O365: Limiting Authentication Prompts
This post is in regards to a question I recently received from a customer about the possibility of getting rid for the initial sign-in prompt Federated users get when accessing O365 for the first time (if they’re cookie has expired or doesn’t exist).
This initial sign in prompt is required because the O365 Azure AD sign in page provides the KMSI (Keep Me Signed In) functionality that’s required in order for the SPO FedAuth cookie to be made persistent so that it can be shared across sessions of browser, Office, Explorer, etc. If the FedAuth cookie isn’t made persistent, certain functionality such as opening a SharePoint List using Windows Explorer View may fail with the error
We're having a problem opening this location in File Explorer. To open with File Explorer, you'll need to add this site to your Trusted Sites list and select the "Keep me signed in" check box when you sign in to the SharePoint Online site. For more information,
The use of Smart Links (http://community.office365.com/en-us/w/sso/using-smart-links-or-idp-initiated-authentication-with-office-365.aspx) is only way to get around this initial sign-in prompt. HOWEVER, when using smart links to access O365, you are forcing clients to bypass the O365 Azure AD sign in page, which prevent them from getting a persistent FedAuth cookie. Therefore they will run into additional prompts and errors when using Office applications that interact with SPO and/or when attempting to open a SharePoint list using the Windows Explorer View (as mentioned above).
For this reason, my recommendation is that smart links not be used and that the default sign-in process/behavior remain as is.This will prevent issues as the one mentioned above, as well as other additional sign in prompts when using applications that interact with SPO and O365.
To make things as stream line as possible, the following settings can be made on user machines (in IE).-
- Have *.<yourdomain>.com and https://login.microsoftonline.com added to my Trusted Sites list in IE
- Have “Automatic logon with current user name and password” selected in the security settings for the Trusted Sites Zone
- Select “Remember Me” when signing into O365 for the first time, so Windows Credential Manager stores the logon credentials for your adfs sts server ( ie https://sts.contoso.com) you can verify this in Control Panel/ User Accounts/Credential Manager
- Check the box “Keep Me Signed In” when signing into O365
In testing these settings, the behavior I get is that I only have to type in my user name in the initial sign-in prompt. As soon as I click in the password box, a realm discovery is made and my user name/password (that I’m logged into windows with) is them passed to my ADFS STS server and I’m then in O365. I do not have to type in the password. I only have to type in my user name.