Windows 10 1809, O365 Hybrid, ADFS 3.0 (2012 R2), Office 365 ProPlus (2016) - Identities and Confusion

  • Question

  • Hey team! Reposting into an Office forum.

    I am currently struggling to understand my environment, and keep up with all the authentication changes going on in O365 and Azure AD.

    Recently I've noticed users getting a prompt after authenticating, to basically add their work account to Windows 10. It then appears under Settings > Accounts > Email & app accounts, as well as Settings > Accounts > Access work or school. It would show 'Connected to *** AD domain' which is normal due to our AD domain, and the new entry 'Work or school account'.

    Where has this entry come from? How is it used?

    So far removing this entry from Windows 10 seems to help Outlook with authenticating.

    My environment:

    Internal AD Domain. Let's call it contoso.com.au.

    ADFS 3.0 in use. Internal DNS pointing to ADFS server. External DNS pointing to ADFS Proxy server.

    Office 365 in use, AAD, Exchange Hybrid, AAD Connect syncing records. @contoso.mail.onmicrosoft.com

    Windows devices joined to internal AD to authenticate to internal AD resources.

    We want SSO to work for Office 2016 (365 ProPlus) so Outlook, S4B, Word etc. use Windows Auth with ADFS to authenticate users seamlessly. It seems to have been working (mostly) for some time now.

    Exchange Online has Modern Auth enabled:

    PS> Get-OrganizationConfig | fl OAuth*

    OAuth2ClientProfileEnabled : True

    This ADFS endpoint has been enabled: /adfs/services/trust/13/windowstransport

    ADFS Auth Policies, Global, has Forms for Extranet, and Forms+Win for Intranet.

    Windows IE Intranet site includes the ADFS endpoint. Verified by browsing to adfs from IE and checking File > Properties.

    Intranet site has 'Automatic log-on only in Intranet zone' enabled.

    My problem:

    Recently Outlook auth is acting up. On my machine, Windows 10 1803, I put it to sleep last night before leaving the office. When I woke it up this morning, it appears to have woken up at some point, as the battery was dead. It probably restored from hibernation. But Outlook was immediately prompting for a password. I closed Outlook and reopened it. Now I was getting a forms-based ADFS auth prompt. It shouldn't, as I'm domain joined and inside the network. I checked DNS; I was resolving my ADFS endpoint to the internal server. I removed the Win10 'work or school account' but didn't see an immediate change in Outlook. After some time researching I started Outlook again and it went in fine, connected, synced mail, and all folders are up to date.

    After writing this I feel like the endpoint '/adfs/services/trust/13/windowstransport' is what causes Win10 to add the 'work or school account'?

    Maybe my problem is related to Primary Refresh Token and the 4 hour retry period, as per this article?: https://jairocadena.com/2016/11/08/how-sso-works-in-windows-10-devices/ . I don't understand this part fully, whether it applies to my environment, or how to check it.

    I am happy to receive any advice or questions, or to provide further information :).

    Update: 

    So the biggest annoyance is how Office 365 ProPlus is treating Identities for me right now.

    I found these entries in the registry, under HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity, in Identities and Profiles:

    SoMeRaNd-OmGu-IdFo-RmYA-dAlCoNnEcTiOn_ADAL

    myupn@contoso.com.au_AD

     

    When launching any Office app, all the Connected Services are no longer shown. It's signed in, but I believe it's using the AD identity. If I click 'Sign out' it seems to simply revert to the ADAL identity, as it's still signed in but new links are shown, 'Change photo' and 'About me', and the Connected Services have returned.

    Moreover, I notice these changes in the registry: a new value 'SignedOutADUser' is added, and after closing and reopening the Office app the 'myupn@contoso.com.au_AD' entry is removed.

    I have read that in a recent Office version (16.0.7967?) ADAL is being replaced with WAM, and that you can add the registry entry 'DisableADALatopWAMOverride', but it didn't seem to do anything for me, or I don't think it's quite related to my problem?

    We have a subscription in the Partner Network, so I thought I could get good support if I lodged a ticket through there. But after an hour-long phone call they were trying to prove that Office is fine or not an issue, resetting the license repeatedly, signing out and in repeatedly, only to say at the end that we have a hybrid environment and he can't support me with it. Microsoft Ticket #12814311. He was going to try to find some online resources / articles for me and email them over. I'm still holding my breath.

    I'm also starting to think my ADFS setup isn't the issue here, as whenever I go to https://login.microsoftonline.com in a browser it never has issues authenticating me without entering a password.

    Does anyone have any insight into what I'm seeing with identities and the registry? Where is the _AD identity coming from, and how would I stop it, if the ADAL identity seems to be working fine?

    Wednesday, January 30, 2019 2:35 AM
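The client-side state the post is reasoning about (the Office identity cache under HKCU\...\Office\16.0\Common\Identity, the Windows 10 Primary Refresh Token, and the IE intranet-zone mapping for the ADFS host) can be read in one pass. The following PowerShell is an added example, not code from the original post or from Microsoft. It assumes the ADFS service name is adfs.contoso.com.au (the post gives only the domain), reads only registry values and dsregcmd output that exist on Windows 10 / Office 16.0, and changes nothing; run it as the affected user in a non-elevated session.

```powershell
# Added example (not from the original post). Snapshot of the client-side SSO and
# Office identity state on a domain-joined Windows 10 machine with Office 365 ProPlus.
# Assumption: the ADFS service name is adfs.contoso.com.au.
$AdfsHost = 'adfs.contoso.com.au'

function Get-OfficeIdentityState {
    # Office 16.0 caches signed-in identities as subkeys of ...\Identity\Identities.
    # Names ending in _ADAL are Azure AD (ADAL/WAM) identities; names ending in _AD
    # are on-premises AD identities, as seen in the post.
    $base = 'HKCU:\Software\Microsoft\Office\16.0\Common\Identity'
    $ids = Get-ChildItem -Path "$base\Identities" -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Name = $_.PSChildName
                Type = if ($_.PSChildName -like '*_ADAL') { 'AzureAD (ADAL/WAM)' }
                       elseif ($_.PSChildName -like '*_AD') { 'On-prem AD' }
                       else { 'Other' }
            }
        }
    $common = Get-ItemProperty -Path $base -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Identities                 = $ids
        SignedOutADUser            = $common.SignedOutADUser
        EnableADAL                 = $common.EnableADAL
        DisableADALatopWAMOverride = $common.DisableADALatopWAMOverride
    }
}

function Get-PrtState {
    # dsregcmd /status reports join state and whether a Primary Refresh Token (PRT)
    # is present for the signed-in user; without a PRT there is no Windows-level SSO
    # and Office has to obtain tokens itself (and may end up at ADFS forms auth).
    $out  = & dsregcmd.exe /status
    $want = 'AzureAdJoined','DomainJoined','WorkplaceJoined',
            'AzureAdPrt','AzureAdPrtUpdateTime','WamDefaultSet'
    $state = [ordered]@{}
    foreach ($line in $out) {
        if ($line -match '^\s*(\S+)\s*:\s*(.*)$' -and $want -contains $matches[1]) {
            $state[$matches[1]] = $matches[2].Trim()
        }
    }
    [pscustomobject]$state
}

function Get-IntranetZoneState {
    param([Parameter(Mandatory)][string]$HostName)
    # Silent Windows-integrated auth to ADFS requires the ADFS host in the Local
    # intranet zone (zone id 1), either per user (ZoneMap\Domains) or via the
    # "Site to Zone Assignment List" policy (ZoneMapKey), and the zone logon
    # setting (value 1A00) at 0x20000 = "Automatic logon only in Intranet zone"
    # (0 = always automatic also works; 0x10000 = prompt; 0x30000 = anonymous).
    $parts   = $HostName.Split('.')
    $label   = $parts[0]
    $domain  = ($parts[1..($parts.Count - 1)]) -join '.'
    $userKey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$domain\$label"
    $gpoKey  = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
    $zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1'

    $userZone = (Get-ItemProperty -Path $userKey -Name https -ErrorAction SilentlyContinue).https
    $gpoZone  = (Get-ItemProperty -Path $gpoKey -Name "https://$HostName" -ErrorAction SilentlyContinue)."https://$HostName"
    $logon    = (Get-ItemProperty -Path $zoneKey -Name 1A00 -ErrorAction SilentlyContinue).'1A00'
    $resolved = (Resolve-DnsName -Name $HostName -Type A -ErrorAction SilentlyContinue).IPAddress

    [pscustomobject]@{
        AdfsHost          = $HostName
        UserZoneMap       = $userZone                      # 1 = Local intranet
        GpoZoneMap        = $gpoZone                       # 1 = Local intranet
        IntranetLogonMode = ('0x{0:X}' -f [int]$logon)     # 0x20000 expected
        ResolvesTo        = ($resolved -join ',')          # should be the internal ADFS server
    }
}

Get-OfficeIdentityState              | Format-List
Get-PrtState                         | Format-List
Get-IntranetZoneState -HostName $AdfsHost | Format-List
```

Compare the Office identity list against what the post describes: an `_ADAL` entry alone is the normal Azure AD sign-in, while an extra `<UPN>_AD` entry next to it is the on-premises identity the poster saw Office switch to. If `AzureAdPrt` reports NO after a resume from hibernation, the PRT refresh the linked article discusses is the thing to look at; if the zone mapping or logon mode is missing, ADFS forms auth on the intranet is expected regardless of the PRT.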

All replies

  • Hi TheManInOz,

    Thanks for visiting our forum. Sorry, but here we mainly focus on general issues about the RTM release versions of Office 2016, 2019 and the Office 365 ProPlus desktop client. Since your query is more related to Office 365 and Azure AD, I am afraid there is little we can help with here. As regards Office 365 for Admins, there is a dedicated Answers community for Office 365 for Admins which you can have a look at to see if it is more appropriate for this issue. I noticed that you have already opened a Microsoft ticket; due to the limitations of forum support, personally I'd suggest focusing more on the ticket. Thanks for your understanding.

    Regards,

    Yuki Sun


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.


    Thursday, January 31, 2019 3:08 AM
    Moderator