ADFS Auto-Acceleration for SharePoint Online

If you are an IT admin or an ordinary user in an organization that uses SharePoint Online, you may have noticed the following behaviour when you log in from a domain-joined machine on the corporate network. First you go to the SharePoint Online site, for example contoso.sharepoint.com. From there, you are redirected to the Microsoft Online sign-in page. If you are a federated user, you have to provide your username there, and the sign-in process then takes you to your ADFS sign-in page. On a domain-joined machine in the corporate network, you are automatically signed in there.

However, that is a lot of steps in the authentication process for SharePoint Online. The good news is that you can now ask Microsoft support to enable ADFS auto-acceleration for your SharePoint Online tenancy. This feature is really cool, because once it is enabled you don't have to provide a username at all and the whole authentication process is very smooth. So how does this work?

Once auto-acceleration is enabled, the system works as follows: you navigate to contoso.sharepoint.com in your web browser. SharePoint Online receives the request and detects that auto-acceleration is enabled for this tenant. You are then sent to login.microsoftonline.com with an extra whr tag in the header. This tag indicates to AAD that it is safe to accelerate the user directly to the ADFS endpoint, for example sts.contoso.com. In the case of domain-joined machines, you will be signed in immediately.
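To confirm the flow described above after the feature has been enabled, the redirect targets of one sign-in attempt can be checked against the expected realm and ADFS host. This is an added example, not code from the original post or from Microsoft; it assumes whr is carried as a query-string parameter of the redirect URL, and the function name and sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

AAD_HOST = "login.microsoftonline.com"

def check_acceleration(locations, expected_whr, expected_sts):
    """Check the redirect targets of one sign-in attempt, in order.

    Returns (ok, findings); ok is True only when there are no findings.
    """
    findings, whr_seen, sts_seen = [], None, False
    for loc in locations:
        url = urlsplit(loc)
        host = (url.hostname or "").lower()
        if url.scheme != "https":
            findings.append(f"non-HTTPS hop: {loc}")
        if host == AAD_HOST:
            # parse_qs returns a list per key; duplicates make the realm ambiguous.
            values = parse_qs(url.query).get("whr", [])
            if len(values) > 1:
                findings.append("more than one whr value on the AAD hop")
            if values:
                whr_seen = values[0].lower()
                if whr_seen != expected_whr.lower():
                    findings.append(f"unexpected whr: {whr_seen}")
        elif whr_seen is not None:
            # Once AAD has been told the realm, the only other host should be the STS.
            if host == expected_sts.lower():
                sts_seen = True
            else:
                findings.append(f"unexpected host after AAD: {host}")
    if whr_seen is None:
        findings.append("no whr on the AAD hop: auto-acceleration not in effect")
    elif not sts_seen:
        findings.append("chain never reached the expected STS")
    return (not findings, findings)

# Constructed, simplified redirect targets (not captured traffic).
ACCELERATED = [
    "https://login.microsoftonline.com/login.srf?wa=wsignin1.0&whr=contoso.com",
    "https://sts.contoso.com/adfs/ls/?wa=wsignin1.0",
]
NOT_ACCELERATED = ["https://login.microsoftonline.com/login.srf?wa=wsignin1.0"]
WRONG_REALM = [
    "https://login.microsoftonline.com/login.srf?wa=wsignin1.0&whr=fabrikam.com",
    "https://sts.fabrikam.com/adfs/ls/?wa=wsignin1.0",
]

if __name__ == "__main__":
    for name, chain in [("accelerated", ACCELERATED), ("plain", NOT_ACCELERATED), ("wrong realm", WRONG_REALM)]:
        print(name, check_acceleration(chain, "contoso.com", "sts.contoso.com"))
```
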

Just to make things easier, here is also a visual representation of how ADFS auto-acceleration for SharePoint Online works.

[Figure: Auto-acceleration]

I hope you will find this information useful. As always, I am open to any questions, suggestions and feedback.

Dan Patrascu-Baba

Partner Technical Consultant at Microsoft
Azure PaaS and dev consultant, working for Microsoft. Mostly dealing with Microsoft Azure services, ASP.Net Core, AngularJS, Javascript. Helping partners and customers to write good code and to architect their cloud and hybrid solutions.

3 thoughts on “ADFS Auto-Acceleration for SharePoint Online”

  1. Travis

    Would this work if I had a single federation server with multiple virtual server IDs? (can I turn it on if I have a single server with multiple virtual servers federated?)

    This setup includes 3rd party federation services to allow the single server to authenticate multiple un-trusted domains;

    Example:

    biz.company1.com -> sso.company.com/abcd
    biz.company2.com -> sso.company.com/efgb

  2. Dan Patrascu-Baba Post author

    Very good question. I can’t tell you exactly if this would work or not but I am fairly sure that this type of scenario is not officially supported by Microsoft.

  3. prakash

    We have multiple domains for our multiple entities using the same tenant. Is it going to work for all, since we provide a single domain name while enabling Auto-Acceleration?
