08-03-2017 05:59 AM
Thanks for the link Scott. Wow you know things have got bad when El Reg weighs in.
I really appreciate Alex Simons explanation, which I quoted below for convenience but I am not sure how confident I am that this won't happen again.
"Hey guys – Appreciate the feedback here. Things we did differently this time:
1.) The changes were flighted with private preview customers first.
2.) We are doing a 30+ day public preview period that allows us to get your feedback.
3.) We are running the opt in period right now
I apologize that the blog post announcing the changes did not go up earlier. The dev team surprised us by getting the changes up and running a few days earlier than planned and we had to scramble to get the blog post up as fast as possible. We will figure out how to make sure that doesn’t happen next time.
Paul, it sounds like from your tweet that you would also like us to only offer the option to opt in to you, the admin rather than to the end-users themselves. That makes sense to me – we will look into doing that going forward.
Again, thanks for the input here and I’m really sorry the blog post didn’t go up before the changes were pushed out."
08-03-2017 06:43 AM
08-03-2017 06:54 AM - edited 08-03-2017 06:55 AM
I too am skeptical, but we've been hearing it for years, and Microsoft continues doing the same thing over and over and over. . .
08-03-2017 06:56 AM
Not everyone uses ADFS, we sure don't.
And for those that do, why isn't the theme ready now for this rollout?
08-03-2017 11:01 AM
So apparently Smart links do still work, the issue reported under the blog post comments was due to using outdated format.
BTW nice to see you here @SamuelD MSFT :)
08-03-2017 11:19 AM
Uh so my office 2010 users cannot open word documents anymore if they use the new sign in page. “The operation has been canceled due to restrictions in effect on this computer. Please contact your system administrator.” Untested changes like this seriously make me think we need to stay on premise.
08-03-2017 11:21 AM
we have the same issue if you clear IE cookies it works.
agree this is frustrating but for us, the push to Office 2016 is more pressing, not sure this would make us turn away from the cloud.
08-03-2017 11:26 AM
08-03-2017 11:47 AM
08-03-2017 12:27 PM
I'm the first to admit I have a lousy sense of humor, but I thought of this today . . .
Microsoft's new motto should be:
"Deploy now, ask forgiveness later"
08-04-2017 12:46 AM
An update on the Office 2010 issue from a few hours ago, which sounds more hopeful:
"We’re actively investigating the issues with Office 2010. We believe we might be close to a fix and appreciate your patience.
Office 2010 continues to work with the existing/old UI. If your users had opted-in to the new UI, they can clear IE (not Edge) browser cookies to go back to the old UI and unblock themselves in Office 2010."
08-04-2017 02:00 AM
They have claimed that the exsiting company branding should work with the new sign-in page. but the original O365 branding is showing on our page.
08-04-2017 10:26 AM
The new sign in page shares the same branding as the "classic" UI. Any updates you make to company branding in Azure Portal will show up in both experiences.
As for ADFS, we're working on a web theme that can be applied to your servers so your ADFS login looks like the new UI.
08-04-2017 10:30 AM
08-04-2017 10:32 AM
08-04-2017 11:56 AM
I had an issue in one enviroment where clearing the browser only allowed the doc to be opened. Once it closed it seemed to invoke the new Experience in the background and hence errored. Not fully investigated but may also cache in the Office 2010 application. We will just advise users not to use it.
08-05-2017 07:11 AM
08-05-2017 07:13 AM
08-05-2017 07:41 AM
I'm pleased Microsoft is trying to work this out with you, hopefully, the traces will reveal something.
So the problem is reoccurring randomly, even when reverting to the old sign-in experience after clearing cookies?
There seem to be more customers out there with Office 2010 connecting to Office 365 than I would have thought! I can see from Microsoft's point of view, why they are changing support for just subscription clients or Office perpetual clients within mainstream support, in a few years, to simplify these sorts of support issues.
08-05-2017 07:52 AM
Yeah, I've seen it a couple of times so it seems as though even though cookies are removed it still tries to default to MA.
I was talking to my manager about this very thing. I think MS has kind of handled this badly but at the end of the day, Office 2010 is 7-year-old software. In the future, this won't matter because theoretically, anyone with an O365 License will be running the updated desktop software.
that said the main thing holding us back is the workstation refresh which I would say is a challenge for most of, if not at least a lot of large environments
08-05-2017 01:25 PM
08-06-2017 06:21 AM
@John Guy wrote:
I have also noted this change and have had no announcment in the message center.
Also documentation available and customisable areas available with branding.
It's appeared in the message center as of yesterday - New sign-in experience for Office 365 and other Microsoft services:
08-07-2017 07:16 AM
08-07-2017 12:47 PM
08-07-2017 02:10 PM
Are the folks that are having difficulties with Office 2010 desktop apps using ADFS?
