45. How to configure Azure Active Directory Seamless Single Sign On

Captions
Hello everyone, welcome to MSFT WebCast. In this video we are going to see the steps on how to configure Azure Active Directory Seamless Single Sign-On. Azure Active Directory Seamless Single Sign-On automatically signs in users when they are on their corporate desktops that are connected to the corporate network. When it is enabled, users don't need to type in their passwords to sign in to Azure Active Directory, and usually don't even need to type in their usernames. This feature provides your users easy access to your cloud-based applications without needing any additional on-premises components.

Before watching this video, check out the video on how to install and configure the Azure AD Connect tool on Windows Server 2020. If you haven't seen that video, go back and check out that video first. The link is given in the description area.

This is our domain controller named 22-DC01 for the msfsurat.local domain. On this domain controller we have installed and configured the Azure AD Connect tool. To perform the steps you must have access to both an on-premises administrator and an Azure AD global administrator.

First, let's check the Seamless Single Sign-On option status in Azure Active Directory. Sign in to the Azure portal using an account with global administrator permissions. You can access the Azure AD portal using the URL https://aad.portal.azure.com. Under Manage, click on Azure AD Connect. Under User sign-in, check the status of Seamless single sign-on. We can confirm it is currently disabled in our Azure Active Directory tenant, so let's see how we can enable it.

Let's go to our domain controller VM. In the first step we will enable single sign-on in the Azure Active Directory Connect tool. Click on the Start button, click on Azure AD Connect, and again click on Azure AD Connect to open the tool. Click on Configure. Click on Change user sign-in options. After selecting Change user sign-in, click on Next. Fill in your Azure AD global administrator or hybrid identity administrator's credentials. In my case the global administrator's username is already there; I just need to type his password. Okay, click Next. It is connecting to Microsoft Online to verify the user credentials and permissions.

On User sign-in, as you can see, we are using the Password Hash Synchronization option. Now we want to enable single sign-on, so let's select the checkbox in front of Enable single sign-on. If you want to know more about single sign-on, then you just need to take your pointer over the symbol: this option enables users on the corporate network to get a single sign-on experience when accessing cloud services from their domain-joined desktop machines. Let me select the checkbox and hit Next.

Okay, to enable single sign-on we need to enter a domain administrator account's credentials. To enter them, let's click on Enter credentials. Enter your domain administrator account credentials. In my case it is msfsurat\administrator, and let's type his password. Click OK. There should be a green box indicating your username and password are correct. Now let's click Next. Okay, it is checking for installed components. Everything is good to go. Make sure the checkbox is selected in front of "Start the synchronization process when configuration completes". Click on Configure. We need to wait for a few seconds to complete the configuration process. Okay, as you can see, it is currently enabling single sign-on. Configuration completes; let's click on Exit. Now, at this moment, the Seamless Single Sign-On user sign-in option is successfully enabled in our Azure Active Directory tenant.

In the second step we want to verify it. For that, go back to the Azure Active Directory admin center web interface. Select Azure Active Directory in the left pane. Under Manage, click on Azure AD Connect, and here we can see Seamless single sign-on. It is disabled, so let me click on Refresh. It is still disabled, so I'm going to refresh the entire web page and let's see what happens. And now we can see it is enabled, so we can confirm that Seamless Single Sign-On is enabled in our Azure Active Directory for one domain. Let's click on Seamless single sign-on. We can confirm that it is enabled for our on-premises domain name msfsurat.local. We can see the key creation date and status information here.

Seamless Single Sign-On creates a computer account named AZUREADSSOACC in our on-premises Active Directory in each Active Directory forest. The AZUREADSSOACC computer account needs to be strongly protected for security reasons. Only domain admins should be able to manage that computer account. To see that, let's jump back to our domain controller virtual machine. Open the Active Directory Users and Computers snap-in. Go to the default Computers container. Verify that the computer account AZUREADSSOACC appears in our local Active Directory.

Now we have successfully enabled Seamless Single Sign-On in our Azure Active Directory, but to apply single sign-on to groups of users or computers, some Group Policy work is required. Create a new Group Policy Object that is targeted against either computers or users, based on your preferences. So in the third step we will create and configure Group Policy settings.

Let's open the Group Policy Management console by clicking on Tools and then clicking on Group Policy Management. Let me expand Group Policy Objects. Let's right-click on Group Policy Objects and select New. Type a meaningful name for the GPO; I'm giving the name "Seamless Single Sign On GPO". Click OK. Let's right-click on the Seamless Single Sign On GPO, which we have created right now, and select Edit. Let me maximize it.

First we are going to modify the user's intranet zone settings. By default the browser automatically calculates the correct zone, either internet or intranet, from a specific URL. Browsers will not send Kerberos tickets to a cloud endpoint like the Azure AD URL unless you explicitly add the URL to the browser's intranet zone, so we are going to define that policy. Under User Configuration, expand Policies, expand Administrative Templates, expand Windows Components, and then you need to click on Internet Explorer. Okay, here under Internet Explorer click on Internet Control Panel and expand it, and then click on Security Page. Now you need to double-click on the policy setting named Site to Zone Assignment List. Let's double-click on it. Click on Enabled to enable this policy setting, then we need to click on Show, and here under Value name enter the Azure AD URL https://autologon.microsoftazuread-sso.com. Make sure you have entered the correct URL: https://autologon.microsoftazuread-sso.com. Then the value will be 1, to specify this is the intranet zone, so let's type 1 and click on OK. Perfect. Now I'm going to click on Apply and OK. So we have successfully configured one policy setting named Site to Zone Assignment List.

Now click on Intranet Zone. You need to click on Intranet Zone under Security Page. Then we need to double-click on the policy setting named "Allow updates to status bar via script". Let me click on Setting here to arrange the policy settings in alphabetical order, then let's find the policy setting which we are looking for. This is the one: Allow updates to status bar via script. Let's double-click on it. Select the radio button Enabled to enable this policy. Make sure under "Status bar updates via script" it is Enabled. Fine. Click on Apply, click OK. So we have successfully configured the required Group Policy settings. Now I'm going to close the Group Policy Management Editor window.

Let's link the GPO to our OU named Cloud Objects. Let's right-click on the Cloud Objects OU and select Link an Existing GPO. Select the GPO "Seamless Single Sign On GPO" and click OK to assign that GPO to the OU Cloud Objects. So the GPO has been successfully linked with our OU Cloud Objects.

In the last step we'll be testing the Seamless Single Sign-On feature on our Windows 10 client computer. We will use the user account of our user Test User 1, which is stored under the OU Cloud Objects. Sign in to a Windows 10 client computer. We have already signed in to this computer using Test User 1's credentials. This Windows 10 computer is part of our Active Directory domain msfsurat.local. Let's manually update the Group Policy by running the command gpupdate /force. Let's see. I think some policy issues are there with the MDM, which we configured in the last video. Let me exit from this and let's restart this Windows 10 computer once. Okay, after the restart, let's again sign in to this Windows 10 computer using the credentials of our user Test User 1. Okay, we have successfully signed in to this Windows 10 computer.

Now let's start the Microsoft Edge web browser. We are going to test the Seamless Single Sign-On feature on this Windows 10 computer, which we have accessed using the credentials of our Test User 1. So let's enter the URL https://myapps.microsoft.com and press the Enter key. You can see you should not be required to enter a username or password; it will automatically sign you in to this My Apps website. Now let me click here on TU, and you can see we are using the user account of Test User 1, and this is the user's UPN, user1@msfsurat.onmicrosoft.com. So we can confirm that Test User 1 has been successfully logged in to the My Apps page without entering the username and password. That means the Azure Active Directory Seamless Single Sign-On feature is working perfectly fine for us in our test environment.

So that concludes the video on how to enable and configure Azure Active Directory Seamless Single Sign-On with the Azure Active Directory Connect tool. Thank you all for watching this video. Have a nice day.
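
An added check that is not part of the video: a PowerShell sketch for verifying the two things the walkthrough configures, the AZUREADSSOACC computer account (and who holds write-level rights on it) and the intranet zone mapping for the Azure AD URL on the client. The function names are hypothetical, the ActiveDirectory RSAT module is assumed to be installed, and the registry path is an assumption about where the user-scoped Site to Zone Assignment List policy is written.

```powershell
# Added example, not from the video. URL and account name come from the walkthrough.
$SsoUrl     = 'https://autologon.microsoftazuread-sso.com'
$SsoAccount = 'AZUREADSSOACC'

function Test-SsoComputerAccount {
    # Run on a domain controller or a host with the RSAT ActiveDirectory module.
    Import-Module ActiveDirectory -ErrorAction Stop
    $acct = Get-ADComputer -Filter "Name -eq '$SsoAccount'" -Properties PasswordLastSet, whenCreated
    if (-not $acct) {
        Write-Warning "$SsoAccount not found; Seamless SSO is not enabled for this forest."
        return
    }
    $acct | Select-Object Name, DistinguishedName, whenCreated, PasswordLastSet

    # List principals with write-level rights on the account, to compare against
    # the "only domain admins should manage it" guidance in the video.
    $risky = 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty'
    (Get-Acl -Path "AD:\$($acct.DistinguishedName)").Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       "$($_.ActiveDirectoryRights)" -match $risky } |
        Select-Object IdentityReference, ActiveDirectoryRights, IsInherited |
        Sort-Object IdentityReference
}

function Test-SsoClientZone {
    # Run as the signed-in user on the Windows 10 client after gpupdate /force.
    # Assumed location of the user-scoped Site to Zone Assignment List policy.
    $key   = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $zone  = if ($props) { $props.$SsoUrl } else { $null }

    # A cached ticket only exists after the browser has signed in at least once.
    $ticket = klist | Select-String -SimpleMatch 'autologon.microsoftazuread-sso.com'

    [pscustomobject]@{
        Url                  = $SsoUrl
        PolicyZone           = $zone
        InIntranetZone       = ($zone -eq '1')   # 1 = intranet zone, as set in the GPO
        KerberosTicketCached = [bool]$ticket
    }
}
```

Run `Test-SsoComputerAccount` on the domain side and `Test-SsoClientZone` in the test user's session; any non-admin principal in the first output, or `InIntranetZone = False` in the second, is worth investigating before relying on the feature.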
Info
Channel: MSFT WebCast
Views: 18,941
Keywords: Azure Active directory tutorial for beginners, Azure Active Directory, Azure Ad, azure active directory tutorial, configure seamless sso, setup seamless sso, Azure AD Seamless Single Sign-On, How to Set Up Seamless Single Sign On in Azure, Enable Seamless Single Sign-on, Configure Azure AD Seamless SSO, Azure AD sso, microsoft 365 SSO, Azure single sign on setup, Azure AD Conenct SSO, Azure AD Connect single sign on, Setting up Single Sign On with Azure AD Connect
Id: 0WfccKib-Tc
Length: 13min 56sec (836 seconds)
Published: Tue Aug 02 2022