Single Sign-On (SSO) Configuration
- Feb 5, 2024
Updated: Feb 11, 2024
SSO: Login Failure due to Email/Domain
Summary
If a user cannot sign in with the Single Sign-On process due to an issue with their email address or domain, it could be because the network account has an alias issue with Azure.
Even if a user does not have an email license, they must sign in to SSO with username@[Redacted].com.
If this username/email address does not work, check their network account following the steps detailed in this article.
A) Troubleshooting Process
1) Check the user's account in the [Redacted] section of the Partner Portal.
If the user's email address is listed as username@[Redacted].com, their account should not be having alias issues; the issue might actually be the password, SSO setting in PCC, or account expiration date.
The alias is incorrect if the user's email address is listed as username@[Redacted].onmicrosoft.com.
[Image Redacted to Protect Sensitive Information]
2) Connect to [Redacted] and open the user's network account.
If this issue needs to be corrected quickly, use [Redacted].
Changes will sync faster because this domain controller hosts Azure AD Connect.
The network account must be opened in the exact OU their account is located in; searching for the user will not give you access to the Attribute Editor for their account.
For instance, if a [Redacted] user is experiencing issues, you must open their account in the [Redacted] OU.
3) Open the Properties of the user's network account to check the domain address and email address.
Verify that the domain is set to [Redacted]; switch the address to this if it is not.
Verify that the email address in the account's General tab is set to username@[Redacted].com.
Apply and save your changes.
[Image Redacted to Protect Sensitive Information]
4) Open the Attribute Editor in their network account.
If you open their account and do not see the option for Attribute Editor, verify that Advanced Features is enabled.
[Image Modified to Protect Sensitive Information]
Please be careful in the Attribute Editor, as unintended mistakes could cause user account issues.
Search for the proxyAddresses attribute and select Edit.
[Image Modified to Protect Sensitive Information]
If you see a value in the String Editor that begins with x500, please do not modify it; this value is expected.
In the Value to Add textbox, type SMTP:, followed by the user's email address.
This value is case-sensitive and must be entered precisely and without spaces to work correctly.
The SMTP: value communicates to Azure that the accompanying address is the user's primary and default email address.
The lowercase smtp: value communicates to Azure that the accompanying email address is one of the user's alias addresses.
For instance, [Redacted] SMTP value must be typed precisely as SMTP:[Redacted], with no space after the colon.
[Image Redacted to Protect Sensitive Information]
Click Add and then OK, then apply the changes in the Properties menu.
On the next sync to Azure, the user's email address should be updated in the Partner Center and properly configured to use SSO.
This sync may take up to an hour. Advise the user to call back if they still have issues after this period.
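To confirm the proxyAddresses values before waiting for the sync, the checks from step 4 can be scripted. The PowerShell function below is an added example, not part of the original article; the function name, the example.com domain and the sample values are constructed placeholders, and the "exactly one SMTP: value" check reflects that an account has a single primary address.

```powershell
# Added example (not from the original article). Read-only: changes nothing in AD.
function Test-SsoProxyAddresses {
    param(
        [string[]]$ProxyAddresses,                      # values from the proxyAddresses attribute
        [Parameter(Mandatory)][string]$ExpectedAddress  # e.g. username@example.com (placeholder)
    )
    $issues = New-Object 'System.Collections.Generic.List[string]'

    # x500 entries are expected and are skipped, matching the article's instruction.
    $smtpValues = @($ProxyAddresses | Where-Object { $_ -and $_ -notmatch '^x500:' })

    foreach ($value in $smtpValues) {
        if ($value -match '\s') { $issues.Add("Whitespace in value: '$value'") }
    }

    # -clike is case-sensitive: 'SMTP:' marks the primary address, 'smtp:' an alias.
    $primary = @($smtpValues | Where-Object { $_ -clike 'SMTP:*' })
    if ($primary.Count -ne 1) {
        $issues.Add("Expected exactly one 'SMTP:' (primary) value, found $($primary.Count)")
    }
    foreach ($p in $primary) {
        $address = $p.Substring(5).Trim()
        if ($address -like '*.onmicrosoft.com') {
            $issues.Add("Primary address uses the onmicrosoft.com alias: $address")
        }
        elseif ($address -ne $ExpectedAddress) {
            $issues.Add("Primary address '$address' does not match '$ExpectedAddress'")
        }
    }
    # The sign-in address exists, but only as a lowercase alias entry.
    if (($smtpValues -ccontains "smtp:$ExpectedAddress") -and
        -not ($smtpValues -ccontains "SMTP:$ExpectedAddress")) {
        $issues.Add("'$ExpectedAddress' is listed only as an alias (lowercase smtp:)")
    }
    $issues   # empty output means no problems were found
}

# Constructed sample values showing the misconfiguration described in step 1.
$sample = @(
    'x500:/o=ExampleOrg/ou=Exchange/cn=Recipients/cn=jdoe',
    'SMTP:jdoe@example.onmicrosoft.com',
    'smtp:jdoe@example.com'
)
Test-SsoProxyAddresses -ProxyAddresses $sample -ExpectedAddress 'jdoe@example.com'

# Against a live account (requires the ActiveDirectory module; 'jdoe' is a placeholder):
# $live = (Get-ADUser -Identity jdoe -Properties proxyAddresses).proxyAddresses
# Test-SsoProxyAddresses -ProxyAddresses $live -ExpectedAddress 'jdoe@example.com'
```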