Fixing a Hidden Login “Gotcha” Within Microsoft Azure Active Directory - Derive Notes From the Field Series

Welcome to the first in Derive Technologies' new blog series entitled, "Notes From the Field." In the series, our Professional Services team will provide insights about a variety of technology solutions from an engineering perspective. Please look out for further entries in this series over the coming weeks.


Fixing a Hidden Login “Gotcha” Within Microsoft Azure Active Directory



 

Background

Seamless SSO works with either Pass-through Authentication or Password Hash Synchronization but does not support Federation. When Seamless SSO is configured properly, users login to their domain-joined Windows workstations with their AD DS credentials and are automatically authenticated to Microsoft 365 (formerly Office 365) browser-based and desktop applications without being prompted to re-enter credentials.

My small business customer recently enabled Azure AD Connect with Pass-through Authentication to synchronize their identity between their on-premises AD DS infrastructure and Microsoft 365 tenant. Each user has a domain-joined Windows 10 workstation running the latest Microsoft 365 Desktop applications, including Microsoft Outlook.

Running the AAD Connect configuration wizard, we enabled the Seamless SSO Feature and configured a group policy object (GPO) with the appropriate settings to enable both Hybrid Azure AD join and Seamless SSO features as per Microsoft guidance.
 

Defining the Problem

Seamless SSO for Microsoft 365 web-based services seemed to be working properly. After domain login, users navigated to the office.com portal in the web browser without being prompted for additional credentials. However, several employees complained about intermittent login pop-up windows when using Microsoft Outlook. It was unclear why this problem was only affecting some users. We urged affected users not to check the “remember my credentials” checkbox as doing so would defeat the purpose of the seamless SSO feature and would end up causing a problem down the road when these users needed to change their AD passwords.
 

Researching the Solution

The prerequisites for Seamless SSO as described on Microsoft’s Hybrid Identity Documentation Website were carefully reviewed. We believed all prerequisites had already been fulfilled, and we assumed that Modern Authentication was already enabled as end-user workstations already ran the latest version of Microsoft Outlook. (Modern Authentication is a default setting on new Microsoft 365 tenants.). Since the specific symptom consisted of MS Outlook regularly prompting users to re-enter credentials, we used PowerShell to verify that Modern Authentication was in fact enabled for Exchange Online. As indicated in the screen capture shown below, Modern Authentication was disabled (OAuth2ClientProfileEnabled was set to “false”).
 


 

The customer in question had first established an Office 365 tenant back in 2015.  At that time, Exchange Online Modern Authentication was disabled by default for all tenants.
 

Implementing the Solution

The solution was simply to enable Modern Authentication for the customer’s O365/EXO tenant. This was accomplished with a single PowerShell Cmdlet; the change was then verified with a second PowerShell Cmdlet as shown in the diagram below:
 


 

The aforementioned changes may have propagated automatically within a few minutes, but we asked affected end-users to logoff their workstations and immediately login again to be certain. Once they did so, they were able to launch the Microsoft Outlook desktop application and access their respective EXO mailboxes without additional prompting to re-enter credentials. It is worth noting that the Microsoft documentation page covering O365 Modern Authentication has a disclaimer indicating that, for tenants created before August 2017, Modern Authentication is turned off by default.
 

Author

Matthew J Miller is a Senior Solutions Architect in Cloud Technologies for Derive Technologies. For the past 20 years, Matt has been following Microsoft technologies and solutions. His specialties include Enterprise Networking (Routing, Switching, Wireless); Cloud IaaS (MS Azure AD); Cloud SaaS (Microsoft 365); Active Directory and Virtualization (VMware & Hyper-V).

------

Contact Derive

Learn more about this and other technology solution topics by following our new blog series, or by contacting a member of the Derive Technologies Professional Services team at (212) 363-1111 [New York], (201) 299-9132 [New Jersey], or TOLL-FREE at (844) 363-1110. You may also reach us by completing the FORM ON THIS PAGE (please include "Azure Active Directory" in the comments).