SOLVED
Home

Outlook and SSO

%3CLINGO-SUB%20id%3D%22lingo-sub-251710%22%20slang%3D%22en-US%22%3EOutlook%20and%20SSO%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-251710%22%20slang%3D%22en-US%22%3E%3CP%3EI%20have%20an%20O365%20tennant%20with%20Azure%20AD%20being%20the%20only%20directory%20source.%26nbsp%3B%20If%20I%20join%20a%20machine%20to%20Azure%20AD%2C%20thus%20requiring%20the%20Azure%20AD%20sign-on%20to%20be%20used%20for%20login%2C%20should%20Outlook%20be%20able%20to%20sign-in%20automatically%3F%26nbsp%3B%20It%20appears%20to%20do%20this%20for%20Teams%20and%20SharePoint%20from%20what%20I%20can%20see%20however%20Outlook%20isn't%20working%20this%20way%20and%20users%20are%20prompted%20with%20AzureAD%5Cuseraccount%20for%20the%20username%20and%20to%20enter%20their%20password.%26nbsp%3B%20Does%20another%20app%20need%20to%20be%20set%20in%20Azure%20for%20SSO%20aside%20from%20the%20defaults%20which%20are%20there%3F%26nbsp%3B%20I%20believe%20it%20impacts%20Skype%20for%20Business%20as%20well%20for%20the%20original%20sign-in%20prompt%20as%20well%20as%20the%20Exchange-integrated%20prompt.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20objective%20is%20to%20ensure%20logged%20in%20users%20to%20an%20AzureAD-connected%20Windows%2010%20workstation%20are%20not%20prompted%20for%20credentials%20to%20access%20Office365%20services%20at%20a%20minimum.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20there%20a%20good%20reference%20document%20to%20accomplish%20this%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDave%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-267761%22%20slang%3D%22en-US%22%3ERe%3A%20Outlook%20and%20SSO%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-267761%22%20slang%3D%22en-US%22%3E%3CP%3EYou%20should%20also%20enable%20it%20for%20Skype%20for%20Business%2C%20if%20you%20haven't%20already.%20It%20is%20even%20recommended%20to%20have%20it%20enabled%20both%20for%20Exchange%20and%20Skype.%20%3CA%20href%3D%22https%3A%2F%2Fsocial.technet.microsoft.com%2Fwiki%2Fcontents%2Farticles%2F34339.skype-for-business-online-enable-your-tenant-for-modern-authentication.aspx%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsocial.technet.microsoft.com%2Fwiki%2Fcontents%2Farticles%2F34339.skype-for-business-online-enable-your-tenant-for-modern-authentication.aspx%3C%2FA%3E%3C%2FP%3E%3CP%3EAs%20it%20says%20in%20the%20article%2C%20Modern%20Auth%20is%20enabled%20by%20default%20for%20new%20tenants%20since%202017%20August%201.%20So%20i%20guess%20your%20tenant%20is%20older%20(like%20mine%20was).%20As%20we%20are%20using%20local%20AD%2C%20i%20also%20had%20to%20add%20SIP%20address%20for%20a%20user%20into%20ProxyAddresses%20attribute%20for%20Skype%20to%20find%20correct%20username%20automatically%2C%20but%20in%20your%20case%20this%20is%20probably%20not%20needed.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-267659%22%20slang%3D%22en-US%22%3ERe%3A%20Outlook%20and%20SSO%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-267659%22%20slang%3D%22en-US%22%3E%3CP%3EFor%20the%20record%2C%20modern%20authentication%20was%20set%20to%20'false'%20for%20this%20tenant%2C%20thus%20the%20issue%20I%20encountered.%26nbsp%3B%20As%20soon%20as%20I%20enabled%2C%20it%20worked%20as%20expected.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-252620%22%20slang%3D%22en-US%22%3ERe%3A%20Outlook%20and%20SSO%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-252620%22%20slang%3D%22en-US%22%3E%3CP%3EVictor%2C%20I%20happened%20to%20notice%20your%20reply%20first%20due%20to%20my%20slow%20email%20reading%20today%20and%20I%20did%20notice%20that%20for%20this%20tennant%20OAuth2%20was%20set%20to%20%24false.%26nbsp%3B%20I've%20adjusted%20the%20setting%20and%20will%20test.%26nbsp%3B%20I%20knew%20it%20was%20something%20simple%20for%20starters%20and%20recall%20reading%20about%20the%20Modern%20authentication%20option...I%20simply%20didn't%20connect%20the%20dots.%26nbsp%3B%20I'll%20chime%20in%20with%20test%20results%20when%20I%20have%20them.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-252462%22%20slang%3D%22en-US%22%3ERe%3A%20Outlook%20and%20SSO%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-252462%22%20slang%3D%22en-US%22%3EDo%20you%20have%20Modern%20Authentication%20enabled%20for%20Exchange%20Online%3F%3CBR%20%2F%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fsupport.office.com%2Fen-gb%2Farticle%2Fenable-or-disable-modern-authentication-in-exchange-online-58018196-f918-49cd-8238-56f57f38d662%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsupport.office.com%2Fen-gb%2Farticle%2Fenable-or-disable-modern-authentication-in-exchange-online-58018196-f918-49cd-8238-56f57f38d662%3C%2FA%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-252460%22%20slang%3D%22en-US%22%3ERe%3A%20Outlook%20and%20SSO%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-252460%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Dave%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20would%20suggest%20you%20to%20refer%20the%20below%20article...%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FAzure-Active-Directory-Identity%2FAzure-AD-Join-on-Windows-10-devices%2Fba-p%2F244005%22%20target%3D%22_blank%22%3Ehttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FAzure-Active-Directory-Identity%2FAzure-AD-Join-on-Windows-10-devices%2Fba-p%2F244005%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAnd%20would%20suggest%20to%20send%20a%20message%20to%20Alex%20Simons%2C%20if%20further%20questions.%20As%20according%20to%20the%20post%20SSO%20seems%20possible%20for%20Outlook%20in%20Azure%20AD%20joined%20machines.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERobin%20Nishad%3C%2FP%3E%3CP%3E--------------------%3C%2FP%3E%3CP%3ETechnical%20Consultant%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Dave Durand
New Contributor

