ADFS Authentication - Internet Explorer


When a federated user signs in to access a Microsoft cloud service such as Office 365, Microsoft Azure, or Microsoft Intune, the user is prompted unexpectedly to enter his or her work or school account credentials. After the user enters his or her credentials, the user is granted access to the cloud service.


Note: Not all federated user authentication experiences are without a credential prompt. In certain scenarios, it's by design and expected that federated users are prompted to enter their credentials. Make sure that the credential prompt is unexpected before you continue.



Use one of the following procedures, as appropriate for your situation:

Procedure A

Check the local intranet zone and proxy server settings in Internet Explorer. To do this, follow these steps:

  1. Start Internet Explorer.
  2. On the Tools menu, click Internet Options.
  3. Click the Security tab, click the Local intranet zone, and then click Sites.
  4. In the Local intranet dialog box, click Advanced. In the Websites list, make sure that an entry (such as exists for the fully qualified DNS name of the AD FS service endpoint.
  5. Click Close, and then click OK.


Use the following additional steps only if a network administrator configured a web proxy server in the on-premises environment:

  1. Click the Connections tab, and then click LAN Settings.
  2. Under Automatic configuration, click to clear the Automatically detect settings check box, and then click to clear the Use automatic configuration script check box.
  3. Under Proxy server, click to select the Use a proxy server for your LAN check box, type the proxy server address and the port that it uses, and then click Advanced.
  4. Under Exceptions, add your AD FS endpoint (such as
  5. Click OK three times.


Procedure B

Manually configure the security settings for the security zone in Internet Explorer. The default security setting that causes the local intranet zone not to prompt for Windows authentication can be configured manually for any security zone in Internet Explorer. To customize the security zone of which the AD FS service name is already a part, follow these steps:

  1. Start Internet Explorer.
  2. On the Tools menu, click Internet options.
  3. Click the Security tab, select the security zone in which the AD FS service name is already contained, and then click Custom level.
  4. In the Security Settings dialog box, scroll to the bottom to locate the User Authentication entry.
  5. Under Logon, click Automatic logon with current user name and password.
  6. Click OK two times.
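
The settings that Procedures A and B change are stored in the user's registry hive, so they can be checked without clicking through the dialogs. The following read-only PowerShell script is an added example, not part of the original article; the host name is a placeholder, and it reads only per-user (HKCU) settings, so zone assignments pushed by Group Policy are not covered.

```powershell
param([string]$AdfsHost = 'adfs.example.test')  # placeholder host name (assumption)
$base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                3 = 'Internet'; 4 = 'Restricted sites' }
$logonModes = @{ 0x00000 = 'Automatic logon with current user name and password'
                 0x10000 = 'Prompt for user name and password'
                 0x20000 = 'Automatic logon only in Intranet zone'
                 0x30000 = 'Anonymous logon' }

function Get-SiteZone([string]$HostName) {
    # Sites are stored as ZoneMap\Domains\<domain>\<subdomain> (or ...\<domain>),
    # with one DWORD per scheme ('https', '*') holding the zone number.
    $labels = $HostName.Split('.')
    for ($i = 0; $i -lt $labels.Count - 1; $i++) {
        $domain = $labels[$i..($labels.Count - 1)] -join '.'
        $paths = @()
        if ($i -gt 0) { $paths += "$domain\" + ($labels[0..($i - 1)] -join '.') }
        $paths += $domain
        foreach ($p in $paths) {
            $key = Get-Item -LiteralPath "$base\ZoneMap\Domains\$p" -ErrorAction SilentlyContinue
            if (-not $key) { continue }
            foreach ($scheme in 'https', '*') {
                $value = $key.GetValue($scheme)
                if ($null -ne $value) { return [int]$value }
            }
        }
    }
    return $null
}

$zone = Get-SiteZone $AdfsHost
if ($null -eq $zone) {
    "$AdfsHost has no per-user zone entry (Procedure A, step 4)."
} else {
    "$AdfsHost is mapped to zone $zone ($($zoneNames[$zone]))."
    # Value 1A00 is the zone's User Authentication > Logon setting (Procedure B).
    $zoneKey = Get-Item -LiteralPath "$base\Zones\$zone" -ErrorAction SilentlyContinue
    $raw = if ($zoneKey) { $zoneKey.GetValue('1A00') }
    $mode = if ($null -eq $raw) { 'not set for this user' } else { $logonModes[[int]$raw] }
    "Logon setting for that zone: $mode"
}

# Proxy checks from the additional steps: Exceptions are stored in ProxyOverride.
$inet = Get-ItemProperty -LiteralPath $base
if ($inet.AutoConfigURL) { "Automatic configuration script is set: $($inet.AutoConfigURL)" }
if ($inet.ProxyEnable -eq 1) {
    $hit = @("$($inet.ProxyOverride)".Split(';') | Where-Object { $_ -and $AdfsHost -like $_.Trim() })
    "Proxy $($inet.ProxyServer); AD FS host listed under Exceptions: $($hit.Count -gt 0)"
}
```

The logon setting applies to every site in the zone, so applying Procedure B to a broad zone such as Internet makes the browser attempt automatic logon with all of those sites; prefer the Procedure A mapping where it applies.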