
Cant login to O365 when AD\account\logon to is enabled (ADFS)

David Lambrecht
Contributor

Hi, we are in a Hybrid environment with ADFS and Office 365. So when we log in to portal.office.com we first give our username and then are transferred to the ADFS portal internally. This works great. However, now we want to implement that users can only log in to some computers. And this works for the computer login, but from the moment we enable this the users can't log in to the O365 portal on any computer. Is this normal? Is there a solution for this? Kind Regards, David

3 Replies

Mind sharing the details of exactly what you've configured? And keep in mind that AD FS basically impersonates the user and logs him on to the server, so you need to allow for that.

@Vasil Michev

This is the only thing I changed.

Just added the 2 computers that he can log on to.

No ADFS or AD server added here.

[image: Snag_1524408f.png]

You need to add the AD FS servers to the list. Those restrictions apply to any interactive or remote login, as detailed for example here: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Question-about-AD-authenticat...
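The answer above boils down to one rule: the "Log On To" list (the user's LogonWorkstations attribute) must also name the AD FS servers, because AD FS performs the logon on the user's behalf. The PowerShell below is an added example, not code from the thread or from Microsoft; it assumes the ActiveDirectory module is available, that ADFS01 and ADFS02 are hypothetical NetBIOS names of the AD FS servers, and that OU=Staff,DC=example,DC=com is a placeholder OU. It reads a user's current list, appends only the AD FS names that are missing, and leaves users without any restriction untouched.

```powershell
# Added example (not from the thread): keep an AD "Log On To" restriction in place
# while still letting AD FS log the user on. Assumes the ActiveDirectory module;
# ADFS01/ADFS02 are hypothetical AD FS server names, replace with your own.
Import-Module ActiveDirectory

$AdfsServers = @('ADFS01', 'ADFS02')   # hypothetical NetBIOS names of the AD FS servers

function Get-LogonWorkstationList {
    param([Parameter(Mandatory)][string]$Identity)
    # LogonWorkstations (LDAP: userWorkstations) is a comma-separated list of NetBIOS names;
    # an empty value means "no restriction", which is what we must not accidentally create.
    $user = Get-ADUser -Identity $Identity -Properties LogonWorkstations
    if ([string]::IsNullOrWhiteSpace($user.LogonWorkstations)) { return @() }
    return @($user.LogonWorkstations -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Add-AdfsToLogonWorkstations {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [string[]]$Servers = $AdfsServers
    )
    $current = Get-LogonWorkstationList -Identity $Identity
    if ($current.Count -eq 0) {
        Write-Host "$Identity has no Log On To restriction; nothing to change."
        return
    }
    # -notcontains is case-insensitive, so ADFS01 and adfs01 are treated as the same host
    $missing = @($Servers | Where-Object { $current -notcontains $_ })
    if ($missing.Count -eq 0) {
        Write-Host "$Identity already allows: $($current -join ', ')"
        return
    }
    $updated = ($current + $missing) -join ','
    Set-ADUser -Identity $Identity -LogonWorkstations $updated
    Write-Host "$Identity Log On To is now: $updated"
}

# Usage: inspect one account, then fix every restricted account under a placeholder OU
Get-LogonWorkstationList -Identity 'david'
Get-ADUser -Filter 'LogonWorkstations -like "*"' -SearchBase 'OU=Staff,DC=example,DC=com' |
    ForEach-Object { Add-AdfsToLogonWorkstations -Identity $_.SamAccountName }
```

To confirm this is really the cause before changing anything, look at the Security log on the AD FS server at the time of a failed portal sign-in: the logon attempt is rejected with event 4625 carrying sub-status 0xC0000070 (account not allowed to log on from this workstation). Once the AD FS servers are in the list, the user's workstation restriction for ordinary desktop logons is unchanged.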
