Azure AD SSO: the Basics and a Quick Start Tutorial
What Is Azure AD SSO?
Azure Active Directory (Azure AD, renamed Microsoft Entra ID in 2023) is Microsoft's cloud identity and access management (IAM) service. One of its sign-in features is Seamless Single Sign-On (Seamless SSO), which automatically signs users who are on domain-joined corporate devices, connected to the corporate network, into Azure AD-integrated applications.
When Seamless SSO is enabled, users don't have to enter their password every time they open a cloud-based application, and in some cases they don't have to enter a username either. The feature needs no on-premises components beyond Azure AD Connect itself, it is convenient for users, and it removes repeated password prompts, which means fewer opportunities for a password to be phished or captured.
How Does Azure AD SSO Work?
When you enable Seamless SSO through Azure AD Connect, the following happens:
- Azure AD Connect creates a computer account named AZUREADSSOACC in your on-premises AD, in every forest that it synchronizes to Azure AD.
- Azure AD Connect registers Kerberos service principal names (SPNs) on that account for the Azure AD sign-in URLs; these SPNs are what a user's browser requests a Kerberos ticket for during sign-in.
- The computer account's Kerberos decryption key is shared securely with Azure AD. If you have multiple Active Directory forests, each forest has its own AZUREADSSOACC account with a unique decryption key.
The AZUREADSSOACC account must be strongly protected: anyone who can read its key or reset its password can forge Kerberos tickets that Azure AD will accept for any synchronized user. Restrict management of the account to domain administrators, and roll over its Kerberos decryption key regularly; Microsoft recommends at least every 30 days, using the AzureADSSO PowerShell module on the Azure AD Connect server. Once setup is complete, Seamless SSO behaves like any other sign-in that uses integrated Windows authentication (IWA): the browser obtains a Kerberos ticket from a domain controller and presents it to Azure AD.
Azure SSO with Password Hash Synchronization
You can combine Seamless SSO with password hash synchronization (PHS), a sign-in method for hybrid identities. Azure AD Connect synchronizes a hash of each user's password hash from on-premises AD to Azure AD: the connector takes the user's NT hash, adds a per-user salt, and runs it through PBKDF2-HMAC-SHA256 for 1,000 iterations before sending it. Neither the cleartext password nor the NT hash itself leaves your network, and the derived value cannot be replayed against on-premises AD in a pass-the-hash attack.
Password hash synchronization extends Azure AD Connect's directory synchronization so that users sign in to Azure AD services such as Microsoft 365 with the same password they use for on-premises AD.
Because each user has one password for both environments, there are fewer passwords to manage; Microsoft cites higher user productivity (less time spent getting into services) and lower help desk costs as the main benefits. Two caveats for practitioners: Azure AD validates the synchronized hash itself, so on-premises restrictions such as logon hours or an account lockout are not enforced for cloud sign-ins (a disabled account does synchronize, and Azure AD applies its own smart lockout); and because the hash lives in the cloud, PHS keeps working when on-premises AD is unreachable, which is why Microsoft recommends enabling it even when pass-through authentication is the primary method.
Azure SSO with Pass-Through Authentication
Azure Active Directory also offers pass-through authentication (PTA), which lets users sign in to on-premises and cloud-based applications and services with the same password. With one password to remember, users forget it less often and run into fewer sign-in problems, which lowers IT help desk costs.
With PTA, when a user signs in to Azure AD, the password is validated directly against your on-premises AD by a lightweight authentication agent that you install on-premises; the password is never stored in the cloud. It is the alternative to password hash synchronization as the cloud-authentication method, and a better fit if you want your on-premises AD password and account policies (for example, logon hours or an immediate lockout) to apply to cloud sign-ins as well. The trade-off is availability: if no authentication agent can reach AD, cloud sign-ins fail, so Microsoft recommends running at least three agents and enabling password hash synchronization alongside PTA so that you can switch to it if the agents are unavailable.
You can combine PTA with Seamless SSO so that users on domain-joined corporate devices inside the corporate network access applications without typing a password at all.
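Because the two methods fail differently (PHS stops silently when the sync cycle is disabled or the connector's password sync setting is off, while PTA stops hard when no agent can reach AD), here is an added example, not code from the original article and not Pathlock or Microsoft code, of the checks to run on the Azure AD Connect server and on each PTA agent host. It assumes the on-premises AD connector is named `contoso.com` and that the ADSync module is present on the Connect server; `AzureADConnectAuthenticationAgent` is the Windows service name of the PTA agent.

```powershell
# Added example, not code from the original article. Run as Administrator on the Azure AD
# Connect server (the ADSync module is installed with it). The connector name is an assumption.
Import-Module ADSync
$onPremConnector = "contoso.com"   # assumption: name of the on-premises AD connector (list them with Get-ADSyncConnector)

# Password hash synchronization is a per-connector setting; confirm it is enabled for the
# connector that holds the users you expect to sign in with their AD password.
Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $onPremConnector

# PHS only flows while the scheduler runs and the server is not in staging mode. If the cycle is
# disabled or suspended, on-premises password changes stop reaching Azure AD and users keep
# authenticating in the cloud with the old hash.
Get-ADSyncScheduler | Select-Object SyncCycleEnabled, SchedulerSuspended, StagingModeEnabled, NextSyncCycleStartTimeInUTC

# Microsoft's built-in diagnostic for PHS: checks connectivity, the feature flag on the tenant,
# and (interactively) whether a given user's hash has synchronized.
Invoke-ADSyncDiagnostics -PasswordSync

# Pass-through authentication depends on the on-premises agents, not on the sync cycle.
# Run this on every agent host; a stopped service on the only agent means every cloud sign-in fails,
# which is why Microsoft recommends at least three agents.
Get-Service -Name AzureADConnectAuthenticationAgent | Select-Object Name, Status, StartType
```

If PTA is your primary method, treat the agent service check as a monitored health signal rather than a one-off: the failure mode is a full authentication outage for cloud applications, not a degraded one.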
Azure AD Single Sign-On Options
Applications can be configured for single sign-on in several ways, depending on the application type and the authentication it supports. Choose the SSO method that matches how the application actually authenticates users.
For a cloud application you can choose OpenID Connect/OAuth, SAML, password-based, or linked SSO, or disable SSO for the application.
For an on-premises application published through Azure AD Application Proxy you can use password-based, header-based, or integrated Windows authentication (IWA) SSO.
You can choose one of the following SSO options:
- Password-based SSO: use this option, also called password vaulting, if your application has an HTML sign-in form and does not support identity federation. Azure AD stores the username and password, and the My Apps browser extension enters them into the application's sign-in page, so you manage access and the password centrally. It suits shared accounts (for example, a corporate social media account) that several users must sign in to, and it supports applications with non-standard or additional sign-in fields; the field labels shown on the My Apps page, where users enter their credentials, are customizable. Keep in mind that the application still receives a reusable password, so this option gives you none of the token lifetime or phishing-resistance controls of federated SSO.
- Header-based SSO: use this option for applications that take the authenticated user's identity from HTTP headers. Application Proxy authenticates the user with Azure AD and injects the headers; the application must accept them only from the proxy, never directly from clients, or anyone who can reach it can impersonate a user by setting the header.
- Linked SSO: use this option for applications that already have SSO configured with another identity provider. Linked SSO lets you set the target location opened when users select the application in the company portal, so you can add links to custom web apps that use federation (for example, Active Directory Federation Services), to web pages you want on the user access panel, or to applications that need no authentication. Note that this option does not itself perform SSO with Azure AD credentials.
- OAuth 2.0: a good option for web applications that support OAuth 2.0 authorization.
- OpenID Connect: works only with applications that implement OpenID Connect against the Microsoft identity platform; see Microsoft's identity platform documentation for details.
- SAML: the best option for applications that support SAML 2.0 but not OAuth or OpenID Connect, which includes many older and third-party SaaS applications. Azure AD acts as the identity provider: you configure the application's Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL), and the application trusts assertions signed with the Azure AD SAML signing certificate, which has an expiry date and must be rotated before it lapses.
- Integrated Windows Authentication (IWA): use this option for claims-aware applications or applications that require IWA.
- Disabled SSO: disable SSO if your application is not yet ready for SSO configuration.
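To turn that list into something you can audit, here is an added example (not from the original article, and not Pathlock or Microsoft code) that inventories a tenant's enterprise applications by their configured SSO mode, lists the password-vaulted ones for review, and flags SAML applications whose active signing certificate expires soon. It assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in account holds Application.Read.All; the 30-day warning window and the "key identifier matches the preferred signing thumbprint" test used to pick the active certificate are this example's own choices.

```powershell
# Added example, not code from the original article. Requires the Microsoft.Graph PowerShell SDK
# (Install-Module Microsoft.Graph) and a signed-in account with Application.Read.All.
Import-Module Microsoft.Graph.Applications
Connect-MgGraph -Scopes "Application.Read.All" -NoWelcome

$warnDays = 30                         # assumption: warn 30 days before the SAML signing cert expires
$now      = (Get-Date).ToUniversalTime()

# preferredSingleSignOnMode is the SSO option chosen for an enterprise application:
# "saml", "oidc", "password" (password vaulting), "notSupported" or empty (none/disabled).
$apps = Get-MgServicePrincipal -All -Property Id, DisplayName, PreferredSingleSignOnMode, KeyCredentials, PreferredTokenSigningKeyThumbprint

"== Applications per SSO mode =="
$apps | Group-Object { if ($_.PreferredSingleSignOnMode) { $_.PreferredSingleSignOnMode } else { "none" } } |
    Sort-Object Count -Descending | Format-Table Name, Count -AutoSize

"== Password-vaulted applications (Azure AD stores and replays a password; review these first) =="
$apps | Where-Object { $_.PreferredSingleSignOnMode -eq "password" } |
    Format-Table DisplayName, Id -AutoSize

"== SAML applications whose active signing certificate expires within $warnDays days =="
foreach ($sp in ($apps | Where-Object { $_.PreferredSingleSignOnMode -eq "saml" })) {
    foreach ($kc in $sp.KeyCredentials) {
        # Only the signing key matters here, and only if we can identify it.
        if ($kc.Usage -ne "Sign" -or -not $kc.CustomKeyIdentifier -or -not $kc.EndDateTime) { continue }
        # The active certificate is the one whose thumbprint Azure AD currently signs with
        # (assumption: CustomKeyIdentifier holds that thumbprint as raw bytes).
        $thumb = [BitConverter]::ToString($kc.CustomKeyIdentifier).Replace("-", "")
        if ($thumb -ne $sp.PreferredTokenSigningKeyThumbprint) { continue }   # -ne is case-insensitive
        $daysLeft = [int](([DateTime]$kc.EndDateTime).ToUniversalTime() - $now).TotalDays
        if ($daysLeft -le $warnDays) {
            [pscustomobject]@{ Application = $sp.DisplayName; Expires = $kc.EndDateTime; DaysLeft = $daysLeft }
        }
    }
}
```

An expired SAML signing certificate is a complete outage for that application, and a vaulted password is a credential an attacker can replay; both are worth a scheduled run of a check like this rather than a manual look in the portal.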
Azure AD SSO Setup
Follow these steps to set up Azure Active Directory Single Sign-On:
Step 1: Prepare the Prerequisites
Check that you have these prerequisites in place:
- You have set up the Azure AD Connect server
- You use a topology supported by Azure AD Connect
- You have domain administrator credentials for every forest you will enable; Azure AD Connect uses them only during setup to create the SSO computer account and does not store them
- You have enabled modern authentication features on the tenant
- You are using the latest Microsoft 365 client versions
Step 2: Enable SSO
Enable Seamless SSO from the Azure AD Connect wizard.
If you are installing Azure AD Connect for the first time, choose the Custom installation path. On the User sign-in page, select Enable single sign-on.
If Azure AD Connect is already installed, run it, choose Change user sign-in, and select Next. In Azure AD Connect 1.1.880.0 or later, Enable single sign-on is selected by default; in older versions you have to select it yourself.
Continue through the wizard until it reaches the Enable single sign-on page, then enter domain administrator credentials for every Active Directory forest that Azure AD Connect synchronizes to Azure AD, or that contains users you want to grant SSO access to.
When the wizard completes, Seamless SSO is enabled on your tenant.
Verify that Seamless SSO is enabled:
- Sign in to the Azure AD admin center with a Global Administrator (or Hybrid Identity Administrator) account.
- Select Azure Active Directory in the left pane.
- Select Azure AD Connect.
- Check that Seamless single sign-on shows Enabled.
Enabling the feature on the tenant does not yet sign anyone in: browsers only attempt Kerberos authentication to sites in the Intranet zone, so you also need to add https://autologon.microsoftazuread-sso.com to the Intranet zone on the domain-joined devices (typically through Group Policy), following Microsoft's browser-specific rollout guidance for non-Microsoft browsers.
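The portal check above confirms the tenant-side flag only. Here is an added example, not code from the original article and not Pathlock or Microsoft code, that covers both the verification steps and the protection of the AZUREADSSOACC account described earlier: it reads the tenant status with the AzureADSSO module, inspects the computer account in each forest (enabled state, expected SPNs, key age, and which principals hold write rights to it), and rolls over the Kerberos decryption key when it is older than Microsoft's recommended 30 days. The forest names are assumptions; the two SPNs are the ones Azure AD Connect registers for Seamless SSO.

```powershell
# Added example, not code from the original article. Run in an elevated PowerShell on the
# Azure AD Connect server, where the AzureADSSO module ships. Forest names are assumptions.
$forests       = @("contoso.com", "fabrikam.com")   # assumption: the forests Azure AD Connect synchronizes
$maxKeyAgeDays = 30                                 # Microsoft's recommended rollover interval
$expectedSpns  = @("HTTP/autologon.microsoftazuread-sso.com", "HTTP/aadg.windows.net.nsatc.net")

# 1. Tenant-side status. New-AzureADSSOAuthenticationContext prompts for a tenant administrator;
#    Get-AzureADSSOStatus returns JSON.
Import-Module "$env:ProgramFiles\Microsoft Azure Active Directory Connect\AzureADSSO.psd1"
New-AzureADSSOAuthenticationContext
Get-AzureADSSOStatus | ConvertFrom-Json

# 2. Per-forest checks on the computer account that holds the decryption key.
Import-Module ActiveDirectory
foreach ($forest in $forests) {
    $acc = Get-ADComputer -Identity "AZUREADSSOACC" -Server $forest -Properties ServicePrincipalNames, PasswordLastSet
    $keyAgeDays  = [int]((Get-Date) - $acc.PasswordLastSet).TotalDays
    $missingSpns = $expectedSpns | Where-Object { $acc.ServicePrincipalNames -notcontains $_ }

    [pscustomobject]@{
        Forest      = $forest
        Enabled     = $acc.Enabled
        KeyAgeDays  = $keyAgeDays
        MissingSpns = ($missingSpns -join ", ")
    }

    # Who can write to this account? Any such principal can obtain the key and mint Kerberos
    # tickets Azure AD will trust, so the list should contain only the expected admin groups.
    # A separate AD: drive is needed because the default one points at the local forest only.
    New-PSDrive -Name "SsoAd" -PSProvider ActiveDirectory -Server $forest -Root "//RootDSE/" | Out-Null
    (Get-Acl -Path ("SsoAd:\" + $acc.DistinguishedName)).Access |
        Where-Object { $_.AccessControlType -eq "Allow" -and
                       $_.ActiveDirectoryRights -match "GenericAll|GenericWrite|WriteDacl|WriteOwner|ExtendedRight" } |
        Select-Object IdentityReference, ActiveDirectoryRights | Sort-Object IdentityReference -Unique
    Remove-PSDrive -Name "SsoAd"

    # 3. Roll the Kerberos decryption key when it is older than the recommended interval.
    #    Update-AzureADSSOForest resets the account password in this forest and shares the
    #    new key with Azure AD; the domain admin credential is used once and not stored.
    if ($keyAgeDays -gt $maxKeyAgeDays) {
        $creds = Get-Credential -Message "Domain Administrator for $forest (domain\username)"
        Update-AzureADSSOForest -OnPremCredentials $creds
    }
}
```

Run the rollover per forest from the Connect server, prompt for the domain administrator credential rather than storing it in the script, and treat an unexpected principal in the ACL output as an incident to investigate, not a cleanup item.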
Extend Azure SSO to Business Critical Applications with Pathlock
Pathlock is the leader in Access Governance for business-critical applications. Staying compliant with Sarbanes-Oxley is a critical business requirement, and Pathlock Control helps automate the compliance process. As a MISA member, Pathlock brings these capabilities to users of Azure Active Directory through tight integration between the solutions.
Customers rely on Pathlock to streamline critical processes such as fine-grained provisioning, separation of duties, and detailed user access reviews. With Pathlock's out-of-the-box integration with Azure Active Directory, customers get the best of both worlds, including:
- Coverage for the leading business applications, including SAP, Oracle, Workday, Dynamics 365, Salesforce, and more
- Compliant provisioning at the transaction-code or function level into both cloud and on-premises applications
- Separation of Duties (SoD) rules, defined within an application and across applications, and enforced to prevent access risks and stay compliant
- User Access Reviews (UARs) enriched with fine-grained entitlement details and usage data about transactions performed with specific access combinations
Interested in learning more about the combination of Pathlock and Azure Active Directory? Request a demo today to see the solution in action!