Hi,
So I haven't found an answer to this anywhere online, so I am posting it here. Might post in a few other forums as well.
I work with a lot of IT environments utilizing Azure AD and Office 365.
In one of the environments we are running about 100 computers all connected to Azure AD, running Intune and Autopilot. All users sign in to their computers using their Azure AD account. This environment has been running fine for over a year. We make very small changes in it and it's all good.
But then a few months back a few users started having an issue with losing connection to Exchange Online from Outlook, which states that it's "trying to connect". We started troubleshooting and noticed that at the same time Microsoft Store didn't work, and the other Office apps (Word, Excel, PowerPoint etc.) lost access to the "connected services" under the Office Account settings.
More information:
- OneDrive and Teams stay connected (probably since they are using their own credentials or tokens?)
- This happens just for a few of the users; they are not special in any way deployment-wise: same licenses as other users, same policies applied from Intune and same computer models as the others.
- This happens on all networks, not just in the office.
- We have been running SARA inside the profile, trying to reach Exchange Online, and it fails to reach it, just hanging on autodiscover. Although if we run it as admin (another account on the computer) it succeeds.
- We have tried making the user a local admin; the issue persists.
- We get no sign-in logs in Azure after the connection is lost, so the sign-in attempts do not reach Azure.
- We usually solve it by restarting the computer a few times; just rebooting one time does not solve it. Usually after 3-5 reboots everything comes back online...
- We've tried to repair Office
- We've tried restarting all, or stopping and starting all, Microsoft services connected to Office 365 or Identity
- We've deleted HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity and rebooted the computer; it works fine for a day or two and then the issue comes back.
- Tried switching one of the users to another computer, and after just a day the issue showed up there as well. So we cannot bind it completely to a single device or a single user. (Just tried this once, so it could have been bad luck?)
- Tried Autopilot-resetting a device (clearing the device completely so that the user gets a new local profile on the machine); still waiting to get the results on whether this solved anything.
I've been running a ticket with Microsoft support for a few days and we are trying to solve this but have not been able to yet.
So a few questions:
- Does anyone know where I can read about the exact process that handles the sign-ins from Windows to Office 365 with the connected Azure AD user? I need to know more about the actual processes, services, tokens and certificates used.
I've read this one, and although it describes a lot, it did not help me find a solution for this.
https://syfuhs.net/how-azure-ad-windows-sign-in-works#:~:text=The%20way%20this%20works%20you,through%20the%20same%20old%20dance.
- Does anyone have an idea of how to possibly solve this, or has anyone run into similar issues?
Kind regards.
Alex