Azure Active Directory (Azure AD) Seamless Single Sign-On (Seamless SSO) automatically signs users in when they use a corporate desktop connected to the corporate network. Seamless SSO gives your users easy access to cloud-based applications without using any additional on-premises components.
To deploy seamless SSO for Azure AD using Azure AD Connect, complete the steps described in the following sections.
Check prerequisites
Make sure the following prerequisites are met:
Set up your Azure AD Connect server: If you use pass-through authentication as your sign-in method, no additional prerequisite check is required. If you use password hash synchronization as your sign-in method and there is a firewall between Azure AD Connect and Azure AD, make sure that:
- You use Azure AD Connect version 1.1.644.0 or later.
- If your firewall or proxy allows it, add the *.msappproxy.net URLs on port 443 to your allow list. If you need a specific URL instead of a wildcard for proxy configuration, you can configure tenantid.registration.msappproxy.net, where tenantid is the GUID of the tenant for which you configure the feature. If URL-based proxy exceptions are not possible in your organization, you can instead allow access to the Azure datacenter IP ranges, which are updated weekly. This prerequisite applies only while you enable the Seamless SSO feature. It is not needed for actual user sign-ins.
Note
- Azure AD Connect versions 1.1.557.0, 1.1.558.0, 1.1.561.0, and 1.1.614.0 have issues related to password hash synchronization. If you don't intend to use password hash synchronization together with pass-through authentication, see the Azure AD Connect release notes to learn more.
- If you have an outgoing HTTP proxy, make sure the URL autologon.microsoftazuread-sso.com is on your allow list. Specify this URL explicitly, because wildcards may not be accepted.
Use a supported Azure AD Connect topology: Make sure you are using one of the supported Azure AD Connect topologies.
Note
Seamless SSO supports multiple on-premises Windows Server Active Directory (Windows Server AD) forests, regardless of whether a Windows Server AD trust exists between them.
Set up domain administrator credentials: You must have domain administrator credentials for each Windows Server AD forest that:
- You synchronize to Azure AD through Azure AD Connect.
- Contains the users for whom you want to enable Seamless SSO.
Enable modern authentication: To use this feature, you must enable modern authentication on your tenant.
Use the latest version of the Microsoft 365 client: To get a silent sign-in experience with Microsoft 365 clients such as Outlook, Word, or Excel, your users must be on version 16.0.8730.xxxx or later.
Enable the feature
Enable Seamless SSO through Azure AD Connect.
Note
If Azure AD Connect doesn't meet your requirements, you can enable Seamless SSO using PowerShell. Use this option if you have more than one domain per Windows Server AD forest and you want to choose the specific domains for which Seamless SSO is enabled.
If you are doing a fresh installation of Azure AD Connect, choose the custom installation path. On the User sign-in page, select the Enable single sign-on option.
Note
The option is available only if the selected sign-in method is Password hash synchronization or Pass-through authentication.
If you have already installed Azure AD Connect, select Change user sign-in under Additional tasks, and then select Next. If you are using Azure AD Connect version 1.1.880.0 or later, the Enable single sign-on option is selected by default. If you are using an earlier version of Azure AD Connect, select the Enable single sign-on option.
Continue through the wizard until you reach the Enable single sign-on page. Provide domain administrator credentials for each Windows Server AD forest that:
- You synchronize to Azure AD through Azure AD Connect.
- Contains the users for whom you want to enable Seamless SSO.
After completing the wizard, Seamless SSO will be enabled on your tenant.
Note
The domain administrator credentials are not stored in Azure AD Connect or in Azure AD. They are used only to enable the feature.
To verify that Seamless SSO is enabled correctly:
- Sign in to the Azure portal with the hybrid administrator account credentials for your tenant.
- In the left menu, select Azure Active Directory.
- Select Azure AD Connect.
- Verify that Seamless single sign-on is set to Enabled.
Important
Seamless SSO creates a computer account named AZUREADSSOACC in each Windows Server AD forest in your on-premises Windows Server AD directory. For security reasons, the AZUREADSSOACC computer account must be strictly protected. Only domain administrator accounts should be allowed to manage the computer account. Make sure that Kerberos delegation is disabled on the computer account and that no other account in Windows Server AD has delegation permissions on the AZUREADSSOACC computer account. Store the computer account in an organizational unit where it cannot be accidentally deleted and only domain administrators have access to it.
Note
If you are using the Pass-the-Hash and Credential Theft Mitigation architecture in your on-premises environment, make the appropriate changes to ensure that the AZUREADSSOACC computer account does not end up in an isolated (quarantine) container.
Roll out the feature
You can gradually roll out Seamless SSO to your users by following the instructions in the next sections. Start by adding the following Azure AD URL to the Intranet zone settings of all or selected users through Group Policy in Windows Server AD:
https://autologon.microsoftazuread-sso.com
You must also enable the Intranet zone policy setting Allow updates to status bar via script through Group Policy.
Note
The instructions below apply only to Internet Explorer, Microsoft Edge, and Google Chrome on Windows (if Google Chrome shares a set of trusted site URLs with Internet Explorer). See the browser considerations section for how to set up Mozilla Firefox and Google Chrome on macOS.
Why do you need to modify users' Intranet zone settings?
By default, the browser automatically calculates the correct zone, Internet or Intranet, for a given URL. For example, http://contoso/ maps to the Intranet zone, whereas http://intranet.contoso.com/ maps to the Internet zone (because the URL contains periods). Browsers do not send Kerberos tickets to cloud endpoints such as the Azure AD URL unless you explicitly add the URL to the browser's Intranet zone.
You can modify users' Intranet zone settings in two ways:
| Option | Admin consideration | User experience |
|---|---|---|
| Group Policy | Admin locks down editing of Intranet zone settings | Users cannot modify their own settings |
| Group Policy Preferences | Admin allows editing of Intranet zone settings | Users can modify their own settings |
Group Policy detailed steps
- Open the Group Policy Management Editor tool.
- Edit the Group Policy that applies to some or all of your users. This example uses Default Domain Policy.
- Go to User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page. Select Site to Zone Assignment List.
- Enable the policy and enter the following values in the dialog:
Value name: the Azure AD URL to which the Kerberos ticket is forwarded.
Value (data): 1, which indicates the Intranet zone.
The result looks like this example:
Value name: https://autologon.microsoftazuread-sso.com
Value (data): 1
Note
If you want to prevent certain users from using Seamless SSO (for example, users who sign in on a shared kiosk), set the preceding value to 4 instead. This adds the Azure AD URL to the Restricted zone, and Seamless SSO always fails for those users.
- Select OK, and then select OK again.
- Go to User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone. Select Allow updates to status bar via script.
- Enable the policy setting, and then select OK.
Group Policy Preferences detailed steps
- Open the Group Policy Management Editor tool.
- Edit the Group Policy that applies to some or all of your users. This example uses Default Domain Policy.
- Go to User Configuration > Preferences > Windows Settings > Registry > New > Registry Item.
- Enter or select the following values as shown, and then select OK.
Key path: Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\microsoftazuread-sso.com\autologon
Value name: https
Value type: REG_DWORD
Value data: 00000001
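As an added example (not part of the original article), the following PowerShell script writes the same ZoneMap registry item for the current user and then reports which zone the Seamless SSO URL is mapped to; the -Restricted switch reproduces the shared-kiosk case (zone 4) from the Group Policy note. The script name, switches and function names are assumptions.

```powershell
# Added example, not from the article: per-user Intranet zone mapping for the
# Seamless SSO URL, equivalent to the Group Policy Preference registry item above.
# Runs in the user's own session (HKCU). -Restricted and -Remove are hypothetical
# switches: -Restricted maps the URL to zone 4 (kiosk users), -Remove undoes it.
param(
    [switch]$Restricted,
    [switch]$Remove
)

# Same key path as the Group Policy Preference item, rooted at HKCU.
$zoneMapKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\microsoftazuread-sso.com\autologon'
$zoneIntranet   = 1   # Local intranet zone: the browser sends the Kerberos ticket
$zoneRestricted = 4   # Restricted sites zone: Seamless SSO always fails for this user

function Set-SeamlessSsoZone {
    param([int]$Zone)
    # -Force creates the per-host key and any missing parent keys.
    $null = New-Item -Path $zoneMapKey -Force
    # Value name is the URL scheme ('https'); value data is the zone number (REG_DWORD).
    New-ItemProperty -Path $zoneMapKey -Name 'https' -Value $Zone -PropertyType DWord -Force | Out-Null
}

function Test-SeamlessSsoZone {
    # Returns the zone mapped for https://autologon.microsoftazuread-sso.com, or $null
    # when no mapping exists (the browser then uses automatic zone detection, which
    # places the URL in the Internet zone because the host name contains periods).
    if (-not (Test-Path $zoneMapKey)) { return $null }
    return (Get-ItemProperty -Path $zoneMapKey -Name 'https' -ErrorAction SilentlyContinue).https
}

if ($Remove) {
    Remove-Item -Path $zoneMapKey -Recurse -ErrorAction SilentlyContinue
} elseif ($Restricted) {
    Set-SeamlessSsoZone -Zone $zoneRestricted
} else {
    Set-SeamlessSsoZone -Zone $zoneIntranet
}

$current = Test-SeamlessSsoZone
if ($null -eq $current) {
    'No zone mapping: the Kerberos ticket will NOT be sent to the Azure AD URL'
} elseif ($current -eq $zoneIntranet) {
    'Intranet zone (1): Seamless SSO can succeed for this user'
} elseif ($current -eq $zoneRestricted) {
    'Restricted zone (4): Seamless SSO is deliberately blocked for this user'
} else {
    "Unexpected zone value $current"
}
```

If the Site to Zone Assignment List policy from the Group Policy steps is also applied, that policy setting takes precedence over this per-user mapping, matching the table above (Group Policy locks the zone settings).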
Browser Considerations
The next sections contain information about Seamless SSO specific to different types of browsers.
Mozilla Firefox (all platforms)
If you are using the Authentication policy settings in your environment, make sure to add the Azure AD URL (https://autologon.microsoftazuread-sso.com) to the SPNEGO section as well. You can also set the PrivateBrowsing option to true to allow Seamless SSO in private browsing mode.
Safari (macOS)
Make sure the computer running macOS is joined to Windows Server AD.
Instructions for joining macOS devices to Windows Server AD are outside the scope of this article.
Chromium-based Microsoft Edge (all platforms)
If you have overridden the AuthNegotiateDelegateAllowlist or AuthServerAllowlist policy settings in your environment, make sure you also add the Azure AD URL (https://autologon.microsoftazuread-sso.com) to these policy settings.
Chromium-based Microsoft Edge (macOS and other non-Windows platforms)
For Chromium-based Microsoft Edge on macOS and other non-Windows platforms, see the Microsoft Edge based Chromium policy list for information on how to add the Azure AD URL used for integrated authentication to the allow list.
Google Chrome (all platforms)
If you have overridden the AuthNegotiateDelegateAllowlist or AuthServerAllowlist policy settings in your environment, make sure you also add the Azure AD URL (https://autologon.microsoftazuread-sso.com) to these policy settings.
macOS
Using third-party Active Directory Group Policy extensions to push the Azure AD URL to Firefox and Google Chrome for macOS users is beyond the scope of this article.
Known browser limitations
Seamless SSO does not work on Internet Explorer if the browser is running in Enhanced Protected Mode. Seamless SSO supports the next Chromium-based version of Microsoft Edge, and it works in both InPrivate and Guest modes by design. Microsoft Edge (legacy) is no longer supported.
You may need to configure AmbientAuthenticationInPrivateModesEnabled for InPrivate or guest users based on the corresponding documentation:
- Microsoft Edge (Chromium)
- Google Chrome
Test Seamless SSO
To test the feature for a specific user, make sure all of the following are true:
- The user signs in on a corporate device.
- The device is joined to your Windows Server AD domain. The device does not need to be Azure AD joined.
- The device connects directly to your domain controller through a corporate wired or wireless network or through a remote access connection such as a VPN connection.
- You have rolled out the feature to this user through Group Policy.
To test the scenario where the user enters only the username, not the password:
- Sign in to https://myapps.microsoft.com. Be sure to clear your browser cache or use a new private browser session in any supported browser.
To test a scenario where the user does not have to enter a username or password, use one of the following steps:
- Sign in to https://myapps.microsoft.com/contoso.onmicrosoft.com. Be sure to clear your browser cache or use a new private browser session in any supported browser. Replace contoso with your tenant name.
- Sign in to https://myapps.microsoft.com/contoso.com in a new private browser session. Replace contoso.com with a verified domain (not a federated domain) on your tenant.
Roll over keys
In Enable the feature, Azure AD Connect creates computer accounts (representing Azure AD) in all Windows Server AD forests where Seamless SSO is enabled. For more information, see Azure Active Directory Seamless Single Sign-On: Technical deep dive.
Important
If the Kerberos decryption key on a computer account is compromised, it can be used to generate Kerberos tickets for any user in its Windows Server AD forest. Malicious actors can then impersonate Azure AD sign-ins for those users. We strongly recommend that you roll over these Kerberos decryption keys regularly, at least every 30 days.
For instructions on how to roll over keys, see Azure Active Directory Seamless Single Sign-On: Frequently asked questions.
Important
You don't need to do this step immediately after enabling the feature. Roll over the Kerberos decryption keys at least every 30 days.
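The following PowerShell script is an added example (not from the article) that audits the AZUREADSSOACC computer account in one forest against the hardening guidance from the Enable the feature section (delegation disabled, only domain administrators with write rights, account kept in a protected OU) and the 30-day key roll-over guidance above. It assumes the RSAT ActiveDirectory module and a Domain Admin session; $AllowedManagers, $MaxKeyAgeDays and the function name are assumptions to adapt to your environment.

```powershell
# Added example, not from the article: audit AZUREADSSOACC against the article's
# hardening and key roll-over guidance. Requires the ActiveDirectory module
# (which also provides the AD: drive used for the ACL check).
param(
    [string]$Domain = $env:USERDNSDOMAIN,
    # Assumption: principals expected to hold write-level rights on the object.
    # SELF is the computer account's own default self-write rights.
    [string[]]$AllowedManagers = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'SYSTEM', 'SELF'),
    [int]$MaxKeyAgeDays = 30   # article: roll the Kerberos decryption key at least every 30 days
)
Import-Module ActiveDirectory

function Get-SeamlessSsoAccountFindings {
    param([string]$Domain, [string[]]$AllowedManagers, [int]$MaxKeyAgeDays)
    $findings = @()
    $acct = Get-ADComputer -Identity 'AZUREADSSOACC' -Server $Domain -Properties `
        TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo', `
        PasswordLastSet, DistinguishedName

    # 1. Kerberos delegation must be disabled in all three forms.
    if ($acct.TrustedForDelegation)       { $findings += 'Unconstrained delegation is enabled' }
    if ($acct.TrustedToAuthForDelegation) { $findings += 'Protocol transition (TrustedToAuthForDelegation) is enabled' }
    if ($acct.'msDS-AllowedToDelegateTo') { $findings += 'Constrained delegation targets are configured' }

    # 2. The account password is the Kerberos decryption key shared with Azure AD;
    #    its age tells you when the key was last rolled over.
    $keyAge = (Get-Date) - $acct.PasswordLastSet
    if ($keyAge.TotalDays -gt $MaxKeyAgeDays) {
        $findings += ('Kerberos decryption key is {0:N0} days old (limit {1})' -f $keyAge.TotalDays, $MaxKeyAgeDays)
    }

    # 3. Only the expected administrative principals may hold write-level rights.
    #    Extended rights (e.g. Reset Password) are not classified here; review them separately.
    $acl = Get-Acl -Path ('AD:\' + $acct.DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = $ace.ActiveDirectoryRights.ToString()
        if ($rights -notmatch 'GenericAll|GenericWrite|WriteProperty|WriteDacl|WriteOwner') { continue }
        $name = $ace.IdentityReference.Value.Split('\')[-1]
        if ($AllowedManagers -notcontains $name) {
            $findings += "Principal '$($ace.IdentityReference)' holds write-level rights: $rights"
        }
    }

    # 4. The account should live in a protected OU, not the default Computers container
    #    (and, per the note, not in a quarantine/isolated container either).
    if ($acct.DistinguishedName -match '^CN=AZUREADSSOACC,CN=Computers,') {
        $findings += 'Account is in the default Computers container, not a protected OU'
    }
    return ,$findings
}

$result = Get-SeamlessSsoAccountFindings -Domain $Domain -AllowedManagers $AllowedManagers -MaxKeyAgeDays $MaxKeyAgeDays
if ($result.Count -eq 0) {
    "AZUREADSSOACC in ${Domain}: no findings"
} else {
    $result | ForEach-Object { "FINDING: $_" }
}
```

Run it once per forest where Seamless SSO is enabled (the -Domain parameter selects the forest's domain controller via -Server); a finding on item 2 means the roll-over procedure from the FAQ linked above is overdue.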
Next steps
- Technical deep dive: Learn how the Seamless Single Sign-On feature works.
- Frequently asked questions: Get answers to frequently asked questions about Seamless Single Sign-On.
- Troubleshoot: Learn how to troubleshoot common issues with the Seamless Single Sign-On feature.
- UserVoice: Submit new feature requests using the Azure Active Directory forum.
FAQs
Does Azure AD provide single sign-on?
Single sign-on with Azure AD
Enabling SSO with Azure Active Directory (Azure AD) means users can sign-in once to access their Microsoft apps and other cloud, SaaS, and on-premises apps with the same credential.
Single sign on (SSO) is an authentication method that lets you use a single username and password to access multiple applications. Seamless SSO occurs when a user is automatically signed into their connected applications when they're on corporate desktops connected to the corporate network.
How do I use Azure Active Directory with AWS SSO?
Within the Azure Active Directory overview menu, choose Enterprise Applications > All applications. Select New application to add an application. In the Add from the gallery section, type AWS Single-Account Access in the search box. Select AWS Single-Account Access from results panel and then add the app.
How do I know if seamless SSO is enabled?
Check status of feature
Ensure that the Seamless SSO feature is still Enabled on your tenant. You can check the status by going to the Azure Active Directory > Azure AD Connect pane in the Azure portal. Click through to see all the AD forests that have been enabled for Seamless SSO.
- Add the application from the Azure Marketplace.
- Select Single sign-on.
- Select Enable single sign-on.
- Populate the mandatory configuration values in the Basic SAML Configuration section.
With federated single sign-on, Azure AD authenticates the user to the application by using their Azure AD account. This method is supported for SAML 2.0, WS-Federation, or OpenID Connect applications. Federated SSO is the richest mode of SSO.
Do you need Azure AD premium for SSO?
Azure AD licensing - SSO for pre-integrated enterprise applications is free. However, the number of objects in your directory and the features you wish to deploy may require more licenses.
How does Azure Active Directory Single Sign-on work?
Azure AD decrypts the Kerberos key, using a key which is shared with Azure AD when Azure AD Seamless SSO is initially configured. If the ticket is valid, Azure AD grants access and returns an authentication token to the browser. The user can now log into the business application without re-entering a password.
What are 3 benefits of SSO?
Some of the key benefits of SSO authentication for IT administrators and other IT team members include user adherence to password rules, user password reset call reduction, and administrative ability to track and control application access.
Does Azure AD SSO use SAML?
Azure AD: Enterprise cloud IdP that provides SSO and Multi-factor authentication for SAML apps. It synchronizes, maintains, and manages identity information for users while providing authentication services to relying applications.
What is the difference between Active Directory and Azure AD?
Azure AD provides managed identities to run other workloads in the cloud. The lifecycle of these identities is managed by Azure AD and is tied to the resource provider and it can't be used for other purposes to gain backdoor access. Active Directory doesn't natively support mobile devices without third-party solutions.
Do you need Active Directory for SSO?
So, the short answer to the question of whether you need both AD and SSO is no — you don't specifically need both AD and an SSO solution.
What is a seamless SSO?
Seamless Single Sign-on (SSSO) is a feature of Azure AD Connect which can be used in conjunction with password hash synchronization (PHS) or pass-through authentication (PTA). Each of these alone provides “same sign-on”, but with SSO in use as well, users will often experience true single sign on.
How do I disable SSO in Azure AD?
Disabling your configuration
If you disable your SSO configuration, users can access your organization without SSO authentication. Select the ellipsis (… ) next to your active configuration. Select Disable.
- Sign in to your Google Admin console. ...
- In the Admin console, go to Menu Security. ...
- In Third-party SSO profile for your organization, click Add SSO profile.
- Check the Set up SSO with third-party identity provider box.
- Log in to Azure AD as a Global Admin in the Microsoft Azure portal.
- Go to the Azure Active Directory tab > Enterprise application.
- Click New application.
- Click Create your own application.
- Enter a name and then click Integrate any other application you don't find in the gallery (Non-gallery).
What is Microsoft Entra? Microsoft Entra a family of products that encompasses all identity and access capabilities. Within the Entra family are products such as Microsoft Azure Active Directory (Azure AD), Microsoft Entra Verified ID, and Microsoft Entra Permissions Management.
How to implement SSO in application?
SSO implementation revolves around a central server. All applications trust this main server and use it to access your login credentials. When you first log in, the server creates a cookie with your details. When you access a new application, you get redirected to this central server.
Which three authentication methods can Azure AD users use?
- Microsoft Authenticator.
- Authenticator Lite (in Outlook)
- Windows Hello for Business.
- FIDO2 security key.
- OATH hardware token (preview)
- OATH software token.
- SMS.
- Voice call.
Azure AD Free offers basic SSO functionality that's essential for organizations using AD to access Microsoft's portfolio of cloud services.
Does Azure SSO use LDAP?
To communicate with your Azure Active Directory Domain Services (Azure AD DS) managed domain, the Lightweight Directory Access Protocol (LDAP) is used. By default, the LDAP traffic isn't encrypted, which is a security concern for many environments.
Does Azure SSO require MFA?
Yes. Azure AD Multi-Factor Authentication is required at sign-in.
What licensing is required for Azure AD join?
It's important to note that if you want to use the device management features to join your computers to Azure AD, you'll need to have a Windows 10 Pro, Enterprise or Education edition device, and you need to run the Azure AD Join process on each device.
What are the licensing requirements for Azure Active Directory?
Licensing requirements
Paid or trial subscription for Azure AD Premium P1 and above. Paid or trial edition of Microsoft 365 Business Premium or Office 365 Enterprise E3 or Office 365 A3 or Office 365 GCC G3 or Office 365 E3 for GCCH or Office 365 E3 for DOD and above.
With SSO, a user logs in once, and gains access to all systems without being prompted to log in again at each of them. Active Directory (AD) is a directory service that provides a central location for network administration and security.
What is the benefit of single sign-on Azure AD?
Azure AD's SSO feature enables users to login to multiple applications via a single pane, which includes both SaaS and on-premises applications. The SSO feature makes it easier for administrators to add new users and services without needing to set up credentials or security groups for each application or service.
Is SSO authentication or authorization?
Single sign-on (SSO) is an authentication method that enables users to securely authenticate with multiple applications and websites by using just one set of credentials.
Is SSO more secure than MFA?
The user experience of single sign-on (SSO), two-factor authentication (2FA) and multi-factor authentication (MFA) is a much smoother and more secure experience for users. SSO allows users to log in to multiple sites and applications with just one set of credentials.
What is the difference between federated SSO and enterprise SSO?
The key difference between SSO and FIM is while SSO is designed to authenticate a single credential across various systems within one organization, federated identity management systems offer single access to a number of applications across various enterprises.
What is the risk in SSO?
If a user successfully logs in via SSO and falls prey to a phishing attack, there is not always a simple solution. The attacker gets access to all the endpoints of the external applications within the cloud that the user is provisioned for. If the attack is detected, the user account can be disabled.
Is SSO better for security?
With SSO, passwords are never reused between accounts, and token-based authentication ensures that the secure tokens are only valid for each individual session, making it impossible for hackers to leverage previously compromised credentials to attack other areas of the network in future.
What is the difference between seamless SSO and hybrid join?
Unlike Hybrid Join, Azure AD Seamless SSO flips things around, and essentially provides the ability for Azure AD to participate in Active Directory, not from an authentication provider perspective, but as a member computer object.
How does Enterprise SSO work?
Enterprise Single Sign-On (SSO) provides services to enable single sign-on for end users in enterprise application integration (EAI) solutions. The SSO system maps Microsoft Windows accounts to back-end credentials. SSO simplifies the management of user IDs and passwords, both for users and administrators.
Does SSO increase security?
Security and compliance benefits of SSO
SSO reduces the number of attack surfaces because users only log in once each day and only use one set of credentials.
Single sign-on (SSO) is an identification method that enables users to log in to multiple applications and websites with one set of credentials. SSO streamlines the authentication process for users.
What is the difference between Azure SSO and LDAP?
What is the difference between SSO and LDAP? SSO is a convenient authentication method that allows users to access multiple applications and systems using just one login. LDAP is the protocol or communication process that will enable users to access a network resource through a directory service.
What is the difference between SSO and SAML?
SAML is the standard through which SPs and IdPs communicate with each other to verify credentials. SSO is an authentication process intended to simplify access to multiple applications with a single set of credentials. SAML improves security by unburdening SPs from having to store login credentials.
What is the difference between SAML and OAuth in Azure Active Directory?
SAML supports Single Sign-On while also supporting authorization by the Attribute Query route. OAuth is focused on authorization, even if it is frequently coerced into an authentication role, for example when using social login such as “sign in with a Facebook account”. Regardless, OAuth2 does not support SSO.
What are the 4 types of Microsoft Active Directory?
- Active Directory (AD) Microsoft Active Directory (most often referred to as a domain controller) is the de facto directory system used today in most organizations. ...
- Azure Active Directory (AAD) ...
- Hybrid Azure AD (Hybrid AAD) ...
- Azure Active Directory Domain Services (AAD DS)
Simply, no. Azure AD cannot fully replace Active Directory. The cloud-specific Azure AD can work for organizations with zero on-premises infrastructure, but not without losing security.
What are the different types of Azure Active Directory?
Azure Active Directory comes in four editions—Free, Office 365 apps, Premium P1, and Premium P2. The Free edition is included with a subscription of a commercial online service, e.g. Azure, Dynamics 365, Intune and Power Platform.
Which is better LDAP or SSO?
Integration: LDAP will usually be more recognizable to users across different applications. For example, using an SSO system will allow a user to access multiple platforms with web portals. LDAP, however, might be a key technology that syncs email contacts in an email client.
What is the difference between ADFS and Azure AD SSO?
Both Microsoft tools share SSO-like properties, and they each need to work in tandem with on-prem Active Directory (although Azure AD could possibly be used without). The key difference is that AAD is an identity and access management (IAM) solution while AD FS is a security token service (STS).
Can I bypass SSO?
Create a dedicated access rule for the user/IP so that SSO authentication cannot be triggered. 2. Add SSO Service/Address bypass object under Users | Settings | Configure SSO | Enforcement tab.
What is seamless single sign-on Azure?
Azure Active Directory Seamless single sign-on (Azure AD Seamless SSO) automatically signs users in when they are on their corporate devices connected to your corporate network. When enabled, users don't need to type in their passwords to sign in to Azure AD, and usually, even type in their usernames.
What sign-in methods does Azure AD Connect Seamless SSO work with?
Seamless SSO can be combined with either the Password Hash Synchronization or Pass-through Authentication sign-in methods.
How to implement single sign-on with Windows Azure Active Directory in ASP.NET?
Create an ASP.NET app that uses Azure AD for single sign-on
To change that to Azure AD, you click a Change Authentication button. Select Organizational Accounts, enter your domain name, and then select Single Sign On. You can also give the app read or read/write permission for directory data.
Azure Active Directory supports two modes for single sign-on, which are federation-based and password-based.
What is the difference between Azure SSO and AD?
With password-based SSO, users sign in to the application with a username and password the first time they access it. After the first sign-on, Azure AD provides the username and password to the application.
What is the difference between Azure AD and Azure SSO?
Azure AD is designed to manage access to cloud-based applications and servers using modern authentication protocols such as SAML 2.0, OpenID Connect, OAuth 2.0, and WS-Federation. Azure AD Single Sign-On (SSO) is an Azure AD feature that allows users to conveniently log into SaaS applications.
How does Active Directory work with SSO?
In AD Mode, to get the user credentials, the SSO Agent makes a NetWkstaUserEnum call to the client computer over TCP port 445. The SSO Agent then uses the information it gets to authenticate the user for SSO. The SSO Agent uses only the first answer it gets from the computer.
How do I integrate SSO login?
- One endpoint initiates a build up authentication request and redirects the user to the login form, while it sends base64 encoded login request data.
- Another endpoint accepts and receives a SAML response after a successful login process.
For example, if the email address retrieved during the SSO process is abc@somesite.com, the same should be in the service application. The most straightforward way to test this is to use a set of valid and invalid account information and use SSO to sign in.
How do I use Azure Active Directory credentials to sign into my computer?
Open Settings, and then select Accounts. Select Access work or school, and then select Connect. On the Set up a work or school account screen, select Join this device to Azure Active Directory. On the Let's get you signed in screen, type your email address (for example, alain@contoso.com), and then select Next.
Can Microsoft Azure Active Directory be integrated with on-premises Active Directory to allow single sign-on?
You only need to set up single sign-on (SSO) between your on-premises directory and Azure AD. As long as you access your cloud applications through Azure AD, the service automatically drives your users to correctly authenticate with their on-premises credentials.
How to use Windows authentication with Active Directory in ASP.NET?
You need to disable the "Anonymous Authentication" and Enable the "Windows Authentication". and right click your application -> Manage Application -> Browse. Here you need to give your windows user name and password. (the credentials you're given when you log in to your machine).
What is the difference between AD FS and SSO?
AD FS and SSO, however, are very similar. Both solutions federate on-prem identities to cloud applications, filling a great need in modern identity management. Their core differences lie in the fact that AD FS exists on-prem while most modern SSO tools now live almost exclusively on the web.