Question
A customer is asking:
We are currently using the M365 Connector and are transitioning our school network clients from Office 2024 Pro Plus to the Microsoft 365 desktop apps.
Our goal is to enable Single Sign-On (SSO): when a user logs into a school computer (which is already connected to the UCS portal via SSO), they should be automatically signed into applications like Word and Excel. Currently, users have to log in again manually when they start an Office application. Is it possible to achieve a “log in once” workflow for these local clients?
Answer
While the desire for a seamless login process is understandable, providing a fully automated SSO experience for Microsoft 365 desktop applications in a school environment is currently not feasible.
Technical Background
In the past, it was often possible to achieve SSO-like behavior using specific user attributes, such as the User Principal Name (UPN). While this was not a native feature of UCS initially, it was previously implemented as a technical workaround in specific test projects.
However, Microsoft has significantly changed the authentication architecture for Microsoft 365. Modern authentication no longer relies solely on the UPN and password. Instead, it requires:
- Device Binding: A permanent link between the user and the specific hardware.
- Persistent Auth Tokens: Secure tokens stored within the local user profile.
- Stable Context: A consistent user and device environment.
Obstacles in School Environments
The specific nature of school networks makes it difficult to maintain the “context” Microsoft now requires. The following factors prevent automatic login:
- Shared Devices: Multiple users frequently switch between the same workstations.
- Profile Management: Local profiles are often deleted or reset regularly to maintain system performance and privacy.
- Session Resets: Without a persistent local profile that stores the hardware-bound token, Microsoft treats every Office launch as a new session on an “unknown” device.
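The requirements listed under Technical Background and the obstacles above can be checked on a client rather than inferred. The following PowerShell snippet is an added example, not part of the original answer or of UCS or the M365 Connector: it parses the output of the Windows tool `dsregcmd /status` and reports whether the device binding (`AzureAdJoined`) and the user's Primary Refresh Token (`AzureAdPrt`, the persistent token Office relies on for silent sign-in) are present. The `AzureAdJoined` and `AzureAdPrt` field names come from real `dsregcmd` output; the `EntraJoined` fallback is an assumption for newer Windows builds, and the sample output embedded below is constructed to resemble a domain-joined school PC after a profile reset.

```powershell
# Added example (not from the Univention answer): inspect dsregcmd /status to see
# whether this client currently holds what the M365 desktop apps need for silent
# sign-in: a device binding and a Primary Refresh Token (PRT) in the user session.

function Get-DsregState {
    param(
        # Accepts captured output so the parser can be tested offline;
        # by default it runs dsregcmd.exe on the local machine.
        [string[]]$Lines = (& dsregcmd.exe /status)
    )
    $state = @{}
    foreach ($line in $Lines) {
        # dsregcmd prints "   Name : VALUE" lines; box-drawing lines are skipped.
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Test-M365SilentSignInPrereqs {
    param([hashtable]$State)
    # "EntraJoined" is an assumed alias for newer builds; AzureAdJoined is the documented field.
    $deviceBound = ($State['AzureAdJoined'] -eq 'YES') -or ($State['EntraJoined'] -eq 'YES')
    # The PRT lives in the user's session/profile; after a profile reset it is gone
    # even when the device itself is still joined.
    $prtPresent  = ($State['AzureAdPrt'] -eq 'YES')
    [pscustomobject]@{
        DeviceBound        = $deviceBound
        PrtPresent         = $prtPresent
        SilentSignInLikely = ($deviceBound -and $prtPresent)
    }
}

# Constructed sample: an on-premises domain-joined school PC with no Entra device
# binding and no PRT in the current (freshly created) user profile.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : NO
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : SCHOOL

+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+

                AzureAdPrt : NO
'@ -split "`r?`n"

# Offline run against the constructed sample (expect DeviceBound/PrtPresent = False):
Test-M365SilentSignInPrereqs -State (Get-DsregState -Lines $sample)

# On a real client, run without -Lines to inspect the live state:
# Test-M365SilentSignInPrereqs -State (Get-DsregState)
```

Run the live form in the user's own session (not an elevated administrator prompt), because the PRT is tied to the logged-in user; `DeviceBound = True` with `PrtPresent = False` is exactly the "known device, unknown session" situation the answer describes for reset profiles.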
Conclusion
This limitation is not specific to UCS. Even in a native Windows Active Directory environment, true SSO for M365 apps is generally not achievable under these specific conditions (shared devices and non-persistent profiles).
In summary:
- Automatic login to Office 365 via the Windows login is not supported in typical school network scenarios.
- The secondary login within Word, Excel, etc., is a technical requirement from Microsoft and is currently unavoidable.