
Configure Azure Active Directory Single Sign-On (SSO)

You installed Azure AD Connect and want to configure Azure Active Directory Single Sign-On (SSO). It’s a great feature: users get a seamless single sign-on experience when they access cloud services from their domain-joined desktop machines. In this article, you will learn how to set up Azure Active Directory Single Sign-On.

Azure Active Directory Single Sign-On prerequisites

Before you start to enable the feature Azure Active Directory Single Sign-On, you have to check that the organization meets the AAD SSO prerequisites.

Install Azure AD Connect

You need to install and configure Azure AD Connect before you proceed further. If you already have Azure AD Connect in the organization, we recommend you upgrade to the latest Azure AD Connect version. See the next step.

Upgrade Azure AD Connect to latest version

The below articles will help you to upgrade Azure AD Connect to the latest version:

  1. Upgrade Azure AD Connect
  2. Upgrade Azure AD Connect to V2.x
  3. Migrate Azure AD Connect to new server

Configure firewall

Add the URL below to the firewall allow list between the Azure AD Connect server and Azure AD:

  • *.msappproxy.net over port 443

Enable modern authentication

Go through the article on enabling modern authentication in Microsoft 365:

  • Enable Modern Authentication in the Microsoft 365 tenant
  • Configure the registry key on the clients to support modern authentication

How to configure Azure Active Directory Single Sign-On

To configure AAD SSO, follow these steps:

Step 1. Enable Single Sign-On in Azure Active Directory Connect

To enable Azure Active Directory Single Sign-On in Azure AD Connect, follow these steps:

Sign in to Azure AD Connect server.

Start Azure AD Connect. Click on Configure.

Azure AD Connect Configure

Click on Change user sign-in. Click Next.

Azure AD Connect Change user sign-in

Fill in your Azure AD global administrator or hybrid identity administrator credentials. Click Next.

Azure Active Directory connect

Check the checkbox Enable single sign-on. Click Next.

Azure Active Directory enable single sign-on

Enter your domain administrator account credentials. Click Next.

Azure Active Directory enable single sign-on enter domain administrator credentials

Check the checkbox Start the synchronization process when configuration completes. Click Configure.

Azure Active Directory ready to configure

Click on Exit.

Azure Active Directory configuration complete

Step 2. Verify Single Sign-On is active

Sign in to Microsoft Azure Portal.

Click on Menu > Azure Active Directory.

Azure Active Directory

Select Azure AD Connect. Verify that the Seamless single sign-on feature appears as Enabled.

Azure AD Connect Seamless Single sign-on

Start Active Directory Users and Computers. Go to the default Computers container. Verify that the computer account AZUREADSSOACC appears.

AZUREADSSOACC computer account

Note: Seamless SSO creates a computer account named AZUREADSSOACC in your on-premises Active Directory (AD) in each AD forest. The AZUREADSSOACC computer account needs to be strongly protected for security reasons. Only Domain Admins should be able to manage the computer account. Ensure that Kerberos delegation on the computer account is disabled and that no other account in Active Directory has delegation permissions on the AZUREADSSOACC computer account. Store the computer account in an Organizational Unit (OU) where it is safe from accidental deletions and where only Domain Admins have access.
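The checks in the note above can be scripted so they are repeatable. The following PowerShell is an added example, not part of the original article or of Azure AD Connect itself; it assumes the ActiveDirectory RSAT module is available on the machine where it runs and that the account running it can read the AZUREADSSOACC object and its security descriptor. The function name Test-AzureAdSsoAccount and the list of principals treated as acceptable writers are the example's own assumptions; it reads the object and reports findings but changes nothing.

```powershell
# Added example (not from the article): audit the AZUREADSSOACC computer account
# against the hardening guidance: no Kerberos delegation, only Domain Admins
# (plus built-in principals) with write rights, protected from accidental deletion.
Import-Module ActiveDirectory

function Test-AzureAdSsoAccount {
    param(
        [string]$Name = 'AZUREADSSOACC',
        # Principals that may hold write-type rights. Domain Admins per the note;
        # the rest are built-ins that appear on every object by default. Adjust to taste.
        [string[]]$AllowedWriters = @('Domain Admins', 'Enterprise Admins', 'SYSTEM',
                                      'Administrators', 'SELF')
    )

    $props = 'TrustedForDelegation', 'TrustedToAuthForDelegation',
             'msDS-AllowedToDelegateTo', 'msDS-AllowedToActOnBehalfOfOtherIdentity',
             'ProtectedFromAccidentalDeletion', 'DistinguishedName'
    $acc = Get-ADComputer -Identity $Name -Properties $props -ErrorAction Stop

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Every form of Kerberos delegation must be off.
    if ($acc.TrustedForDelegation) {
        $findings.Add('Unconstrained delegation is enabled') }
    if ($acc.TrustedToAuthForDelegation) {
        $findings.Add('Protocol transition (TrustedToAuthForDelegation) is enabled') }
    if ($acc.'msDS-AllowedToDelegateTo') {
        $findings.Add('Constrained delegation targets are configured') }
    if ($acc.'msDS-AllowedToActOnBehalfOfOtherIdentity') {
        $findings.Add('Resource-based constrained delegation is configured') }

    # 2. Only the allowed principals may write to or take control of the object.
    $writeRights = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, GenericWrite, WriteDacl, WriteOwner, WriteProperty'
    $acl = Get-Acl -Path ('AD:\' + $acc.DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ([int]($ace.ActiveDirectoryRights -band $writeRights) -eq 0) { continue }
        $who = $ace.IdentityReference.Value.Split('\')[-1]
        if ($AllowedWriters -notcontains $who) {
            $findings.Add("Write-capable ACE for '$($ace.IdentityReference)' ($($ace.ActiveDirectoryRights))")
        }
    }

    # 3. Placement and deletion protection, per the note.
    if (-not $acc.ProtectedFromAccidentalDeletion) {
        $findings.Add('ProtectedFromAccidentalDeletion is not set') }
    if ($acc.DistinguishedName -match '^CN=[^,]+,CN=Computers,') {
        $findings.Add('Account is still in the default Computers container; move it to a protected OU') }

    [pscustomobject]@{
        Account   = $acc.DistinguishedName
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

Test-AzureAdSsoAccount | Format-List
```

A freshly created AZUREADSSOACC will usually report the Computers-container finding and, in many domains, a write-capable ACE for Account Operators inherited from the default computer object security descriptor; both are exactly the conditions the note asks you to clean up. Run the function again after moving and re-ACLing the object to confirm Compliant is True.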

Step 3. Configure Group Policy

There are two group policies to configure. Follow the steps below:

Start Group Policy Management.

Create a new group policy or edit an existing policy.

Policy 1: Site to Zone Assignment List

Browse to User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page.

Double-click on Site to Zone Assignment List.

Site to Zone Assignment List

Click on Enabled to enable the policy. Then, click on Show.

Site to Zone Assignment List enable

Enter the below Azure AD URL in the zone assignments:

  • https://autologon.microsoftazuread-sso.com with value 1

Enter zone assignment

Policy 2: Allow updates to status bar via script

Browse to User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone.

Double-click on Allow updates to status bar via script.

Allow updates to status bar via script

Click on Enabled to enable the policy. Then, click on Enable.

Allow updates to status bar via script enable
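After the policy has refreshed on a client, it helps to confirm that both settings above actually landed rather than trusting the console. The following PowerShell is an added example, not from the article or from Microsoft; it reads the policy registry values that these two User Configuration settings write. The registry paths and the value name 2103 (the "Allow updates to status bar via script" zone setting, where 0 means Enable) come from the standard Internet Explorer zone policy registry layout and are assumptions here; confirm them against gpresult in your environment. The function name Test-SeamlessSsoClientPolicy is the example's own. It is read-only.

```powershell
# Added example (not from the article): verify on a domain-joined client that the
# Site to Zone Assignment List and "Allow updates to status bar via script"
# policies from the steps above have applied, by reading the policy registry values.
function Test-SeamlessSsoClientPolicy {
    param(
        [string]$SsoUrl = 'https://autologon.microsoftazuread-sso.com'
    )
    # User Configuration policies land under HKCU\Software\Policies; a Computer
    # Configuration version of the same settings would land under HKLM instead.
    $base     = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
    $zoneMap  = Join-Path $base 'ZoneMapKey'   # Site to Zone Assignment List entries
    $intranet = Join-Path $base 'Zones\1'      # Zone 1 = Local intranet

    $results = @()

    # Policy 1: the SSO URL must be assigned to zone 1 (Local intranet).
    $zoneValue = (Get-ItemProperty -Path $zoneMap -Name $SsoUrl -ErrorAction SilentlyContinue).$SsoUrl
    $results += [pscustomobject]@{
        Setting  = 'Site to Zone Assignment List'
        Expected = "$SsoUrl = 1"
        Actual   = if ($null -eq $zoneValue) { '<not set>' } else { "$SsoUrl = $zoneValue" }
        Ok       = ($zoneValue -eq '1')
    }

    # Policy 2: status bar updates via script enabled (2103 = 0) in the Intranet zone.
    $statusBar = (Get-ItemProperty -Path $intranet -Name '2103' -ErrorAction SilentlyContinue).'2103'
    $results += [pscustomobject]@{
        Setting  = 'Allow updates to status bar via script (Intranet zone)'
        Expected = '2103 = 0'
        Actual   = if ($null -eq $statusBar) { '<not set>' } else { "2103 = $statusBar" }
        Ok       = ($statusBar -eq 0)
    }

    $results
}

Test-SeamlessSsoClientPolicy | Format-Table -AutoSize
```

Run gpupdate /force first if the client has not yet picked up the new policy; a row showing <not set> after that usually means the GPO is linked to an OU the user object is not in, or the policy was placed under Computer Configuration instead of User Configuration.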

Step 4. SSO browsers compatibility

If the organization uses different web browsers, you need to configure settings for each browser. Read the Microsoft browser considerations section.

Test Azure Active Directory SSO

Sign in on a domain-joined computer and start the Microsoft Edge browser. Navigate to https://myapps.microsoft.com/tenant.onmicrosoft.com.

In our example, it’s https://myapps.microsoft.com/exoip365.onmicrosoft.com.

You don’t have to add the username or password; it will automatically sign in.

myapps.microsoft.com single sign-on

You successfully configured AAD SSO in the organization.

Read more: Find Azure AD Connect accounts »

Conclusion

You learned how to configure Azure Active Directory Single Sign-On (SSO). Ensure that the organization meets the prerequisites before you set up Azure AD SSO. Always test the configuration when deployed. From now on, the users automatically sign in and don’t have to fill in their credentials whenever they connect to cloud services from their domain-joined machine.

Did you enjoy this article? You may also like Configure Azure AD Password Protection for on-premises. Don’t forget to follow us and share this article.

ALI TAJRAN

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others.

This Post Has 2 Comments

  1. Hi Ali,

    This is a very informative article.

    Can the AZUREADSSOACC computer object be moved from the default OU to another? Also, what would be the right process and requirements before doing so?
