Configure Azure Active Directory Single Sign-On (SSO)
You installed Azure AD Connect and want to configure Azure Active Directory Single Sign-On (SSO). It’s a great feature: users get a seamless single sign-on experience when they access cloud services from their domain-joined desktop machines. In this article, you will learn how to set up Azure Active Directory Single Sign-On.
Azure Active Directory Single Sign-On prerequisites
Before you enable Azure Active Directory Single Sign-On, check that the organization meets the AAD SSO prerequisites.
Install Azure AD Connect
You need to install and configure Azure AD Connect before you proceed further. If you already have Azure AD Connect in the organization, we recommend you upgrade to the latest Azure AD Connect version. See the next step.
Upgrade Azure AD Connect to latest version
The below articles will help you to upgrade Azure AD Connect to the latest version:
Configure firewall
Add the URL below to the firewall allow list between the Azure AD Connect server and Azure AD:
- *.msappproxy.net over port 443
Enable modern authentication
Work through the article on enabling modern authentication in Microsoft 365:
- Enable Modern Authentication in the Microsoft 365 tenant
- Configure the registry key on the clients to support modern authentication
How to configure Azure Active Directory Single Sign-On
To configure AAD SSO, follow these steps:
Step 1. Enable Single Sign-On in Azure Active Directory Connect
To enable Azure Active Directory Single Sign-On in Azure AD Connect, follow these steps:
Sign in to Azure AD Connect server.
Start Azure AD Connect. Click on Configure.
Click on Change user sign-in. Click Next.
Fill in your Azure AD global administrator or hybrid identity administrator credentials. Click Next.
Check the checkbox Enable single sign-on. Click Next.
Enter your domain administrator account credentials. Click Next.
Check the checkbox Start the synchronization process when configuration completes. Click Configure.
Click on Exit.
Step 2. Verify Single Sign-On is active
Sign in to Microsoft Azure Portal.
Click on Menu > Azure Active Directory.
Select Azure AD Connect. Verify that the Seamless single sign-on feature appears as Enabled.
Start Active Directory Users and Computers. Go to the default Computers container. Verify that the computer account AZUREADSSOACC appears.
Note: Seamless SSO creates a computer account named AZUREADSSOACC in your on-premises Active Directory (AD) in each AD forest. The AZUREADSSOACC computer account needs to be strongly protected for security reasons. Only Domain Admins should be able to manage the computer account. Ensure that Kerberos delegation on the computer account is disabled and that no other account in Active Directory has delegation permissions on the AZUREADSSOACC computer account. Store the computer account in an Organizational Unit (OU) where it is safe from accidental deletion and where only Domain Admins have access.
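The following script is an added example, not code from the article or from Microsoft: it audits the AZUREADSSOACC computer account against the points in the note above (no delegation on the account, no other principal allowed to delegate to its SPNs, write rights on the object limited to admin groups, protection from accidental deletion) and reports the age of the Kerberos decryption key, which Microsoft recommends rolling over at least every 30 days. It assumes the RSAT ActiveDirectory module is installed and that the caller can read the account and its ACL; the function name Test-SeamlessSsoAccount is my own.

```powershell
# Added example (not from the article): audit the AZUREADSSOACC computer account
# against the hardening points in the note above. Assumes the RSAT ActiveDirectory
# module is installed and the caller can read the account and its ACL.
Import-Module ActiveDirectory

function Test-SeamlessSsoAccount {
    param([string]$Name = 'AZUREADSSOACC')

    $findings = [System.Collections.Generic.List[string]]::new()
    $props = 'ServicePrincipalName', 'TrustedForDelegation', 'TrustedToAuthForDelegation',
             'msDS-AllowedToDelegateTo', 'msDS-AllowedToActOnBehalfOfOtherIdentity',
             'ProtectedFromAccidentalDeletion', 'PasswordLastSet'
    try {
        $acc = Get-ADComputer -Identity $Name -Properties $props -ErrorAction Stop
    } catch {
        return [pscustomobject]@{
            Found    = $false
            Findings = @("$Name not found: Seamless SSO is not enabled in this forest (repeat Step 1)")
        }
    }

    # 1. The account itself must not be trusted for any form of Kerberos delegation.
    if ($acc.TrustedForDelegation) {
        $findings.Add('Unconstrained delegation is enabled on the account')
    }
    if ($acc.TrustedToAuthForDelegation -or $acc.'msDS-AllowedToDelegateTo') {
        $findings.Add('Constrained delegation is configured on the account')
    }
    if ($acc.'msDS-AllowedToActOnBehalfOfOtherIdentity') {
        $findings.Add('Resource-based constrained delegation is configured on the account')
    }

    # 2. No other principal may be allowed to delegate to the SPNs registered on the account.
    foreach ($spn in $acc.ServicePrincipalName) {
        $delegators = Get-ADObject -LDAPFilter "(msDS-AllowedToDelegateTo=$spn)"
        foreach ($d in $delegators) {
            $findings.Add("$($d.DistinguishedName) is allowed to delegate to $spn")
        }
    }

    # 3. Only SYSTEM, SELF and the built-in admin groups should hold write rights on the object.
    #    Anything else (including inherited default ACEs such as Account Operators) is reported
    #    so an administrator can decide whether it belongs there.
    $trusted = 'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'BUILTIN\Administrators'
    $acl = Get-Acl -Path "AD:\$($acc.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value
        if ($id -in $trusted -or $id -match '\\(Domain Admins|Enterprise Admins)$') { continue }
        if ($ace.ActiveDirectoryRights.ToString() -match 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty') {
            $findings.Add("$id holds $($ace.ActiveDirectoryRights) on the account")
        }
    }

    # 4. Deletion protection and age of the Kerberos decryption key (the account password).
    if (-not $acc.ProtectedFromAccidentalDeletion) {
        $findings.Add('Account is not protected from accidental deletion')
    }
    if ($acc.PasswordLastSet) {
        $age = (Get-Date) - $acc.PasswordLastSet
        if ($age.TotalDays -gt 30) {
            $findings.Add("Kerberos decryption key is $([int]$age.TotalDays) days old; Microsoft recommends rolling it over at least every 30 days")
        }
    }

    [pscustomobject]@{
        Found    = $true
        Location = $acc.DistinguishedName
        Findings = $findings.ToArray()
    }
}

# Usage: run on a domain-joined admin workstation or a domain controller.
Test-SeamlessSsoAccount | Format-List
```

An empty Findings list means the account matches the note; every entry is something to review rather than an automatic failure, because inherited default permissions on the Computers container will show up here until the account is moved to a locked-down OU.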
Step 3. Configure Group Policy
There are two group policies to configure. Follow the steps below:
Start Group Policy Management.
Create a new group policy or edit an existing policy.
Policy 1: Site to Zone Assignment List
Browse to User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page.
Double-click on Site to Zone Assignment List.
Click on Enabled to enable the policy. Then, click on Show.
Enter the below Azure AD URL in the zone assignments:
- https://autologon.microsoftazuread-sso.com with value 1
Policy 2: Allow updates to status bar via script
Browse to User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone.
Double-click on Allow updates to status bar via script.
Click on Enabled to enable the policy. Then, click on Enable.
Step 4. SSO browsers compatibility
If the organization uses several web browsers, you need to configure the settings for each of them. Read the Microsoft browser considerations section.
Test Azure Active Directory SSO
Sign in on a domain-joined computer and start the Microsoft Edge browser. Navigate to https://myapps.microsoft.com/tenant.onmicrosoft.com.
In our example, it’s https://myapps.microsoft.com/exoip365.onmicrosoft.com.
You don’t have to add the username or password; it will automatically sign in.
You have successfully configured AAD SSO in the organization.
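The following client-side check is an added example, not code from the article or from Microsoft: run it on a domain-joined computer (after gpupdate and after opening the My Apps URL above) to confirm that both Step 3 policies reached the registry, that port 443 to the Seamless SSO endpoint is reachable, and that the sign-in actually produced a Kerberos service ticket for autologon.microsoftazuread-sso.com. It assumes that the Site to Zone Assignment List policy is stored under the ZoneMapKey subkey of the per-user Internet Settings policy key (one value per URL, data 1 = Local intranet) and that the value 2103 under Zones\1 is what the "Allow updates to status bar via script" policy writes (0 = Enable); the function name Test-SeamlessSsoClient is my own.

```powershell
# Added example (not from the article): verify the Step 3 policies and the SSO sign-in
# on a domain-joined client. Assumptions: ZoneMapKey holds the Site to Zone Assignment
# List, and value 2103 under Zones\1 is "Allow updates to status bar via script" (0 = Enable).
function Test-SeamlessSsoClient {
    $base   = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
    $ssoUrl = 'https://autologon.microsoftazuread-sso.com'

    # Policy 1: Site to Zone Assignment List writes one value per URL; data 1 = Local intranet
    $zoneOk  = $false
    $zoneMap = Get-ItemProperty -Path "$base\ZoneMapKey" -ErrorAction SilentlyContinue
    if ($zoneMap) {
        $entry  = $zoneMap.PSObject.Properties[$ssoUrl]
        $zoneOk = ($null -ne $entry) -and ("$($entry.Value)" -eq '1')
    }

    # Policy 2: intranet zone (1), setting 2103, data 0 = Enable
    $statusBarOk = $false
    $zone1 = Get-ItemProperty -Path "$base\Zones\1" -ErrorAction SilentlyContinue
    if ($zone1) {
        $setting     = $zone1.PSObject.Properties['2103']
        $statusBarOk = ($null -ne $setting) -and ("$($setting.Value)" -eq '0')
    }

    # Network: the client must reach the SSO endpoint on 443 for the Kerberos ticket to be used
    $tcpOk = (Test-NetConnection -ComputerName 'autologon.microsoftazuread-sso.com' -Port 443 `
                  -WarningAction SilentlyContinue).TcpTestSucceeded

    # Kerberos: after a successful SSO sign-in, klist lists a service ticket for
    # HTTP/autologon.microsoftazuread-sso.com in the current user's ticket cache
    $klist    = & klist.exe 2>$null
    $ticketOk = [bool]($klist -match 'autologon\.microsoftazuread-sso\.com')

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        DomainJoined       = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain
        ZoneMappingApplied = $zoneOk
        StatusBarPolicyOk  = $statusBarOk
        EndpointReachable  = $tcpOk
        SsoTicketPresent   = $ticketOk
    }
}

# Usage: sign in with a synchronized domain user, open the My Apps URL, then run:
Test-SeamlessSsoClient
```

If ZoneMappingApplied is false, the Site to Zone Assignment List policy has not reached this user (check the GPO link and run gpresult /r); if everything else is true but SsoTicketPresent is false, the browser never attempted Kerberos against the endpoint, which is the browser-compatibility case from Step 4.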
Conclusion
You learned how to configure Azure Active Directory Single Sign-On (SSO). Ensure that the organization meets the prerequisites before you set up Azure AD SSO. Always test the configuration when deployed. From now on, the users automatically sign in and don’t have to fill in their credentials whenever they connect to cloud services from their domain-joined machine.
Hi Ali,
This is a very informative article.
Can the AZUREADSSOACC computer object be moved from the default OU to another? And what would be the right process and requirements before doing so?
Hello, I have an error “Cannot retrieve single sing-on status”.