I have an O365 tennant with Azure AD being the only directory source.  If I join a machine to Azure AD, thus requiring the Azure AD sign-on to be used for login, should Outlook be able to sign-in automatically?  It appears to do this for Teams and SharePoint from what I can see however Outlook isn't working this way and users are prompted with AzureAD\useraccount for the username and to enter their password.  Does another app need to be set in Azure for SSO aside from the defaults which are there?  I believe it impacts Skype for Business as well for the original sign-in prompt as well as the Exchange-integrated prompt.

 

The objective is to ensure logged in users to an AzureAD-connected Windows 10 workstation are not prompted for credentials to access Office365 services at a minimum.

 

Is there a good reference document to accomplish this?

 

Dave

5 Replies
Highlighted

Hi Dave

 

I would suggest you to refer the below article...

 

https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Azure-AD-Join-on-Windows-10-d...

 

And would suggest to send a message to Alex Simons, if further questions. As according to the post SSO seems possible for Outlook in Azure AD joined machines.

 

Thanks

 

Robin Nishad

--------------------

Technical Consultant

Highlighted
Solution
Highlighted

Victor, I happened to notice your reply first due to my slow email reading today and I did notice that for this tennant OAuth2 was set to $false.  I've adjusted the setting and will test.  I knew it was something simple for starters and recall reading about the Modern authentication option...I simply didn't connect the dots.  I'll chime in with test results when I have them.

Highlighted

For the record, modern authentication was set to 'false' for this tenant, thus the issue I encountered.  As soon as I enabled, it worked as expected.

Highlighted

You should also enable it for Skype for Business, if you haven't already. It is even recommended to have it enabled both for Exchange and Skype. https://social.technet.microsoft.com/wiki/contents/articles/34339.skype-for-business-online-enable-y...

As it says in the article, Modern Auth is enabled by default for new tenants since 2017 August 1. So i guess your tenant is older (like mine was). As we are using local AD, i also had to add SIP address for a user into ProxyAddresses attribute for Skype to find correct username automatically, but in your case this is probably not needed.

Related Conversations