IT Connect
Your connection to information technology at the UW

The UW Microsoft sign in experience is changing

May 13, 2021

Over the next month, your Microsoft sign in experience for the UW will change to be simpler while remaining secure.

Check out the new experience rolling out next month. 

If you encounter an error when you sign in to Microsoft on June 17, check out the troubleshooting guide to learn what to do.

General communication about this change is being sent via UW Insider and IT Connect News for Students newsletters, with more technical information planned for Computing Directors, techsupport mailing list, and mi-announce mailing list.

Timeline

  • 5/20: UW-IT pilot: UW-IT moved to new experience
    • Status as of 5/25: Zero problems reported across several thousand accounts
  • 6/2: Pilot group 2: 30 percent of all active UW Microsoft accounts moved to new experience (UW NetIDs beginning with a through e)
  • 6/17: Complete removal of federation — all users not in a prior pilot will get the new experience

More information for technical contacts

  • Interactive sign in will shift from a federated sign in to cloud-based sign in. The experience will look slightly different but will be simpler and secure. Note: whether Duo is expected depends on whether the account has opted into ‘UW 2FA for the Web‘.
  • The pilots preview the cloud-based sign in experience without committing the entire tenant to the new experience. This helps us to minimize the possibility of a more significant interruption of service should we need to rollback the removal of federation on 6/17.
  • While your user account might be in a preview of the new experience, you may not see the experience for quite some time. This is because Azure AD interactive sign ins do not happen very often, because the authentication tokens are long-lived and responsive to security events, to improve the user experience without impacting overall security.
  • Users in the pilots who are previewing the cloud-based sign in experience can still end up with a federated sign in experience. This can happen via one of two possible scenarios:
    • If they have a client which can only perform legacy authentication, then their interactive sign in experience will fail back to federated sign in. Note: For the 6/2 pilot, we will automatically omit any user from the pilot who has had legacy authentication use in the past 30 days to reduce the chance of impact.
    • If a “domain_hint” query parameter is passed to an Azure AD application during sign in, then their interactive sign in experience will fail back to federated sign in. For example, https://outlook.office365.com/uw.edu includes the “uw.edu” domain hint parameter in the URL and would result in the federated experience, whereas https://outlook.office365.com/ would result in the new sign in experience.
  • User accounts which experience a Microsoft sign in issue can ask to be removed from the pilot experience, which will take approximately 1 hour. Please have any users who experience problems provide some basic AAD authentication troubleshooting information when sending an email to help@uw.edu, subject: “MS sign in transition”
  • On 6/17/2021 around 5pm, the UW Azure AD will remove the possibility of federated authentication with the UW IdP to complete this change. After this change, all users will have the new cloud-based sign in experience and no one will have the federated sign in experience. At that time:
    • Customers which are using a browser from a device which is not Azure AD registered to access applications *might* experience an error during a four hour window immediately following this change, while a service-side cache is cleared. Customers using native clients or from Azure AD registered devices *should not* experience any issues during this four hour period. Overall, we estimate that very few users will see this error.
    • Customers which have integrated applications in a way which requires federated authentication will break. Known examples include: