Work account not added automatically - SSO not working with ADFS

Hi there,

We have a customer who has a synchronized AD. They use ADFS for Authentication and SSO, but SSO does not seem to work smoothly.

My guess is that the employees think SSO is working in some cases, because they have saved cookies or have active tokens. When I want to recreate the issue with a simple call of portal.office.com, I'm always redirected to the ADFS Site URL and I have to enter the password.

I checked the account information in the Windows 10 device, and I cannot see an added work account.

Shouldn't the Office 365 work account automatically be added here?

So what is missing here?

Kind regards,

Christian

3 Replies

Just using AAD Connect/AD FS on their own does not automatically add "work accounts". And for SSO, the redirect to AD FS is the expected behavior. If you want a truly seamless experience, you need to use "smart links" or similar functionality and make sure that Windows Integrated Auth is used.

@Vasil Michev I compared with a different customer who utilizes ADFS with AAD Connect and nothing else (as far as I know), and a new user will have their work account added immediately.

Would it be possible and useful to combine ADFS with Seamless SSO?