Single Sign-On with Azure Active Directory

Ganesh Chauhan, Technical Support Specialist, Microsoft Azure.

When users are on company-issued devices connected to your corporate network, Azure Active Directory Seamless Single Sign-On (Azure AD Seamless SSO) signs them in automatically. With the feature enabled, users can sign in to Azure AD without entering their passwords and, typically, without even entering their usernames. The capability gives your users simple access to your cloud-based applications without requiring any additional on-premises components.

Seamless SSO can be combined with either of the cloud sign-in methods, password hash synchronization or pass-through authentication. It is not applicable to Active Directory Federation Services (AD FS).

Comparison of Seamless SSO vs. SSO through primary refresh token

SSO via primary refresh token (PRT) is recommended for Windows 10, Windows Server 2016, and later versions; Seamless SSO is recommended for Windows 7 and Windows 8.1. For Seamless SSO to work, the user’s device must be domain-joined; Windows 10 Azure AD joined devices and hybrid Azure AD joined devices are not supported. On Azure AD registered, Azure AD joined, and hybrid Azure AD joined devices, SSO works through the PRT.

SSO via PRT works once a device has been added to Azure AD, whether as a hybrid Azure AD joined device, an Azure AD joined device, or a personal device registered through Add Work or School Account. See Primary Refresh Token (PRT) with Azure AD for further details on how SSO works on Windows 10 using the PRT.

Benefits

Outstanding user experience

  • Users are signed in to both on-premises and cloud-based applications automatically.
  • Users are not required to repeatedly input their credentials.


Simple to implement and manage

  • There are no additional parts required on-premises for this to function.
  • Works with either cloud authentication method, Password Hash Synchronization or Pass-through Authentication.
  • Can be rolled out to some or all of your users using Group Policy.
  • Azure AD can be used to register non-Windows 10 devices without the need for an AD FS infrastructure. You must be using the workplace-join client version 2.1 or later to access this feature.


Highlight features

  • The sign-in username can be either the on-premises default username (userPrincipalName) or another attribute configured in Azure AD Connect (Alternate ID). Both work because Seamless SSO uses the security identifier claim from the Kerberos ticket to look up the corresponding user object in Azure AD.
  • Seamless SSO is an opportunistic feature. If it fails for any reason, the sign-in process falls back to its standard behavior and the user must enter their password on the sign-in page.
  • Users are signed in automatically, without entering a username or password, when an application (for instance, https://myapps.microsoft.com/xyz.com) includes a domain_hint (OpenID Connect) or whr (SAML) parameter identifying your tenant, or a login_hint parameter identifying the user, in its Azure AD sign-in request.
  • Users also get a silent sign-on experience when an application (such as https://xyz.sharepoint.com) sends its sign-in requests to Azure AD’s tenant-specific endpoints, i.e. https://login.microsoftonline.com/xyz.com/<...> or https://login.microsoftonline.com/<tenant ID>/<...>, rather than to Azure AD’s common endpoint.
  • Sign-out is supported. This lets users choose to sign in with a different Azure AD account instead of being signed in automatically via Seamless SSO.
  • A non-interactive flow is supported for Microsoft 365 Win32 clients (Outlook, Word, Excel, and others) with versions 16.0.8730.xxxx and higher. For OneDrive, you must enable the OneDrive silent config function in order to sign in silently.
  • It is enabled through Azure AD Connect.
  • You can use it without purchasing a paid license of Azure AD because it is a free feature.
  • It is supported by Office clients and web browser-based clients on platforms and browsers that can handle Kerberos authentication.
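The two bullets above on hint parameters and tenant-specific endpoints describe what a sign-in request must look like for the silent experience to be attempted. The following is an added example, not code from the original article or from Microsoft: it classifies an Azure AD authorize request URL against those two conditions and shows how to add a domain_hint to a request that lacks one. The sample URLs are constructed, and the set of non-tenant-specific path segments beyond "common" is an assumption.

```python
"""Classify an Azure AD sign-in request against the Seamless SSO conditions
described on this page: (1) a domain_hint/whr or login_hint parameter is
present, or (2) the request targets a tenant-specific endpoint rather than
the common endpoint. Sample URLs below are constructed for illustration."""
from urllib.parse import urlparse, parse_qs, urlencode, urlunparse

AAD_HOST = "login.microsoftonline.com"
# Path segments that are NOT tenant-specific. "common" is from the page;
# "organizations" and "consumers" are assumed additional multi-tenant paths.
NON_TENANT_PATHS = {"common", "organizations", "consumers"}
# domain_hint (OIDC) and whr (SAML) identify the tenant; login_hint the user.
HINT_PARAMS = ("domain_hint", "whr", "login_hint")


def classify_signin_request(url: str) -> dict:
    """Return which silent-sign-in conditions a sign-in request satisfies."""
    parts = urlparse(url)
    if parts.netloc.lower() != AAD_HOST:
        raise ValueError(f"not an Azure AD sign-in endpoint: {parts.netloc}")
    segments = [s for s in parts.path.split("/") if s]
    tenant = segments[0].lower() if segments else None
    query = parse_qs(parts.query)
    hints = {p: query[p][0] for p in HINT_PARAMS if p in query}
    tenant_specific = tenant is not None and tenant not in NON_TENANT_PATHS
    return {
        "tenant": tenant,
        "tenant_specific": tenant_specific,
        "hints": hints,
        # Either condition on the page is enough for Seamless SSO to attempt
        # a silent sign-in (it still falls back to the password page on failure).
        "silent_sso_possible": tenant_specific or bool(hints),
    }


def with_domain_hint(url: str, domain: str) -> str:
    """Return the same request with a domain_hint for the given tenant added."""
    parts = urlparse(url)
    query = parse_qs(parts.query)
    query["domain_hint"] = [domain]
    return urlunparse(parts._replace(query=urlencode(query, doseq=True)))


# Constructed sample requests: one against the common endpoint, one tenant-specific.
COMMON_URL = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
              "?client_id=00000000-0000-0000-0000-000000000000&response_type=code")
TENANT_URL = ("https://login.microsoftonline.com/xyz.com/oauth2/v2.0/authorize"
              "?client_id=00000000-0000-0000-0000-000000000000&response_type=code")

if __name__ == "__main__":
    for u in (COMMON_URL, TENANT_URL, with_domain_hint(COMMON_URL, "xyz.com")):
        print(classify_signin_request(u))
```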


Professional Labs is the best cloud managed service provider in UAE; for more information, please contact us.