After mailbox migration, with modern auth enabled and SSO enabled, user receives a credentials prompt from Outlook the first time.

Hello Experts. I am in the process of testing email migration to Office 365. On-prem we have Exchange 2013 CU19 with AD 2012 R2. I have enabled modern authentication and Seamless Sign-On, and I have set up Pass-through Authentication. We have an Exchange hybrid configuration set up with centralized mail flow, and we are using Outlook 2016.

The issue I am facing is: when I migrate a user from on-prem to the cloud, they get a prompt saying the Exchange admin has made changes and they need to restart their Outlook. When the migrated user closes and re-opens Outlook, Outlook prompts them for credentials. This only happens once. After inputting their credentials, they do not receive any more auth prompts when opening Outlook.

My question is: why does the user get prompted for these credentials the first time they open Outlook again after migration? Shouldn't modern auth handle this? Modern auth/SSO works fine with Skype and OWA. I also noticed the user's credentials are not cached in Credential Manager, and after inputting their credentials in Outlook, that stores the credentials in Credential Manager, along with what looks like access tokens.

I also tested by inputting the user's Outlook credentials into Credential Manager manually prior to migration. Then, after migration and after they restart their Outlook, they do not receive an authentication pop-up from Outlook. Why doesn't modern auth handle this itself, and why are the user's Outlook credentials not being cached in Credential Manager?

Please let me know, and thanks in advance.
Asked by: Newguy 123

Martin Miller (CTO) commented:
Microsoft has FA, field engineers, associated with O365, that can assist you or get you a better answer on this.

Aaron Guilmette (Technology Solutions Professional) commented:
We have published a list of known issues for Seamless Sign-On. There are several things that will break Seamless SSO, so I'd make sure you've eliminated everything on this list.

You will get prompted the first time to log on to the O365 mailbox, and those credentials will get stored along with the MFA response; next time it won't.
This is expected behaviour, as identities are different on-premises and in the cloud.
You may add the ADFS URL to the IE Internet zone on clients and enable Windows Integrated Auth at the ADFS level so that the logged-on user's credentials are automatically supplied to the O365 auth prompt and the user won't have to do that manually, but again it's a trick and not pure SSO.


Your users are getting the prompt about admin changes on the mailbox because, post mailbox migration, the mailbox GUID gets changed.

Aaron Guilmette (Technology Solutions Professional) commented:
The mailbox GUID doesn't get changed. It's a synced value. Federated mailboxes don't receive the pop-ups, and Seamless Sign-On shouldn't receive the pop-up either (Password Hash Sync does). Depending on the age of your tenant, you may need to enable modern authentication manually.

The credential stored in Credential Manager should say ADAL on it if modern authentication is being used.
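
A read-only check of the two things the comment above points at, as an added example that is not part of the original thread: whether modern authentication is enabled for the tenant, and whether the Office entries in Credential Manager carry the ADAL marker. It assumes Outlook 2016 on an English-language Windows client (cmdkey's "Target:" label is localized) and an already connected Exchange Online PowerShell session for the tenant check; the function names are illustrative.

```powershell
# Added diagnostic example; not from the original thread. Reads settings only.
# Assumptions: Outlook 2016 (Office 16.0 registry hive), English cmdkey output,
# and an existing Exchange Online PowerShell session for the tenant check.

function Test-TenantModernAuth {
    # Tenant side: OAuth2ClientProfileEnabled is the Exchange Online
    # organization setting that turns modern authentication on.
    if (-not (Get-Command Get-OrganizationConfig -ErrorAction SilentlyContinue)) {
        return 'Unknown (no Exchange Online session)'
    }
    [bool](Get-OrganizationConfig).OAuth2ClientProfileEnabled
}

function Test-ClientAdalSetting {
    # Client side: EnableADAL = 0 switches modern auth off for Office.
    # Outlook 2016 uses modern auth when the value is absent.
    $key   = 'HKCU:\Software\Microsoft\Office\16.0\Common\Identity'
    $value = (Get-ItemProperty -Path $key -Name EnableADAL -ErrorAction SilentlyContinue).EnableADAL
    if ($null -eq $value) { 'Not set (Outlook 2016 default: enabled)' }
    elseif ($value -eq 0) { 'Disabled by registry' }
    else                  { 'Enabled by registry' }
}

function Get-OfficeCredentialTargets {
    # cmdkey prints one "Target:" line per stored credential.
    # Keep only the Office entries and return the target names.
    cmdkey /list | ForEach-Object {
        if ($_ -match '^\s*Target:\s*(.+)$') { $Matches[1].Trim() }
    } | Where-Object { $_ -match 'MicrosoftOffice' }
}

$targets = @(Get-OfficeCredentialTargets)

[pscustomobject]@{
    TenantModernAuth = Test-TenantModernAuth
    ClientEnableADAL = Test-ClientAdalSetting
    # Entries marked ADAL indicate a modern-auth token cache.
    AdalCredentials  = @($targets | Where-Object { $_ -match 'ADAL' })
    # Office entries without the marker are stored basic-auth credentials.
    OtherOfficeCreds = @($targets | Where-Object { $_ -notmatch 'ADAL' })
} | Format-List
```

Run it in the migrated user's session before and after the first post-migration launch of Outlook to see which kind of entry the prompt created.
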
Agreed that Seamless SSO should work without password prompts - I tried this for one client just a few months back, but the SSO behavior was not consistent whatsoever; in fact, we tried with support as well.
You are right about MailboxGuid in the case of hybrid; however, the user will still get the warning message post migration: "the exchange admin has made changes, and they need to restart their outlook". This is expected behavior, since the mailbox location / database changes.

Regarding federated identity, I worked with a tenant from Dec 2017 (federated) with modern auth enabled; however, they were still entering ID and password the first time. The admin enabled WIA on ADFS and added an entry in IE on the client side, and that's how they skip the credential prompt.

What I am trying to say:
The on-premises ID and the cloud ID are two different IDs, and hence somewhere you need to log on to on-premises AD and cache those credentials.
Now the only question that remains is whether Seamless SSO can automate this function without user intervention. I believe the scenario would work great in an open network but is not easy to configure in a restricted network where the firewall filters out traffic, and hence a first-time password would not be an issue.

Todd Nelson (Systems Engineer) commented:
"Federated mailboxes don't receive the popups, and Seamless Sign-On shouldn't receive the pop-up either (Password Hash Sync does)."

I disagree that Password Hash Sync receives login pop-ups. I have deployed several Seamless SSO implementations using password hash sync and no pop-ups have occurred--not even the initial pop-up that would be expected.

Martin Miller (CTO) commented:
I'm using O365 with Azure ADFS syncing with an internal AD, and I receive pop-ups about once or twice a week on my macOS. It's extremely annoying...

Todd Nelson (Systems Engineer) commented:
@Martin, I apologize if I missed something in the original question. Is this a request for assistance with Mac and Apple devices?

Aaron Guilmette (Technology Solutions Professional) commented:
Password Hash Sync is "Same Sign-on" and can be used independently or in conjunction (as a backup mechanism) with any authentication mechanism: AD FS, Pass-through Authentication, or Seamless SSO.

Password Hash Sync utilizes a synchronized cloud ID as the authenticating security principal, using a synced password hash from on-premises. With Password Hash Sync, the authentication happens in-cloud. With AD FS, pass-through, or Seamless SSO, authentication happens on-premises.

Aaron Guilmette (Technology Solutions Professional) commented:
I think the question has bifurcated in the comments. :)

I'm on a plane and don't have access to a Mac with me, but I can ask the OL for Mac product group if that's expected behavior. I have a lot of edu customers using federated ID with Mac, and they haven't brought it up as an issue.