IT Connect

Azure AD authentication troubleshooting: How the technology works

You may be experiencing sign in or access issues related to Office 365 or other applications which leverage the UW Azure Active Directory (Azure AD).

This page is part of the Azure AD authentication troubleshooting guide–specifically the ‘how the technology works’ page.

Note: This document covers the basics related to Azure AD authentication. More material about our Azure AD architecture is available but not directly relevant to this topic.

How the technology works

You likely do not know that you use Azure Active Directory, but you are familiar with Office 365 applications such as Exchange Online, Outlook, Teams, SharePoint Online, and OneDrive for Business, all of which rely on Azure Active Directory for authentication and access.

Azure AD sign in basics

Each of these applications requires an Azure AD sign in. For example, to get into your Exchange Online mailbox, the following happens:

  1. The user obtains an Azure AD identity token for their UW NetID
  2. That identity token is used to obtain an Azure AD access token for Exchange Online
  3. That access token is used to get into the Exchange Online mailbox

Azure AD tokens have some standard behaviors which affect what you experience:

  1. Azure AD tokens are restricted to use from the device where they are obtained–they can’t be re-used on another device. Each time you use a new device, you will get the full interactive sign-in experience.
  2. In some cases, you may already have an identity token or a special token called a refresh token cached on your device. If this is the case, you won’t be prompted to interactively sign in with your UW NetID credentials.
  3. If the device is Azure AD registered, then an Azure AD refresh token will be issued. An Azure AD refresh token acts like the “UW Duo remember me” option–when present, the user is not prompted interactively to enter their credentials each time they want to access an application that requires a new Azure AD access token.
  4. Azure AD access tokens generally last 1 hour, but each application can change that length.
  5. Policy can be set which sets conditions for Azure AD access token issuance. Examples in use at the UW include:
    • Duo 2FA opt-in for the Web. If you choose to opt in, all your Azure AD access tokens will additionally require Duo 2FA. If a refresh token is present (which indicates you have previously satisfied Duo 2FA), you do not have to interactively satisfy Duo 2FA every hour.
    • Compromised UW NetID or loss of Office 365 license. In these cases, no access token will be issued.

UW Azure AD sign in specifics

Here at the UW, we’ve made technology choices which are relevant:

  • Our Azure AD requires a token from UW ADFS (sts.netid.washington.edu)
  • UW ADFS in turn requires a token from the UW IdP (idp.u.washington.edu)

This is why most users must enter their UW NetID twice–once in the Microsoft sign in page, and again at the UW IdP. 

Cloud-only authentication

We have a plan to eliminate both ADFS and the UW IdP from the UW Azure AD sign in experience, i.e. you provide your UW NetID password directly to the Microsoft sign-in page. Some users have already transitioned to this cloud-only sign in experience by adding themselves to https://groups.uw.edu/group/u_msinf_aad_phs_optin. If you opt in, after about an hour your account should have the cloud-only sign-in experience as documented here: https://itconnect.uw.edu/wares/msinf/aad/authn/cloud-only-with-duo-2fa-expected-experience/. That walkthrough presumes you have enabled Duo 2FA.

Note: Until we have converted everyone to this experience, the OWA URL https://outlook.office.com/owa/?realm=uw.edu may result in the ADFS + UW IdP based sign-in experience. If you instead use https://outlook.office.com/owa/, you will still get to OWA but with the cloud-based sign-in experience.

Duo 2FA

Users who have chosen to ‘opt in to UW 2FA for the Web’ will get 2FA prompts via the UW IdP and separately via Azure AD. Azure AD will require Duo 2FA when an access token is issued.

Tokens issued by Azure AD have no relationship to the UW Duo remember me feature–the UW Duo remember me feature is *only* for tokens issued by the UW IdP.

If the device is registered with Azure AD, then you should not be interactively prompted by Duo for each access token. The opposite should also be true: if the device is not registered with Azure AD, then the user should be interactively prompted by Duo for each access token.
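To make the rules above concrete, here is a small Python model of a single access-token request, added here as an illustration (it is not UW's or Microsoft's code). It encodes the token behaviors, the ADFS/UW IdP versus cloud-only sign-in path, and the Duo rules from the sections above, and assumes the default one-hour access-token lifetime; the Account and Device classes, their field names and the prompt strings are invented for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

ACCESS_TOKEN_LIFETIME = timedelta(hours=1)  # page default; each app can change it

@dataclass
class Account:
    netid: str
    duo_web_opt_in: bool = False  # chose 'opt in to UW 2FA for the Web'
    cloud_only: bool = False      # in the PHS opt-in group: no ADFS / UW IdP hop
    compromised: bool = False
    licensed: bool = True

@dataclass
class Device:
    device_id: str
    aad_registered: bool          # False for Windows 7, which cannot register
    has_refresh_token: bool = False

def request_access_token(account, device, app, now, cached=None):
    """One access-token request. Returns (token or None, prompts the user sees).
    A token is the tuple (netid, device_id, app, expires_at)."""
    # Policy: a compromised NetID or a missing Office 365 license means no token.
    if account.compromised or not account.licensed:
        return None, ["blocked by policy"]
    # A cached token is only usable on the device it was issued to, until it expires.
    if cached and cached[:3] == (account.netid, device.device_id, app) and cached[3] > now:
        return cached, []
    prompts = []
    if not device.has_refresh_token:          # no refresh token: full interactive sign-in
        prompts.append("Microsoft sign-in page: UW NetID")
        if not account.cloud_only:            # ADFS then UW IdP: NetID entered twice
            prompts.append("UW IdP (via ADFS): UW NetID again")
            if account.duo_web_opt_in:
                prompts.append("Duo 2FA at UW IdP")
        if account.duo_web_opt_in:            # Azure AD itself requires Duo for the token
            prompts.append("Duo 2FA at Azure AD")
        # Only a registered device gets a refresh token along with its identity token.
        device.has_refresh_token = device.aad_registered
    return (account.netid, device.device_id, app, now + ACCESS_TOKEN_LIFETIME), prompts

def prompts_per_hour(account, device, app, hours=3):
    """Prompts seen for one request per hour, e.g. to contrast registered vs not."""
    start = datetime(2021, 3, 1, 9, 0)  # constructed timestamp
    token, history = None, []
    for h in range(hours):
        token, prompts = request_access_token(
            account, device, app, start + timedelta(hours=h, minutes=1), token)
        history.append(prompts)
    return history
```

Running prompts_per_hour for the same opted-in account on a registered and on an unregistered device shows why the Windows 7 experience is painful: the unregistered device repeats the full interactive sign-in and both Duo prompts every hour.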

Azure AD device registration

The device used with Azure AD sign in is very important, and depending on the configuration can either reduce interactive sign ins or entirely block sign ins.

Azure AD tokens are restricted to use from the device where they are obtained.

If the device is Azure AD registered, then an Azure AD refresh token will be issued when an identity token is obtained. An Azure AD refresh token will eliminate the need to interactively enter your credentials each time you want to access an application that requires a new Azure AD access token.

Most Office products (including Microsoft 365 Apps for Enterprise, Office 2016/2019, and Office ProPlus) on supported Windows platforms require the device to be Azure AD registered in order to allow sign in. Office products often perform the registration silently, unknown to the user. 

There are other application experiences which require device registration. For example, users who use the Windows 10 Mail application to access Exchange Online will be asked to register via the ‘Access Work or School’ Windows setting.

Each device usually has one registration record per user, rather than a single registration for the device as a whole. The only exception to this is a hybrid-joined device, which does involve user interaction.

Because device registrations are per user, each user can review and manage the list of all their registered devices via https://myworkaccount.microsoft.com/device-list. Users should NOT disable any registered device. While you can disable the device, you cannot re-enable it. If you disable your device, you then can’t sign in from that device. Only a small handful of people at the UW can re-enable a disabled device.

Most device platforms are supported for device registration, but Windows 7 is a notable exception. Windows 7 mainstream support ended in 2015 and extended support ended at the beginning of 2020. Windows 7 is insecure (because it is not actively getting security updates), and UW users should upgrade to Windows 10. This is why the Azure AD Duo 2FA experience from a Windows 7 device is very annoying–every access token will require a fresh interactive sign-in.

Office clients on non-Windows platforms sometimes have helper capabilities that allow an Azure AD refresh token to be maintained regardless of whether the device is registered with Azure AD or not.

If your Azure AD device registration experience is interactive, you may be asked whether you want the device to be managed. You should choose no. If you say yes, you are moving beyond a relatively low-impact Azure AD device registration to mobile device management (MDM), which in the case of the UW Azure AD tenant is provided by Intune. So saying yes to that management prompt means Intune enrollment. If successful, that potentially means a set of policies and settings will be deployed to the device, including these settings.

Last reviewed March 1, 2021