We have an ADFS Claim Rule set up to allow IMAP access to an Office 365 mailbox from one of our applications.
Recently, we were asked to add a new account to the existing ADFS Claim Rule. A pretty straightforward request.
After adding the new account to the rule, we had the application owners test it. They did some testing and they could not get the new account to work.
The first thing we did to troubleshoot this further was to review the AD FS event logs. We found several events related to the new account: AD FS events 1000 and 325.
1000 Event – An error occurred during processing of a token request.
325 Event – The Federation Service could not authorize token issuance for caller.
After several attempts to fix the problem failed, we noticed, both in Active Directory and in the event logs above (grayed out), that the account name contained a couple of upper-case characters.
Since IMAP is being used, we modified the ADFS Claim Rule so that the account name in the rule matched Active Directory exactly, including the case of those characters.
We had the application owners test it again and they were able to get it to work without any problems.
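The post does not show the rule itself, so the following is an added PowerShell example (not the author's code) for catching this class of mistake before anyone has to test it. It assumes the issuance authorization rules match the UPN claim against a literal string with `Value == "..."`, and it runs offline on constructed sample rule text and sample UPNs; the commented lines at the end show how to feed it the real rule set and directory values with the `Get-AdfsRelyingPartyTrust` and `Get-ADUser` cmdlets, with a placeholder for the relying party trust name.

```powershell
# Added example (not from the original post). Given the text of an AD FS issuance
# authorization rule set and the UPNs as stored in Active Directory, report every
# account referenced in a rule whose spelling differs from AD only by case.
# Assumption: rules compare the UPN claim with a literal string, i.e. Value == "...".
function Test-ClaimRuleAccountCase {
    param(
        [Parameter(Mandatory)] [string]   $RuleText,      # e.g. (Get-AdfsRelyingPartyTrust ...).IssuanceAuthorizationRules
        [Parameter(Mandatory)] [string[]] $DirectoryUpns  # UserPrincipalName values read from AD
    )
    $results = @()
    # Capture every literal compared against a claim Value, e.g. Value == "svc.imap@contoso.com"
    $pattern = 'Value\s*==\s*"([^"]+)"'
    foreach ($m in [regex]::Matches($RuleText, $pattern)) {
        $ruleValue = $m.Groups[1].Value
        $exact = $DirectoryUpns | Where-Object { $_ -ceq $ruleValue }   # -ceq: case-sensitive compare
        $loose = $DirectoryUpns | Where-Object { $_ -ieq $ruleValue }   # -ieq: case-insensitive compare
        if ($exact) { $status = 'OK' }
        elseif ($loose) { $status = "CASE MISMATCH (AD has '$($loose | Select-Object -First 1)')" }
        else { $status = 'NOT FOUND IN AD' }
        $results += [pscustomobject]@{ RuleValue = $ruleValue; Status = $status }
    }
    return $results
}

# Constructed sample data for offline use: the rule text and the UPNs below are made up.
$sampleRules = @'
@RuleName = "Permit IMAP service account"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", Value == "svc.imap@contoso.com"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
@RuleName = "Permit new IMAP account"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", Value == "app.reader@contoso.com"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@
# The second account is spelled with capitals in the directory, as in the post.
$sampleUpns = @('svc.imap@contoso.com', 'App.Reader@contoso.com')

Test-ClaimRuleAccountCase -RuleText $sampleRules -DirectoryUpns $sampleUpns | Format-Table -AutoSize

# Against a live AD FS farm, feed the real rule text and directory values instead
# (replace the placeholder trust name with your relying party trust):
#   $rp   = Get-AdfsRelyingPartyTrust -Name 'REPLACE-WITH-RP-TRUST-NAME'
#   $upns = (Get-ADUser -Filter * -Properties UserPrincipalName).UserPrincipalName
#   Test-ClaimRuleAccountCase -RuleText $rp.IssuanceAuthorizationRules -DirectoryUpns $upns
```

On the sample data the first rule reports OK and the second reports a case mismatch, which is the symptom the post describes: the account exists, but the rule's spelling does not match the directory byte for byte. Running the check right after editing a rule, and before handing it to the application owners, turns a round of failed testing and event-log digging into a one-line finding.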