The EDF webmail relies on the Microsoft 365 infrastructure, which means that the connection goes through a specific authentication portal (ADFS or Entra ID) before reaching the Outlook inbox. This architecture, reinforced by multi-factor authentication, creates friction points that simple entry of a username and password cannot resolve.
Sesame ID and Entra ID: the technical foundation to understand before any configuration
EDF has initiated a convergence between its internal identifiers, historically called “Sesame” (linked to the NNI), and the Entra ID accounts (formerly Azure AD) used by Microsoft 365. This migration changes the way an employee authenticates on Outlook, whether via the desktop client or the web version.
You may also like : How to Delegate Effectively Without Losing Control with CorexiaPro
Specifically, the EDF professional email address no longer functions as a standalone identifier. It is linked to an Entra ID account that centralizes access to all Microsoft 365 applications: Exchange Online email, calendar, OneDrive files, Teams. Any connection attempt from Outlook first goes through the EDF ADFS portal (cws.edf.fr), which redirects to Microsoft authentication.
This intermediary layer explains why a standard IMAP or POP configuration does not work for EDF webmail. The mandated protocol is Exchange ActiveSync or MAPI/HTTP, natively managed by recent versions of Outlook. Older versions of the email client, prior to Outlook 2016, may encounter incompatibilities with this mechanism.
Related reading : How to Easily Pay Online with an Illicado Card at Leroy Merlin
To access EDF webmail from Outlook, one must therefore have an active Entra ID account and a mail client compatible with modern authentication (OAuth 2.0).
Multi-factor authentication on EDF Outlook: what really blocks
Since the migration to Microsoft 365, multi-factor authentication (MFA) is mandatory for any remote access to EDF’s Exchange resources. This security enhancement applies to both Outlook on the web and the Outlook client installed on a non-managed workstation.
EDF’s MFA relies on the Microsoft Authenticator app or a code sent via SMS to the registered professional phone number. Upon first login from a new workstation or browser, two-step validation is systematically required.
The most common blocks occur in three specific cases:
- The employee uses a personal device not registered in the Entra ID conditional access policy, which triggers an automatic denial even before entering the second factor.
- The Authenticator app is not synchronized (phone change, reinstallation), and the generated code no longer corresponds to the EDF account.
- The browser or Outlook client retains an expired authentication token, causing a redirection loop between cws.edf.fr and login.microsoftonline.com without ever resolving.
For the last case, clearing the Windows credential cache and deleting the Outlook profile before recreating the connection resolves most situations. On Outlook web, deleting cookies from the microsoftonline.com domain is usually sufficient.
Non-managed email clients: restrictions applied by EDF
EDF has tightened control over so-called “non-managed” email clients, meaning those installed on workstations that are not administered by the group’s Digital Management. This policy intentionally limits synchronization possibilities from a personal Outlook or third-party software like Thunderbird.
In practice, only workstations enrolled in EDF’s device management system benefit from full access to Exchange Online (sending, receiving, calendar and contact synchronization). An unenrolled device may be allowed to access email via Outlook web, but with restrictions: limited attachment downloads, copy-paste disabled in some cases, inability to forward messages to external addresses.
These restrictions are governed by the conditional access rules configured in Entra ID. They vary according to the employee’s profile and the sensitivity of the data processed. Field feedback varies on this point: some agents access without difficulty from their personal workstation, while others encounter total blockage.
Check the compatibility of your workstation
Before attempting a configuration, it is useful to check if the workstation meets EDF’s technical requirements:
- Up-to-date operating system (Windows 10/11 or recent macOS) with security patches applied.
- Outlook version supporting modern authentication OAuth 2.0 (Outlook 2016 or later, with recent cumulative updates).
- No active third-party VPN that might alter the IP address perceived by the ADFS portal, which can trigger a geographic blocking policy.
EDF Outlook web connection: the concrete procedure via the browser
The most reliable way to check EDF email remains the internet browser, via Outlook on the web. The access portal is hosted on cws.edf.fr, which automatically redirects to the Microsoft authentication page.
The direct login URL is outlook.office.com, but the ADFS redirection requires going through the EDF portal for the Sesame/Entra ID identifier to be recognized. Typing directly outlook.office.com and then entering the EDF address also works, as Microsoft detects the domain and redirects to the correct authentication portal.
Once MFA is validated, the Outlook web interface provides access to email, shared calendar, contacts, and professional OneDrive files. The available features depend on the access level assigned to the workstation: an unmanaged device may display a potentially restricted version of the interface.
For the locally installed Outlook client, configuration is done via “Add Account” in the settings. Simply enter the EDF email address: Outlook automatically detects the Exchange settings via Microsoft 365 autodiscover and initiates the MFA process. No manual configuration of SMTP or IMAP servers is necessary or even possible in this architecture.
The main point of attention remains session management. EDF applies relatively short session expiration times on web connections. Closing the browser without logging out may leave an active token that, upon expiration, will cause an error during the next reconnection. Getting into the habit of explicitly logging out via the user menu avoids this type of recurring inconvenience.