If you are an IT admin or an ordinary user in an organization that uses SharePoint Online, you may have noticed the following behaviour when you sign in from a domain-joined machine on the corporate network. First you go to the SharePoint Online site, for example contoso.sharepoint.com. From there you are redirected to the Microsoft Online sign-in page. If you are a federated user, you have to type your username there, and only then does the sign-in process take you to your ADFS sign-in page. On a domain-joined machine in the corporate network you are signed in automatically at that point.
That is a lot of steps for a single sign-in to SharePoint Online. The good news is that you can now ask Microsoft support to enable ADFS auto-acceleration for your SharePoint Online tenancy. It is a really nice feature: once it is enabled you do not have to type a username even once, and the whole sign-in is seamless. So how does it work?
Once auto-acceleration is enabled, the flow looks like this: you navigate to contoso.sharepoint.com in your browser. SharePoint Online receives the request and detects that auto-acceleration is enabled for this tenant. It then redirects you to login.microsoftonline.com with an extra whr (home realm) parameter in the query string of the redirect URL, for example whr=contoso.com. That parameter tells Azure AD which federated domain the user belongs to, so it skips the username prompt (home realm discovery) and sends you straight to the ADFS endpoint registered for that domain, for example sts.contoso.com. On a domain-joined machine inside the corporate network, ADFS signs you in immediately. Bear in mind that the redirect applies to every unauthenticated visitor of the site, not only to users of the federated domain, so check that nobody who is not federated (cloud-only accounts, external users) needs to sign in to that tenancy before you ask for it.
Just to make things easier, here is also a visual representation of how ADFS auto-acceleration for SharePoint Online works.
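As an added illustration (not part of the original post and not Microsoft's code), the following Python script replays the two redirect chains described above over constructed sample data and tells you which one you are looking at: without auto-acceleration the browser stops at login.microsoftonline.com for the username prompt; with it, the redirect carries whr=contoso.com and the browser continues to the ADFS host. The hostnames, paths, parameter sets and the look-alike ADFS host are assumptions for illustration, not captured traffic. The verdict also checks that the whr value and the final host are the ones you expect, which is the check worth running after support enables the feature, because an accelerated user never sees the Azure AD page and only ever gets to verify the ADFS host.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample redirect chains: request URL -> value of the Location
# header returned for it. Hostnames, paths and the parameter sets are
# illustrative assumptions, not captured traffic; a real login.srf redirect
# carries more parameters than shown here.
SITE = "https://contoso.sharepoint.com/"
LOGIN = "https://login.microsoftonline.com/login.srf"
WREPLY = "https%3A%2F%2Fcontoso.sharepoint.com%2F"
ADFS = "https://sts.contoso.com/adfs/ls/?wa=wsignin1.0&wtrealm=urn%3Afederation%3AMicrosoftOnline"

# Without auto-acceleration: one hop, then login.srf renders the username prompt.
CHAIN_NOT_ACCELERATED = {
    SITE: f"{LOGIN}?wa=wsignin1.0&wreply={WREPLY}",
}

# With auto-acceleration: the redirect carries whr=contoso.com and Azure AD
# bounces the browser straight on to the ADFS endpoint.
_ACCEL_LOGIN = f"{LOGIN}?wa=wsignin1.0&whr=contoso.com&wreply={WREPLY}"
CHAIN_ACCELERATED = {
    SITE: _ACCEL_LOGIN,
    _ACCEL_LOGIN: ADFS,
}

# Same chain, but the final hop lands on a look-alike host (constructed).
CHAIN_LOOKALIKE = {
    SITE: _ACCEL_LOGIN,
    _ACCEL_LOGIN: ADFS.replace("sts.contoso.com", "sts.contoso-login.example"),
}


def home_realm(url):
    """Return the whr (home realm) query parameter of url, or None if absent."""
    values = parse_qs(urlsplit(url).query).get("whr")
    return values[0] if values else None


def follow_redirects(start, redirects, max_hops=5):
    """Walk the URL -> Location table from start until a URL has no redirect.

    Returns every URL visited, starting with start. max_hops guards against a
    redirect loop in a badly configured chain.
    """
    hops = [start]
    while hops[-1] in redirects and len(hops) <= max_hops:
        hops.append(redirects[hops[-1]])
    return hops


def classify(hops, federated_domain, expected_sts_host):
    """Describe where an unauthenticated visitor ends up.

    'username-prompt'      no whr on the Azure AD redirect: home realm discovery by UPN
    'accelerated'          whr names our domain and we land on our ADFS host
    'wrong-realm:<d>'      whr names a domain we did not expect
    'unexpected-host:<h>'  whr looked right but the browser landed elsewhere,
                           worth a look before anyone types a password there
    """
    aad_hops = [h for h in hops if urlsplit(h).hostname == "login.microsoftonline.com"]
    realm = home_realm(aad_hops[0]) if aad_hops else None
    if realm is None:
        return "username-prompt"
    if realm.lower() != federated_domain.lower():
        return f"wrong-realm:{realm}"
    landing_host = urlsplit(hops[-1]).hostname
    if landing_host != expected_sts_host:
        return f"unexpected-host:{landing_host}"
    return "accelerated"


def trace(redirects, federated_domain="contoso.com", expected_sts_host="sts.contoso.com"):
    """Follow a chain from the SharePoint site and return (hops, verdict)."""
    hops = follow_redirects(SITE, redirects)
    return hops, classify(hops, federated_domain, expected_sts_host)


if __name__ == "__main__":
    for name, chain in [("not accelerated", CHAIN_NOT_ACCELERATED),
                        ("accelerated", CHAIN_ACCELERATED),
                        ("look-alike", CHAIN_LOOKALIKE)]:
        hops, verdict = trace(chain)
        print(f"{name}: {len(hops) - 1} redirect(s), verdict={verdict}")
        for h in hops:
            print("   ", h)
```

To run the same check against a live tenancy, replace the constructed tables with the Location headers your HTTP client collects while following redirects from the site with redirects disabled; the parsing and the verdict logic stay the same.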
I hope you will find this information useful. As always, I am open to any questions, suggestions and feedback.