Can I leverage AD FS (in 2012 R2) to avoid password prompts in Outlook 2016 when accessing Exchange Online?

  • Question

  • I have just implemented AD FS to enable Office 365 federation in order to ease access to SharePoint Online for users on the corp network. This seems to work.

    Now I am wondering if there is something I can do with AD FS to avoid the password prompts from Outlook 2016? Users are inside the corp network and mailboxes are in Exchange Online.

    I know that users can just ask Outlook to save the password in the Windows credentials store, but I am hoping to avoid the prompt altogether?

    Can this be achieved?

    Monday, August 8, 2016 6:16 PM

All replies

  • Yes, that credentials prompt can be avoided altogether by using ADFS. However, it may pop up every now and then. An example would be when users change their passwords on the corporate network, then the first time they open Outlook online after that Outlook will prompt for a password just one time, and won't do so again so long as the user checks the box to save the password. Be advised though I have never set up ADFS personally, so I can't offer specifics on that part.

    Best Regards, Todd Heron | Active Directory Consultant

    Monday, August 8, 2016 8:53 PM
  • Thanks for the quick reply. What you describe is actually just Outlook itself caching the credentials. It does not use or need AD FS for that. And I was indeed looking to avoid users having to re-save their passwords in Outlook whenever they change them.

    Thomas

    Monday, August 8, 2016 9:33 PM
  • To "synchronize" the credentials and avoid the password prompts, you will need to purchase the Azure AD Connect tool, formerly known as "Directory Synchronization" (or DirSync for short). With ADFS already set up to federate between your corporate network and Microsoft Office 365 Online, what DirSync will do is synchronize the credentials between your corporate domain and the credentials at Office 365 Online. Users won't be prompted a second time for a password when they access Outlook in this scenario.

    Best Regards, Todd Heron | Active Directory Consultant

    Tuesday, August 9, 2016 1:09 AM
  • We already use AAD Connect. (I do not really think that you can do federation without it or one of its predecessors, and it is a free tool).

    But AAD Connect plays no role in the actual authentication process. The password sync, which it can configure (and which we use), only serves the purpose (for federated organisations) of having an easy fallback for authentication in Azure if our AD / AD FS / Firewall should suffer a critical failure.

    Tuesday, August 9, 2016 1:11 PM
  • That is correct Thomas.

    AAD Connect is not something that you must purchase. It was the same for AAD Sync, and DirSync.

    You can look at enabling Modern Authentication. That is where you want to place your focus. It must be manually enabled for EXO and SfBO.

    Users will still get an initial prompt, but this can then be used to auth and the token persisted. Eventually the auth must reoccur, but it is far less frequent. The token life cycle is on TechNet.


    Cheers,

    Rhoderick

    Microsoft Senior Exchange PFE

    Blog: http://blogs.technet.com/rmilne

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Monday, August 15, 2016 1:09 AM
  • As far as I can tell, Rhoderick's comments mean that the answer to my original question of "whether the password prompts can be avoided altogether using AD FS" is "No".

    We already use Modern Authentication. It is the default with Outlook 2016.

    Thursday, October 13, 2016 4:28 PM
  • Ahah sorry for the marking unmarking. My browser is getting a bit laggggggy:)

    So is your question answered? Do you need further assistance with this? This post was never marked as answered in months. So the assumption is that the latest post confirming the behavior is the correct answer. Would you mark your own message as answered if Rhoderick did not comment? If not, please leave both as answers.



    Thursday, October 13, 2016 4:41 PM
  • Rhoderick's and my answer complement each other well.
    Thursday, October 13, 2016 4:48 PM