Fixing the “Add‑in is not configured for single sign‑on” error when your Microsoft 365 tenant is federated to AD FS
Office add‑ins like MailMerge365 obtain their SSO token through Azure AD’s modern‑authentication flow.
When the tenant is managed (cloud‑only), Azure AD authenticates the user directly and the token request succeeds.
In a federated tenant (AD FS) two default AD FS settings block that flow:
AD FS element | Why it matters | Default | Symptom |
---|---|---|---|
Forms authentication | The Office WebView can’t forward Kerberos; it falls back to a forms‑based logon page. If Forms auth is disabled, the flow fails. | Off | Add‑in banner “not configured for SSO” / error 13003 |
WS‑Trust WindowsTransport endpoint /adfs/services/trust/13/windowstransport | Used by Office desktop apps for silent (desktop) SSO. | Disabled | Endless credential prompts or 13003 |
Sources
- Troubleshoot sign‑in issues with modern authentication when you use AD FS – sections “An error occurred...” and “Desktop single sign‑on (SSO) with AD FS fails”
Required changes (run on every AD FS server)
```powershell
# 1 – Allow Forms authentication inside the corporate network
Set-AdfsProperties -IntranetFormsAuthenticationEnabled $true

# 2 – Enable the WS‑Trust WindowsTransport endpoint
Enable-AdfsEndpoint -TargetAddressPath "/adfs/services/trust/13/windowstransport"
```
👆 Restart the ADFS service after making these changes.
Windows Integrated Authentication can stay enabled; Forms authentication just needs to be available as well.
Sources
- Forms authentication step: see the “An error occurred...” guidance in the Microsoft article above.
- Endpoint step: see “Desktop single sign‑on (SSO) with AD FS fails” in the same article.
- Cmdlet reference: Set‑AdfsProperties | Enable‑AdfsEndpoint
Verifying the fix
- Close all Office applications.
- Re‑open Word / Excel / Outlook and launch the add‑in again.
- The warning banner is gone and no 13003 appears in the console.
- (Optional) In Fiddler or dev‑tools you should see a successful call to login.microsoftonline.com returning an access_as_user token.
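A server-side check to go with the client-side verification above, as an added example that is not part of the original article. It reads back the two settings on an AD FS server and also reports whether the windowstransport endpoint is published through the Web Application Proxy, because that endpoint is intended for intranet clients only. The function name `Test-AdfsOfficeSsoPrereqs` and the sample objects are assumptions made for illustration; the intranet methods are read through `Get-AdfsGlobalAuthenticationPolicy`, which is where AD FS reports its primary authentication providers.

```powershell
# Added example (not from the original article). Test-AdfsOfficeSsoPrereqs is a
# hypothetical helper name. Run in an elevated session on an AD FS server.
function Test-AdfsOfficeSsoPrereqs {
    param(
        [Parameter(Mandatory)] $AuthPolicy,  # from Get-AdfsGlobalAuthenticationPolicy
        [Parameter(Mandatory)] $Endpoint     # from Get-AdfsEndpoint
    )
    $providers = @($AuthPolicy.PrimaryIntranetAuthenticationProvider)
    [pscustomobject]@{
        FormsOnIntranet       = $providers -contains 'FormsAuthentication'
        WindowsAuthOnIntranet = $providers -contains 'WindowsAuthentication'
        WindowsTransportOn    = [bool]$Endpoint.Enabled
        PublishedThroughProxy = [bool]$Endpoint.Proxy
    }
}

$path = '/adfs/services/trust/13/windowstransport'
if (Get-Command Get-AdfsEndpoint -ErrorAction SilentlyContinue) {
    # AD FS module present: read the live configuration.
    $policy   = Get-AdfsGlobalAuthenticationPolicy
    $endpoint = Get-AdfsEndpoint -AddressPath $path
} else {
    # Constructed sample objects so the logic can be read off a workstation:
    # the state of a server where neither change has been applied yet.
    $policy   = [pscustomobject]@{ PrimaryIntranetAuthenticationProvider = @('WindowsAuthentication') }
    $endpoint = [pscustomobject]@{ AddressPath = $path; Enabled = $false; Proxy = $false }
}

$state = Test-AdfsOfficeSsoPrereqs -AuthPolicy $policy -Endpoint $endpoint
$state | Format-List

if (-not $state.FormsOnIntranet)    { Write-Warning 'Forms authentication is not offered on the intranet.' }
if (-not $state.WindowsTransportOn) { Write-Warning "$path is disabled." }
if ($state.PublishedThroughProxy) {
    # This endpoint uses Windows integrated auth and is meant for intranet clients only.
    Write-Warning "$path is published through the proxy; keep it intranet-only (Set-AdfsEndpoint -TargetAddressPath '$path' -Proxy `$false)."
}
```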
Additional good practice
- Confirm modern authentication is enabled for Office clients (it is on by default today).
- Use Office builds Version 1911 / Build 12215.20006 or later (Identity API 1.3).
  Source: Troubleshoot SSO error messages in Office Add‑ins – section “50001”.
- If you still get prompts, clear the Web Account Manager cache (Settings > Accounts > Access work or school > Disconnect) and sign in again.
- Consider moving away from AD FS toward Password‑Hash Sync or Pass‑through Authentication; those do not need the workaround above.