Cant login to O365 when AD\account\logon to is enabled (ADFS)


Hi, we are in a hybrid environment with AD FS and Office 365. So when we log in to portal.office.com we first give our username and then are transferred to the AD FS portal internally. This works great. However, now we want to implement that users can only log in to some computers. And this works for the computer login, but from the moment we enable this the users can't log in to the O365 portal on any computer. Is this normal? Is there a solution for this? Kind regards, David

3 Replies

Mind sharing the details of exactly what you've configured? And keep in mind that AD FS basically impersonates the user and logs him on to the server, so you need to allow for that.

@Vasil Michev

This is the only thing I changed.

Just added the 2 computers that he can log on to.

No AD FS or AD server added here.

(screenshot: Snag_1524408f.png)

You need to add the AD FS servers to the list. Those restrictions apply to any interactive or remote login, as detailed for example here: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Question-about-AD-authenticat...
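The fix described in this reply, as an added example that is not part of the thread: a PowerShell script (ActiveDirectory RSAT module) that reads a user's "Log On To" list, which is the `LogonWorkstations` property backing the `userWorkstations` attribute, and appends the AD FS server names if they are missing. The user name and the AD FS server names are placeholders and must be replaced with your own; every server in the farm that performs the Windows logon on the user's behalf has to be listed, and the list is only enforced when it is non-empty.

```powershell
# Added example, not from the original thread.
# Ensures the AD FS servers are in a user's "Log On To" (LogonWorkstations) list so that
# federated sign-in to Office 365 is not rejected by the domain controller.
Import-Module ActiveDirectory

$User        = 'david'                 # sAMAccountName of the restricted user (placeholder)
$AdfsServers = @('ADFS01', 'ADFS02')   # NetBIOS names of the AD FS farm members (placeholders)

# LogonWorkstations is stored as one comma-separated string of NetBIOS computer names.
$acct    = Get-ADUser -Identity $User -Properties LogonWorkstations
$current = @($acct.LogonWorkstations -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })

# An empty list means "all computers"; only an explicit list triggers the restriction,
# so there is nothing to add in that case.
if ($current.Count -eq 0) {
    Write-Host "$User has no Log On To restriction; nothing to do."
    return
}

$missing = @($AdfsServers | Where-Object { $current -notcontains $_ })
if ($missing.Count -eq 0) {
    Write-Host "All AD FS servers already present: $($current -join ', ')"
    return
}

Write-Host "Adding missing AD FS servers: $($missing -join ', ')"
$updated = ($current + $missing) -join ','
Set-ADUser -Identity $User -LogonWorkstations $updated

# Show the resulting list so the change can be verified.
Get-ADUser -Identity $User -Properties LogonWorkstations |
    Select-Object SamAccountName, LogonWorkstations
```

Run it on a domain-joined admin workstation as an account allowed to modify the user object; the same check can be looped over every user that has a non-empty `LogonWorkstations` value to find accounts that will fail federated sign-in before users report it.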