ADFS Behavior


Hi Experts,

I want to know/confirm some working behavior.

If I set up Microsoft ADFS in my environment with all its parameters, will my users inside the organization not be prompted for a password? For example:

If I am inside my company and have authenticated with my local Active Directory / domain controller on my laptop, and I try to open http://outlook.office365.com, I just need to enter my user account osama.mansoor@xcyz.com and then it will land me directly on the Office 365 portal page. Please correct me.

If I have enabled MFA, in that case an MFA prompt will appear.

However, if I open http://outlook.office365.com outside my organization, then the ADFS page will appear and I need to enter my user name and password, or if I have enabled MFA it will ask for MFA.


@osamamansoor

Yes, for the intranet it can be done by using Windows Integrated Authentication enabled in ADFS and in the browser (i.e. Internet Explorer) to avoid being prompted for credentials. Windows Integrated Authentication can also be set for Mozilla Firefox and Chrome via ADFS PowerShell cmdlets.
The ADFS URL should be added to IE > Security > Local intranet > Sites. This is done because IE > Security > Local intranet > Security Settings > User Authentication > Logon is configured to use the logged-in credentials for intranet sites.
Ensure that IE > Advanced > 'Enable Integrated Windows Authentication' is checked.

When accessing applications from outside the organization, Forms-Based Authentication is used, because Windows Integrated Authentication can't be used. In most cases, for authentication to apps both inside and outside the organization, ADFS can be set for both Windows Integrated Authentication and Forms-Based Authentication, and users can be presented with both options inside the intranet.
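The two ADFS-side settings the reply above refers to (extending Windows Integrated Authentication to Firefox/Chrome user agents, and offering both WIA and forms authentication on the intranet while keeping forms-only on the extranet) are set with the AD FS PowerShell module. The following is an added example written for this thread, not code posted by any participant; it assumes an existing AD FS farm, an elevated session on the primary AD FS server, and it uses the Set-AdfsProperties -WIASupportedUserAgents and Set-AdfsGlobalAuthenticationPolicy cmdlets and parameters that ship with the module. The "Mozilla/5.0" token is the commonly used value for matching Firefox and Chrome; it is a user-agent substring match, so treat it as a convenience setting, not a security control.

```powershell
# Added example (not from the thread): configure AD FS so that domain-joined
# browsers other than IE get Windows Integrated Authentication (WIA) on the
# intranet, while extranet requests (arriving via Web Application Proxy)
# keep forms-based authentication.
# Assumes: existing AD FS farm, elevated PowerShell on the primary AD FS server.
Import-Module ADFS

# 1. Record the current WIA user-agent allow list before changing anything.
$current = @((Get-AdfsProperties).WIASupportedUserAgents)
Write-Host "Current WIASupportedUserAgents:" ($current -join ', ')

# 2. Append the token matching Firefox/Chrome if it is not already present.
#    Values are substring-matched against the client's User-Agent header.
$token = 'Mozilla/5.0'
if ($current -notcontains $token) {
    Set-AdfsProperties -WIASupportedUserAgents ($current + $token)
}

# 3. Offer both WIA and forms on the intranet; forms only from the extranet.
Set-AdfsGlobalAuthenticationPolicy `
    -PrimaryIntranetAuthenticationProvider @('WindowsAuthentication', 'FormsAuthentication') `
    -PrimaryExtranetAuthenticationProvider @('FormsAuthentication')

# 4. Property changes take effect after the AD FS service restarts.
Restart-Service adfssrv

# 5. Verify the resulting configuration.
(Get-AdfsProperties).WIASupportedUserAgents
Get-AdfsGlobalAuthenticationPolicy |
    Select-Object PrimaryIntranetAuthenticationProvider, PrimaryExtranetAuthenticationProvider
```

Two practical checks go with this: the browser on the client still has to treat the federation service FQDN as an intranet site (the IE zone setting the reply describes, or the equivalent Firefox/Chrome policy), otherwise the browser will not send the Kerberos/NTLM token and the user falls back to the forms page; and because AD FS decides intranet versus extranet by whether the request came through the Web Application Proxy, a client on the corporate network that reaches ADFS through the proxy address will be treated as extranet.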
@aliat_IMANAMI

Thanks for the response.

Just to clarify for me again: after adopting ADFS, will Microsoft Teams / OneDrive no longer prompt for a password update after changing the Active Directory password (which is synced with Office 365 through AD Sync)?
Teams online and OneDrive online will not ask you for a password change, as they are being synced, but the Teams client and OneDrive client will ask you for credentials again as they are clients. For OneDrive you may have to go to Credential Manager and remove the old credentials, and then it may sync again with the updated changes.
Thanks for your response.
I am using the Microsoft Teams app (desktop version) and OneDrive (sync client), so will they prompt for the password after changing it in AD, although we deployed ADFS?

@osamamansoor

I checked and came to the conclusion that you will not be prompted for the password in the Teams/OneDrive/Outlook client when ADFS is configured.

My previous thought was that, being clients, they may save cached credentials and try to log in with those, or have a different method of authentication, but it is only a matter of the password sync time to AAD.

I actually checked it both within the intranet and outside, and both work the same way. My laptop was connected to the internet and it was asking for new credentials; before that it was letting me log in with cached credentials, but once I was logged in, all my apps used the same credentials automatically.