials and skips the authentication window even if we are trying to setup a new account.

 

How can this situation be handled and user can be allowed to setup another account in their Outlook?

6 Replies

Hey!
How are you adding the new account to the current Outlook profile?
You could test to:

  1. Check Credential Manager after saved credentials for the new account you are trying add, and clear them if there are any
  2. Shutdown Outlook
  3. Open the mail application through the control panel
  4. Show profiles
  5. Select the profile and click on properties
  6. Add the new account under email address

@Pontus Själander 

 

  • ADFS IDP URL is added under Trusted sites in IE and controlled by system admin through group policy. 
  • ADFS IDP URL being in Trusted sites makes user to auto-login to this site using his AD Account login to PC
  • Credential Manager do not have any entry for new account I'm trying to add
  • I shutdown Outlook
  • Opened Mail app from control panel > added email and password
  • Then I see prompt of modern authentication for about 2-3 seconds and then it disappears
  • Config wizard says "Congratulations! Your email account was successfully configured and is ready to use."
  • I closed wizard, opened Outlook.
  • Now, I continuously see modern authentication prompt appear/disappear
  • Newly mailbox is collapsed and when I try to expand it, I see following message:

Screenshot 2020-12-10 151917.png

 

So, the issue still persists. I think when I try to add new account, it redirects to Microsoft modern authentication prompt. Microsoft authentication prompts figures that this domain is federated and it redirects to our ADFS for authentication. On ADFS, previous user is already signed in so based on single-sign-on concept, it uses current session and pass token to Microsoft. Now, Microsoft was expecting token for a new account but it received for the existing mailbox and hence we cannot authenticate to new account.

I see what you mean. If you create a whole new profile, and add the new account, same issue?
Just for making sure that there isn't any "local" issues with the device/office installation I would have added those accounts on a new VM that is 100% patched and see if you have the same result

@Pontus Själander 

 

Same issue with fresh new profile as well.

There is no local issue on machine. This is a citrix environment and we have tested this on 2 different citrix machines as well and behavior is same everywhere.

Alright, that's good!
Next step for me, would be to do exactly the same thing on another user, just for trying to locate the issue. Might be some old attributes/autodiscover functions that is causing the issue on one of those specific accounts you are currently working with