Help for Azure Authentication Users
This article applies to: Authentication
Last Updated: January 3, 2023
Previous Update: December 9, 2022
Frequently Asked Questions
What is the timeline for campus migration to Azure Authentication?
The deadline to complete migration to Azure Authentication is March 30, 2023. Find out more at Announcing the Azure Authentication Project.
What is changing?
To provide better security, the sign-in process for Microsoft services like Office 365 (Outlook, Teams, SharePoint, Word, Excel, etc.) is being upgraded, migrating users to Azure Authentication. While the new Microsoft sign-in experience looks slightly different, it works the same way. For a preview, visit the Azure Authentication page.
What will I need to do?
- Sign out of your Cornell Microsoft account the night before your assigned date and quit all Office apps. (You will only need to do this process once.)
- Sign in with your NetID and password when prompted on your assigned date.
- You will be prompted once on each device using Office 365 or other Microsoft services.
- To avoid being prompted again later, select Yes on the Stay signed in screen during login.
- If you experience issues during login, please contact your IT Service Group representative or the IT Service Desk.
What happens if I don't sign out of my Cornell Microsoft account before migration?
It is recommended that you sign out of your Cornell Microsoft account and quit all Office apps before migration to help eliminate potential issues once the switch to Azure Authentication occurs. If you do not sign out beforehand, you may experience some of the issues documented here in the FAQ.
Do I need to be on campus or connected to CU VPN to sign in to Azure Authentication?
No, a Cornell network connection, on campus or remotely by CU VPN, is not required during the change-over or for user authentication.
Is there any difference in sign-in behavior between Windows and Mac? Will this behavior cause issues with installed Microsoft Office applications?
Using a Mac or Windows computer should make no difference; this includes email and the Office suite.
How quickly does the prompt to sign in happen across all devices?
ADFS refreshes the authentication token every eight hours. You will be migrated in the late evening, so all tokens should have expired by the next business day, prompting a new sign-in.
Once I have signed in, is the process complete?
Yes, all that is required is to sign in once on each device. To avoid being prompted again, you should select Yes on the Stay signed in screen during login.
What happens with Apple Mail for iOS and macOS clients? Will I need to sign out/sign back in when using those products?
Any client that accesses Office 365, including email, will need to sign in using Azure Authentication, including those configured to use IMAP or POP.
What happens with Exchange Group Accounts (EGAs) in Outlook? Will I also need to sign out/sign back in with them?
The switch to Azure Authentication does not impact EGAs.
Sign in on each device using Office 365 apps
You must sign in for every device using an Office 365 application or service; this includes email clients configured to use the Office 365 email service. The timing of sign-ins on different devices will vary depending on when each device's authorization token expires.
Sign in for each NetID or email account
For each email account and NetID, sign-in and Two-Step Login are required.
ADFS sign-in links saved in bookmarks prompt for second login
You may be prompted for a second login after clicking on ADFS sign-in links in bookmarks. You must remove or update your ADFS bookmarks to avoid being prompted again. It is best practice to bookmark the application and not the login page.
Automated tasks reminder
If you run automated tasks (Power Automate, etc.) under personal credentials, you will need to re-authenticate these jobs after migrating to Azure Authentication. It is not best practice to run production tasks under a personal account.
The "Forgot my password" link
Issue: The "forgot my password" link in the Azure Authentication prompt does not work. The link uses Microsoft's password writeback mechanism and is not in use at Cornell. There is no way for Microsoft to change the link or the information on the login screen.
Solution: Follow the standard NetID password reset instructions.
Microsoft Teams may prompt for Two-Step Login
Issue: You may receive a separate Two-Step Login prompt when launching Teams.
Solution: You should accept the Two-Step Login prompt as you normally would, but only if you were expecting it.
Outlook on the web may prompt for Two-Step Login more than once
Issue: If Outlook on the web is open in your browser when the ADFS token expires, you may be prompted to sign in using Azure Authentication and Two-Step Login. If you have multiple tabs open, especially for Outlook on the web (email, calendar, tasks, etc.), you may receive multiple Two-Step Login prompts.
Solution: You should accept the Two-Step Login prompt(s) as you normally would, but only if you were expecting it.
iOS Mail client may prompt for second login
Issue: After logging in normally, you may be prompted to authenticate one or more times when sending mail.
Solution: You should restart your device. If this happens more than once, please contact the IT Service Desk.
Zoom Calendar and Contacts integration may need to be re-enabled
Issue: After migration, the Zoom Calendar and Contacts integration, which allows the Zoom desktop client to display meetings and contacts from your Outlook calendar, may be disabled. (Note: If you have not enabled Calendar and Contacts in your Zoom profile, this issue will not affect you. The Calendar and Contacts integration is separate from the Outlook add-in that allows you to add a Zoom meeting to your scheduled event.)
Solution: You should re-enable the Zoom Calendar and Contacts integration to begin using it again. For more information, visit How to set up Calendar and Contacts integration.