Modern Authentication Issues – Microsoft Teams, Office 365 ProPlus activation and ADFS

Just recently, I hit an issue at a client where the Office 365 ProPlus installation could be activated on a device that was outside of the corporate network, but not when it was inside. We eventually traced the problem to the split configuration of ADFS and the fact that Forms-based logon was disabled for internal connections. Once this was enabled on the Intranet connection, Modern Authentication occurred correctly and the software activated OK.

I decided to test this further in my Azure set-up and was able to re-create the issue using the Teams app on my desktop PC when connecting to my ADFS server in Azure for authentication (in this case I don’t have the same split DNS configuration, so ADFS treats all connections as Intranet connections; this is purely to save Azure costs and is not recommended!).

Opening the Teams app in Windows 10, the usual logon dialog box appears; I type my username into it and hit Tab. This automatically redirects me to my ADFS farm for validation, at which point we hit an error!

Not much useful info in that “An error occurred” error message, you’ll agree, but then Teams shows us a short error message stating that “Modern Authentication failed here” before showing us a browser-based logon screen for us to enter our username again.

Once we’ve added our credentials again, it’s off round the federation loop once more, this time authenticating properly against the domain (and not using modern authentication) and gaining access to our Teams application. Overall not a great experience for your users and one that we need to fix. Luckily it’s a simple fix and just needs a minor change on your ADFS farm.

Log on to your ADFS master server and open the AD FS Management console. Click on Authentication Policies and, under “Primary Authentication/Global Settings”, click Edit.

You’ll notice that by default, Forms authentication is not enabled for Intranet connections. Tick this box and click OK.
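
The same change can be made from PowerShell on the ADFS master server. This is an added example, not part of the original post; it uses the standard ADFS module cmdlets and appends Forms authentication to the existing intranet provider list rather than overwriting it.

```powershell
# Added example: enable Forms authentication for Intranet connections, the same
# setting as the check box under Primary Authentication/Global Settings.
# Run in an elevated PowerShell session on the ADFS master (primary) server.
Import-Module ADFS

# Read the current global policy and list the intranet primary providers
$policy   = Get-AdfsGlobalAuthenticationPolicy
$intranet = @($policy.PrimaryIntranetAuthenticationProvider)
Write-Host "Intranet providers before: $($intranet -join ', ')"

if ($intranet -contains 'FormsAuthentication') {
    Write-Host 'Forms authentication is already enabled for Intranet connections.'
}
else {
    # Append rather than replace, so Windows authentication and any other
    # providers that are already enabled stay enabled
    $updated = $intranet + 'FormsAuthentication'
    Set-AdfsGlobalAuthenticationPolicy -PrimaryIntranetAuthenticationProvider $updated

    # Re-read the policy to confirm the change was stored
    $after = @((Get-AdfsGlobalAuthenticationPolicy).PrimaryIntranetAuthenticationProvider)
    if ($after -notcontains 'FormsAuthentication') {
        throw 'FormsAuthentication was not added to the intranet provider list.'
    }
    Write-Host "Intranet providers after: $($after -join ', ')"
}
```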

With that done, Office 365 ProPlus activation and logon to the Teams client app will work happily and your users will be none the wiser.

Paul.
