When a federated user tries to sign in to a Microsoft cloud service such as Microsoft 365, Microsoft Azure, or Microsoft Intune from a sign-in webpage whose URL starts with "https://login.microsoftonline.com/login", authentication for that user fails. Additionally, the user receives the following error message:
Sorry, but we're having trouble signing you in
Please try again in a few minutes. If this doesn't work, you might want to contact your admin and report the following error:
80041317 or 80043431
This issue occurs when the configuration settings of the federated domain for the on-premises Active Directory Federation Services (AD FS) service and for the Microsoft Entra authentication system are mismatched. This causes the claim that the AD FS service supplies to be malformed and therefore rejected by the Microsoft Entra authentication system.
Note
This can occur after the token-signing certificate is renewed on-premises without updating federation trust data.
Note
Azure AD and MSOnline PowerShell modules are deprecated as of March 30, 2024. To learn more, read the deprecation update. After this date, support for these modules is limited to migration assistance to Microsoft Graph PowerShell SDK and security fixes. The deprecated modules will continue to function through March 30, 2025.
We recommend migrating to Microsoft Graph PowerShell to interact with Microsoft Entra ID (formerly Azure AD). For common migration questions, refer to the Migration FAQ. Note: Versions 1.0.x of MSOnline may experience disruption after June 30, 2024.
To verify that this is the cause of the issue that you're experiencing, follow these steps on a domain-joined computer:
Click Start, click All Programs, click Microsoft Entra ID, and then click Microsoft Azure Active Directory module for Windows PowerShell.
At the command prompt, type the following commands. Make sure that you press Enter after you type each command:
$cred = get-credential
Note
When you're prompted, enter your cloud service admin credentials.
Connect-MSOLService -credential:$cred
Set-MSOLADFSContext -Computer:<AD FS 2.0 Server Name>
Note
In this command, the placeholder <AD FS 2.0 Server Name> represents the Windows host name of the primary AD FS server.
Get-MsolFederationProperty -DomainName <Federated Domain Name>
Note
In this command, the <Federated Domain Name> placeholder represents the name of the domain that's already federated with the cloud service for single sign-on (SSO).
Note
The command output is divided into the following two sections:
The output resembles the following:
To resolve this issue, use one of the following methods:
For more information about how to do this, see the "How to update the configuration of the Microsoft 365 federated domain" section in How to update or repair the settings of a federated domain in Microsoft 365, Azure, or Intune.
If method 1 doesn't resolve the issue, try to repair the federated trust. For more information about how to do this, see the "How to repair the configuration of the Microsoft 365 federated domain" section in How to update or to repair the configuration of the Microsoft 365 federated domain.
If methods 1 and 2 don't resolve the issue, try to manually update the mismatched attributes. In the Windows PowerShell connection that you used to diagnose the issue, run the appropriate cmdlet from the following table:
Mismatched attributes | Error code | Command to update attribute | Notes |
---|---|---|---|
FederationServiceIdentifier | 80043431 | Set-MSOLDomainFederationSettings -domainname <Domain.suffix> -issueruri <newURI> | The placeholder <Domain.suffix> represents the federated domain name. The placeholder <newURI> represents the URI value of the on-premises FederationServiceIdentifier attribute (listed first in the output of the Get-MsolFederationProperty cmdlet). |
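
The comparison that the diagnostic steps call for, as an added example that is not part of the original article: the function lists the attributes that differ between the on-premises and cloud copies of the federation settings. The sample objects are constructed, and the `Source` values and the `TokenSigningCertificate` property name are assumptions about the `Get-MsolFederationProperty` output, which this page does not show.

```powershell
# Added example, not Microsoft's code. Reports which federation attributes differ
# between the on-premises (AD FS) copy and the cloud copy of the trust settings.

# Error code per attribute, taken from the table on this page (one row is listed).
$ErrorCodeByProperty = @{ FederationServiceIdentifier = '80043431' }

function ConvertTo-ComparableValue($Value) {
    if ($null -eq $Value) { return '' }
    # Certificates are compared by thumbprint, everything else as trimmed text.
    if ($Value -is [System.Security.Cryptography.X509Certificates.X509Certificate2]) {
        return $Value.Thumbprint
    }
    return ([string]$Value).Trim()
}

function Compare-FederationProperty {
    param(
        [Parameter(Mandatory)] $OnPrem,   # settings as reported by the AD FS server
        [Parameter(Mandatory)] $Cloud,    # settings held by the cloud service
        # TokenSigningCertificate is an assumed property name (not shown on the page).
        [string[]] $Property = @('FederationServiceIdentifier', 'TokenSigningCertificate')
    )
    foreach ($name in $Property) {
        $adfsValue  = ConvertTo-ComparableValue $OnPrem.$name
        $cloudValue = ConvertTo-ComparableValue $Cloud.$name
        # -cne is case-sensitive, so a case-only difference is reported too.
        if ($adfsValue -cne $cloudValue) {
            [pscustomobject]@{
                Property   = $name
                OnPremises = $adfsValue
                Cloud      = $cloudValue
                ErrorCode  = $ErrorCodeByProperty[$name]   # empty when the page lists none
            }
        }
    }
}

# Constructed sample data (hypothetical host names and thumbprint).
$thumb  = '0123456789ABCDEF0123456789ABCDEF01234567'
$onPrem = [pscustomobject]@{ Source = 'ADFS Server'; TokenSigningCertificate = $thumb
    FederationServiceIdentifier = 'http://sts.contoso.example/adfs/services/trust' }
$cloud  = [pscustomobject]@{ Source = 'Microsoft Office 365'; TokenSigningCertificate = $thumb
    FederationServiceIdentifier = 'http://sts-old.contoso.example/adfs/services/trust' }
Compare-FederationProperty -OnPrem $onPrem -Cloud $cloud | Format-List

# Against a live tenant (assumed Source values), after the connection steps above:
# $p = Get-MsolFederationProperty -DomainName <Federated Domain Name>
# Compare-FederationProperty ($p | ? Source -eq 'ADFS Server') ($p | ? Source -ne 'ADFS Server')
```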
Still need help? Go to Microsoft Community or the Microsoft Entra Forums website.