I'm asking because I'm curious if the forced Modern Authentication issue being discussed with 2010 desktop apps is also occuring if the environment uses ADFS.
08-07-2017 02:46 PM
Hi, I'm a Program Manager on the Identity Services team that owns the new Azure AD login UI. We're still investigating the issue with Office 2010 and think we might be close to a fix.
I would like to make a quick clarification: the new experience is solely a UI update with no changes in protocol. As such, there's no change to how authentication is done in the 2010 client apps - there's no change to how modern auth is used.
08-07-2017 03:05 PM
Thank you Kelvin.
Just to be clear:
I know that modern auth has never been supported in Office 2010 and my client should be aware of that too. So, as long as the limited functionality it has with Office 365 more or less remains the same, their expectations should also be met.
It seems that Microsoft is trying to just keep enabling Office 2010 to fall back to older auth methods like it has in the past. If so, that is great.
08-08-2017 06:07 AM
My view of the developing issue... Posted to highlight the need for better communication within MIcrosoft and between Microsoft and its customers.
The Azure AD team changed the sign-in experience used by services like Office 365 to improve and rationalize it. But things didn’t work out so well as tenants reacted badly to the way Microsoft communicated the change. Or rather, failed to communicate the change.
08-08-2017 10:01 AM
Hey Robert - we rolled out a fix to the Office 2010 issue and users should now be unblocked.
Also, AFAIK, there are no plans to change how Office 2010 does auth. The UI might change, but not protocol.
08-08-2017 10:14 AM
Hey everyone, we rolled out a fix for the Office 2010 issue and users should be unblocked now. Thanks to Scott and Cary for the invaluable help with debugging this issue and thanks everyone for your patience.
As mentioned in an earlier reply, the new experience is solely a UI change and there's no change to protocol. Discussions about modern auth being forced in Office 2010 are inaccurate.
We're tracking one more issue: Prompts showing up asking users to pick an account which is affecting SSO and PTA for some users. This is caused by an unrelated change Office 365 pushed out at around the same time as our release. I'm tracking the fix with that team and will provide an update when I know more.
08-09-2017 12:49 AM
Any information about the fix.
I still see the 'operation cancelled due to restrictions' in our WIndows7/ Office 2010 environment. Anyone else still have issues?
Specificaly mine is when opting for the new experience again at the point of opening a document from onedrive in local word and redirect from the my-sharepoint pages as soon as I select the account I want to use the autologin box kicks in then I get the warning.
08-10-2017 02:16 AM
In our Tenant we still having the issue trying to edit office documents with office 2010.
08-10-2017 03:20 AM - edited 08-10-2017 04:42 AM
We are still seeing the same issues. Maybe we have a differnet issue. Can anyone here confirm the same symptoms?
It allows us to download the file or edit in browser, but the edit in Word option gives us an additional log in session/ credentials check, if I opt to use the new I get the error if I go back to the old I can get in fine.
If the fix is deployed it's a little worrying.
We are heavily pushing use of Onedrive over USB drives and this will cause some issues and lack of confidence if staff and students find files unable to edit in the full packages.
08-10-2017 11:02 AM
08-12-2017 11:02 AM
@Kelvin Xia the MSDN subscription page (well the new one, my.visualstudio.com) does NOT work correctly with the new sign-in experince. It ends up in a login loop.
09-19-2017 10:00 AM
Really pleased to see advanced notice being given for further changes to the new sign in experience. Like today's news about the new “Keep me signed in” experience and also the changes to the multi-factor authentication screens in the Message center post. This gives us the advance notice many of us are looking for and time to get ready for these changes. It's much appreciated!
11-17-2017 07:44 AM
Ya, so we have this slick Azure AD app installed on our on-premise Sharepoint hooked up to ADFS that presents users Office 365 mail and calendar in our SP portal site. Seemless SSO using angular and adal. All they do is sign in to our ADFS login and wait for a couple of page refreshes and it all loads in. Now our users get interrupted with this?
11-17-2017 09:08 AM
You can disable that in the Azure AD admin center if you go to the edit company branding screen and toggle "show option to remain signed in" to "no".
11-19-2017 11:28 AM
@Bill Barnwell there's a detailed discussion on this here: https://techcommunity.microsoft.com/t5/Azure-Active-Directory/The-new-Azure-AD-sign-in-and-Keep-me-s...
11-20-2017 12:21 AM
11-20-2017 11:50 PM
11-20-2017 11:56 PM
Now I'm not seeing the prompt at all, for cloud-only IDs as well. It's not disabled in the branding, and I've tried it on another tenant just to be sure.
11-21-2017 12:32 AM
OK, now it's showing again... sometimes :) I guess code is still propagating through the service...