Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation.

Users experience unexpected sign-in results in Office 365 after you apply a client access policy



Problem

After you apply an Active Directory Federation Services (AD FS) 2.0 client access policy, users who access Microsoft Office 365 services experience unexpected results. Users experience these results in one of the following ways:

  • Users on client devices that should be allowed access can no longer connect to Office 365 by using single sign-on (SSO)-enabled credentials. Users receive the following error message:
    There was a problem accessing the site. Try to browse to the site again.
  • Users on client devices that shouldn't be allowed access to SSO functionality can sign in to Office 365 by using federated user credentials.



Solution

To work around this issue, remove the client access policy from the AD FS 2.0 federation server on the primary node in the AD FS 2.0 federation server farm. To do this, follow these steps:

  1. Click Start, point to All Programs, point to Administrative Tools, and then click AD FS 2.0 Management.
  2. In the left navigation pane, click AD FS 2.0, click Trust Relationships, click Relying Party Trusts, right-click Microsoft Office 365 Identity Platform, and then click Edit Claim Rules.
  3. On the Issuance Authorization Rules tab, remove all the entries that are listed except the Permit Access to All Users rule. To remove an entry, select it, and then click Remove Rule.
  4. If the Permit Access to All Users entry isn't present, and if the list is empty after you perform step 3, click Add Rule, select Permit All Users from the drop-down list, click Next, and then click Finish.

After you follow these steps, test SSO-enabled user access to make sure that the default AD FS 2.0 behavior to allow all client connections is restored.
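
The same reset can be scripted on the primary federation server with the AD FS 2.0 PowerShell snap-in. The following is an added example, not part of the original KB article; it saves the existing issuance authorization rules first so that the client access policy can be reviewed and corrected later. The backup file location is an assumption.

```powershell
# Added example (not from the KB article). Run in an elevated PowerShell
# session on the primary node of the AD FS 2.0 federation server farm.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop

# Relying party trust named in step 2 of the procedure
$rpName = 'Microsoft Office 365 Identity Platform'

# Assumed backup location; change to a path that suits your environment
$backupPath = Join-Path $env:TEMP 'o365-issuance-authz-rules.bak.txt'

$rp = Get-ADFSRelyingPartyTrust -Name $rpName
if (-not $rp) {
    throw "Relying party trust '$rpName' was not found on this server."
}

# Save the current rules before changing anything, so the client access
# policy that caused the problem can be inspected and re-applied correctly.
$rp.IssuanceAuthorizationRules | Out-File -FilePath $backupPath -Encoding UTF8
Write-Host "Existing issuance authorization rules saved to $backupPath"

# The rule that the "Permit All Users" template creates (step 4).
$permitAll = @'
@RuleTemplate = "AllowAllAuthzRule"
@RuleName = "Permit Access to All Users"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Replace every issuance authorization rule with the single permit-all rule
# (steps 3 and 4 combined).
Set-ADFSRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $permitAll

# Show the rules now in effect; only the permit-all rule should be listed.
(Get-ADFSRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
```

Because this restores the default behavior of allowing all client connections, keep the saved rule file until the client access policy has been corrected and re-applied.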

Resolution 1: Implement an AD FS 2.0 federation server proxy as part of the Office 365 SSO and identity federation architecture

For more info about how to implement AD FS 2.0 federation services, go to the following Microsoft website:


Resolution 2: Check the client access policy

Verify that the client access policy was applied correctly. For more info, go to the following Microsoft TechNet website:


For help in configuring client access policy rules in AD FS 2.0 for Office 365 SSO, contact Office 365 technical support.



More information

This issue may occur if one of the following conditions is true:

  • The AD FS 2.0 federation server proxy isn't used to expose the AD FS 2.0 federation service to Internet devices.
  • The client access policy rule was incorrectly applied to the AD FS 2.0 federation server.




Still need help? Go to the Office 365 Community website or the Windows Azure Active Directory Forums website.



Keywords: o365, o365a, o365m, o365062011, pre-upgrade, o365022013, after, upgrade, o365e, KB2619789


Article Info
Article ID : 2619789
Revision : 11
Created on : 11/1/2013
Published on : 11/1/2013
Exists online : False