You may be experiencing sign in or access issues related to Office 365 or other applications that leverage the UW Azure Active Directory (Azure AD).
This page is part of the Azure AD authentication troubleshooting guide: How the technology works.
This troubleshooting guide provides:
- Steps you can take to help yourself
- Known problems and solutions
- Background information on how the technology works
Note: This document covers the basics related to Azure AD authentication. More information about our Azure AD architecture is available but is not directly relevant to this topic.
How the technology works
You likely do not know you use Azure Active Directory, but you are familiar with Office 365 applications, like Exchange Online, Outlook, Teams, SharePoint Online, or OneDrive for Business—all of which rely on Azure Active Directory for authentication and access.
Azure AD sign in basics
Each of these applications requires an Azure AD sign in. For example, to get into your Exchange Online mailbox, the following happens:
- The user must get an Azure AD identity token for their UW NetID
- They use that identity token to get an Azure AD access token for Exchange Online
- They use that access token to get into their Exchange Online mailbox
Azure AD tokens have some standard behaviors which affect what you experience:
- Azure AD tokens are restricted to use from the device where they are obtained–they can’t be re-used on another device. Each time you use a new device, you will get the full interactive sign-in experience.
- In some cases, you may already have an identity token or a special token called a refresh token cached on your device. If this is the case, you won’t be prompted to interactively sign in with your UW NetID credentials.
- If the device is Azure AD registered, then an Azure AD refresh token will be issued. An Azure AD refresh token acts like the “UW Duo remember me” option–when present, the user is not prompted interactively to enter their credentials each time they want to access an application that requires a new Azure AD access token.
- Azure AD access tokens generally last 1 hour, but each application can change that length.
- Policy can be set which sets conditions for Azure AD access token issuance. Examples in use at the UW include:
  - Duo 2FA opt-in for the Web. If you choose to opt-in, all your Azure AD access tokens will additionally require Duo 2FA. Presence of a refresh token which indicates you have previously satisfied Duo 2FA will mean you do not have to interactively satisfy Duo 2FA every hour.
  - Compromised UW NetID or loss of Office 365 license. In these cases, no access token will be issued.
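When troubleshooting the behaviours above it helps to look at what is actually inside a token. The inspector below is an added example written for this guide, not UW IT's or Microsoft's code; it assumes Azure AD tokens are JWTs carrying the standard `iat`, `exp` and `aud` claims plus, where applicable, `amr` (authentication methods, containing "mfa" when 2FA was satisfied) and `deviceid` (present when the token was issued to a registered device). The sample token is constructed and its signature is a placeholder that is never checked, so this decodes for inspection only and must not be used as an authorization check.

```python
"""Decode (not validate) an Azure AD token to explain the sign-in behaviour it will produce."""
import base64
import json


def decode_jwt_payload(token: str) -> dict:
    """Return the JWT payload claims without verifying the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def explain_token(token: str) -> dict:
    """Summarize the claims that drive the behaviours described in the guide."""
    claims = decode_jwt_payload(token)
    lifetime_s = claims["exp"] - claims["iat"]
    return {
        "audience": claims.get("aud"),                     # which resource accepts it
        "lifetime_minutes": lifetime_s // 60,              # usually 60 for access tokens
        "mfa_satisfied": "mfa" in claims.get("amr", []),   # Duo 2FA condition already met
        "device_bound": "deviceid" in claims,              # issued to a registered device
    }


def _b64url(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned sample token for offline demonstration only."""
    header = {"typ": "JWT", "alg": "none"}
    return f"{_b64url(header)}.{_b64url(claims)}.placeholder-signature"


# Constructed claims mimicking an Exchange Online access token obtained on a
# registered device after Duo 2FA. Values are illustrative, not real.
SAMPLE_TOKEN = make_sample_token({
    "aud": "https://outlook.office365.com",
    "iat": 1_600_000_000,
    "exp": 1_600_003_600,
    "amr": ["pwd", "mfa"],
    "deviceid": "00000000-0000-0000-0000-000000000000",
    "upn": "netid@uw.edu",
})

if __name__ == "__main__":
    print(json.dumps(explain_token(SAMPLE_TOKEN), indent=2))
```

A token showing `mfa_satisfied` false and `device_bound` false is consistent with the unregistered-device case below, where every new access token triggers an interactive Duo prompt.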
UW Azure AD sign in specifics
Our Azure AD uses password hash sync, which is Microsoft jargon that means your UW NetID password is not actually present in Microsoft’s cloud-based Azure AD, but a derived form of it which can be used to verify whether the password you provide to Microsoft sign in prompts is correct. You will have one of two sign-in experiences, depending on whether your account is configured to require Duo 2FA:
- UW Azure AD Cloud-only authentication expected experience
- UW Azure AD Cloud-only authentication with Duo 2FA expected experience
Users who have chosen to ‘opt in to UW 2FA for the Web’ will get 2FA prompts via the UW IdP and separately via Azure AD. Azure AD will require Duo 2FA when an access token is issued.
Tokens issued by Azure AD have no relationship to the UW Duo remember me feature–the UW Duo remember me feature is *only* for tokens issued by the UW IdP.
If the device is registered with Azure AD, then you should not be interactively prompted by Duo for each access token. The opposite should also hold: if the device is not registered with Azure AD, then the user should be interactively prompted by Duo for each access token.
Azure AD device registration
The device used with Azure AD sign in is very important, and depending on the configuration can either reduce interactive sign ins or entirely block sign ins.
Azure AD tokens are restricted to use from the device where they are obtained.
If the device is Azure AD registered, then an Azure AD refresh token will be issued when an identity token is obtained. An Azure AD refresh token will eliminate the need to interactively enter your credentials each time you want to access an application that requires a new Azure AD access token.
Most Office products (including Microsoft 365 Apps for Enterprise, Office 2016/2019, and Office ProPlus) on supported Windows platforms require the device to be Azure AD registered in order to allow sign in. Office products often perform the registration silently, unknown to the user.
There are other application experiences which require device registration. For example, users who use the Windows 10 Mail application to access Exchange Online will be asked to register via the ‘Access Work or School’ Windows setting.
Each device usually has one registration record per user, not necessarily a single device registration. The only exception to this is a hybrid joined device which does involve user interaction.
Because device registrations are per user, each user can review and manage the list of all their registered devices via https://myworkaccount.microsoft.com/device-list. Users should NOT disable any registered device. While you can disable the device, you cannot re-enable it. If you disable your device, you then can’t sign in from that device. Only a small handful of people at the UW can re-enable a disabled device.
If the device registration is deleted, then any cached token on that device is now invalid. This includes the primary refresh token, which generally doesn’t expire and usually significantly reduces interactive sign ins. Because all the tokens on this device are invalid for that user, the user may see an error, and then must perform a fresh interactive Azure AD sign in. Depending on the scenario, that Azure AD sign in may require a fresh device registration. For this reason, it is best to not delete an Azure AD device registration unless that user will never sign in again from that device.
Most device platforms are supported for device registration, but Windows 7 is a notable exception. Windows 7 mainstream support ended in 2015 and extended support ended at the beginning of 2020. Windows 7 is insecure (because it is not actively getting security updates), and UW users should upgrade to Windows 10. This is why the Azure AD Duo 2FA experience from a Windows 7 device is very annoying — every access token will require a fresh interactive sign-in.
Office clients on non-Windows platforms sometimes have helper capabilities that allow an Azure AD refresh token to be maintained regardless of whether the device is registered with Azure AD or not.
If your Azure AD device registration experience is interactive, you may be asked whether you want the device to be managed. You should choose no. If you say yes, you are moving beyond a relatively benign Azure AD device registration to mobile device management (MDM), which in the case of the UW Azure AD tenant is provided by Intune. When you say “yes” to that management prompt you are saying “yes” to Intune enrollment. If successful, that potentially means a set of policies and settings will be deployed to the device, including these settings.