What is Azure Active Directory Seamless SSO | A step by step demo to configure Azure AD Seamless SSO

Video Statistics and Information

Captions
Hi guys, I hope you all are doing well, and welcome to the next video of this series on Azure Active Directory. In the last video we talked about hybrid Azure AD joined devices. In this particular video we are going to talk about Azure AD Seamless Single Sign-On, or Azure AD SSO. We will discuss what Azure AD SSO is, how it works, what the prerequisites for using this feature are, and I will demonstrate to you how to configure the Azure AD Seamless Single Sign-On feature in Azure Active Directory.

If you go by the definition, Azure AD Seamless SSO is a feature of Azure Active Directory that allows users to log into applications without their usernames and passwords. When this feature is enabled and users are using domain-joined machines, users are automatically logged into on-premises applications as well as cloud applications. Azure AD Seamless SSO is enabled using Azure AD Connect.

If we talk about the benefits of Azure AD SSO: this feature is very easy to deploy. If you want to enable Azure AD SSO, you do not need any additional components on-premises. You can configure Azure AD SSO if you are using password hash synchronization or pass-through authentication; both cloud authentication methods are supported. And you can roll out this feature to a set of users or to all users using Group Policy.

So let's understand how Azure AD SSO works. When you enable Seamless SSO using Azure AD Connect, it creates a computer account object in on-premises Active Directory with the name AZUREADSSOACC, which stands for Azure AD SSO account. This account represents Azure Active Directory. In addition to this, a Kerberos service principal name is also created, and this SPN is used during the Azure AD sign-in process.

So let's understand the process of how a user is authenticated using Azure AD Seamless SSO. Let's assume a user is trying to access portal.office.com from a domain-joined machine. Then Azure Active Directory will send a challenge to the browser using JavaScript that runs in the background. This challenge is sent over a 401 Unauthorized response, and Azure AD will ask for a Kerberos ticket. In the next step, the browser will request a ticket from Active Directory for the Azure AD SSO account. Then Active Directory will locate the computer account object, it will create a Kerberos ticket, it will encrypt this ticket using the secret key of the Azure AD SSO account, and it will send the Kerberos ticket to the browser. Then the browser will forward this Kerberos ticket to Azure Active Directory. Azure Active Directory will decrypt the Kerberos ticket, it will evaluate the identity that is included within the Kerberos ticket, and after the evaluation process Azure AD will send a token to the application and the user will get access to the application. So in this entire process the end user didn't enter his username or password; he simply typed portal.office.com in the browser on a domain-joined machine and he was logged in. So this is how Azure AD Seamless SSO works.

Now let's talk about the prerequisites for using Azure AD Seamless SSO. You need to set up an Azure AD Connect server using either password hash synchronization or pass-through authentication. You need to make sure that you are using the latest version of Azure AD Connect. You need admin credentials for the Office 365 tenant and on-premises Active Directory. Before you enable Azure AD Seamless SSO, make sure modern authentication is enabled in your tenant. And if you want to use the SSO feature with Microsoft 365 clients like Outlook, Word or Excel, make sure you are using the latest version of these clients.

Now let's move to our lab and configure Azure AD Seamless SSO. This is the domain controller that I will be using in this particular demo. I have installed Azure AD Connect, but Seamless SSO is not enabled yet. And I have this client machine, a Windows 10 machine. This particular machine is domain joined; it is joined to the on-premises Active Directory domain. And I have enabled modern authentication in my tenant. If you want to know how to enable modern authentication, I will share the PowerShell commands in the comments section and you can go through them.

So in order to enable Azure AD Seamless SSO, you will go to the Azure AD Connect wizard. On the welcome page you will click Configure, and then you will select Change user sign-in. Click Next. Here, type the password for the Office 365 Global Administrator. Under the User sign-in page, you can see password hash synchronization is enabled already, and in order to enable Seamless Single Sign-On you will check the Enable single sign-on option and then click Next. On the page where it says Enable single sign-on, you will click Enter credentials, and here you need to type the credentials of the domain administrator of Active Directory. Once the credentials are verified, click Next and then click Configure. So it says configuration complete: "Provide your users a single sign-on experience by configuring Seamless SSO through Group Policy." We will talk about this later. First let's click Exit, and let's go to Azure Active Directory and verify whether Seamless SSO is enabled. In Azure Active Directory you will go to Azure AD Connect, and here we can see Seamless Single Sign-On is enabled.

Now let's go back to Active Directory; let's minimize the browser. Next we need to create a Group Policy in on-premises Active Directory to roll out Seamless SSO to the users. Now, this is my test environment and I have only one client machine, so I can enable this feature without Group Policy: I can simply go to the client machine and add the URL within the Internet Explorer settings. But let's say this is a production environment and we have thousands of machines, or maybe more than that; making all these changes on each machine one by one is not feasible. So that is why we need to create a Group Policy.

So let's go to Group Policy Management. Under here you will expand your forest, click on Domains, expand your domain name, then right-click Default Domain Policy and click Edit. Under User Configuration you will expand Policies, expand Administrative Templates, Windows Components, Internet Explorer, and look for Internet Control Panel, and then click Security Page. On the right side you will look for Site to Zone Assignment List. Double-click on this policy, enable this policy, and here you will click on Show next to "Enter the zone assignments here". Here you need to type a URL, and the URL that you need to type is https://autologon.microsoftazuread-sso.com. This is the URL that you need to add, and the value for this URL will be 1. So it's https://autologon.microsoftazuread-sso.com. Once you are done, click OK. Make sure the policy is enabled, click Apply, click OK. If you want to verify, you can double-click on the policy, make sure the policy is enabled, click on Show, and you can see the URL is added and the value is added as well. So click OK, OK.

Next, expand Security Page and then click Intranet Zone. On the right side you will look for a value that says Allow updates to status bar via script. Double-click on this policy and click Enabled, Apply and OK. So this part is done.

Now let's go back and expand Preferences, Windows Settings, and right-click on Registry, click on New and click Registry Item. Now here you need to update certain values, and you can find those values in an article on enabling Azure AD SSO. Open this article, and these are the values that you need to update. So first copy the path and paste the path here next to Key Path. Default will be https, value type will be REG_DWORD, and you can copy the value from here, paste it here, and click Apply and OK. So this part is done as well.

Now let's go to the command prompt and run gpupdate /force. So the computer policy and user policy are updated successfully. So now Azure AD Seamless SSO is rolled out to the clients.

Now let's go to the client machine and test this feature. On this particular machine I'm logged in with one of the on-premises accounts, and this account is getting synchronized to Azure Active Directory. Before you test Seamless SSO on client machines, make sure that particular machine is joined to your on-premises domain and the machine can contact the domain controller. If you want to check the connectivity between the client machine and the domain controller, you will go to the command prompt, and here you can ping either the hostname of the domain controller or the IP address of the domain controller. In my case the hostname of my domain controller is DC, and I can ping the hostname. If you want to ping the IP address, you can ping this way. In my case I can ping both the hostname and the IP address. So let's minimize the command prompt, go to the browser, and try to access portal.office.com. So this is asking me to type the user principal name, but I should not get a prompt for the password. Hit Enter, and you can see I'm logged in. I entered my user principal name but I didn't enter my password. So this is how Seamless Single Sign-On works.

In the next video we will be talking about Azure AD Connect cloud sync. So if you have learned something new from this particular video, please write in the comments and subscribe to the channel, and please share this channel within your community. Thank you guys, thank you for your time, take care.
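The video configures everything through the wizard and the Group Policy editor and then tests by signing in. The PowerShell script below is an added example (not code from the video or from Microsoft) that checks the same artefacts from the administrator's side: that the AZUREADSSOACC computer account the wizard creates exists and carries its Kerberos SPN, how old that account's key is, and that the two Internet Explorer zone policies actually landed in the user's registry after gpupdate /force. The SPN string, the registry paths under Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings, and the action id 2103 for "Allow updates to status bar via script" are assumptions drawn from the standard IE policy layout, not values stated in the video; the 30-day rollover threshold is Microsoft's published recommendation for this account's Kerberos key.

```powershell
# Added verification script, not part of the video. Assumes the ActiveDirectory
# RSAT module on the host that runs Test-SeamlessSsoAccount, and a domain-joined
# client (user context) for Test-SeamlessSsoZonePolicy.

$ssoUrl = 'https://autologon.microsoftazuread-sso.com'       # URL from the video
$expectedSpn = 'HTTP/autologon.microsoftazuread-sso.com'     # assumed SPN on AZUREADSSOACC
$maxKeyAgeDays = 30                                          # rollover threshold

function Test-SeamlessSsoAccount {
    # Confirms the computer account that represents Azure AD in the on-prem forest.
    Import-Module ActiveDirectory -ErrorAction Stop
    $acct = Get-ADComputer -Filter "Name -eq 'AZUREADSSOACC'" `
        -Properties ServicePrincipalName, PasswordLastSet -ErrorAction SilentlyContinue
    if (-not $acct) {
        Write-Warning 'AZUREADSSOACC not found: Seamless SSO has not been enabled by Azure AD Connect.'
        return $false
    }
    $hasSpn = $acct.ServicePrincipalName -contains $expectedSpn
    Write-Host ("AZUREADSSOACC found; expected SPN present: {0}" -f $hasSpn)

    # Azure AD trusts tickets encrypted with this account's key, so its age is a risk signal.
    $ageDays = (New-TimeSpan -Start $acct.PasswordLastSet -End (Get-Date)).Days
    if ($ageDays -gt $maxKeyAgeDays) {
        Write-Warning ("Kerberos decryption key is {0} days old; roll it over (recommended at least every {1} days)." -f $ageDays, $maxKeyAgeDays)
    }
    return $hasSpn
}

function Test-SeamlessSsoZonePolicy {
    # Verifies the two User Configuration policies from the video reached this user.
    # Assumed registry locations written by the IE administrative templates.
    $zoneMap  = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
    $intranet = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1'
    $ok = $true

    # Site to Zone Assignment List: URL must map to zone 1 (Local intranet).
    $mapped = (Get-ItemProperty -Path $zoneMap -ErrorAction SilentlyContinue).$ssoUrl
    if ($mapped -ne '1') {
        Write-Warning "$ssoUrl is not mapped to the Local intranet zone (expected value 1)."
        $ok = $false
    }

    # Allow updates to status bar via script: action id 2103 (assumed), 0 = Enabled.
    $statusBar = (Get-ItemProperty -Path $intranet -ErrorAction SilentlyContinue).'2103'
    if ($statusBar -ne 0) {
        Write-Warning 'Allow updates to status bar via script is not enabled for the intranet zone.'
        $ok = $false
    }
    if ($ok) { Write-Host 'Seamless SSO zone policies are in place for this user.' }
    return $ok
}

# Usage: Test-SeamlessSsoAccount on the DC or an RSAT host;
#        Test-SeamlessSsoZonePolicy on the client after gpupdate /force.
```

Run the first function where the video's domain controller is, and the second as the test user on the Windows 10 client; a user who still gets a password prompt at portal.office.com will usually fail the zone check (policy not applied yet) rather than the account check.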
Info
Channel: Office365Concepts
Views: 12,261
Keywords: what is sso, what is seamless sso, seamless sso, single sing on, what is single sing on, single sign in, what is single sign in, what is seamless signin, seamless signin, what is azure ad seamless sso, what is azure ad sso, sso, how sso works, adfs sso, how to enable sso, set up sso, what is, how to, tutorials, videos, viral, viral videos, azure ad videos in hindi, azure ad all videos, learn azure ad, azure ad tutorials, what is azure active directory, ad sso, how seamless
Id: B3H8ZQfFse0
Length: 13min 25sec (805 seconds)
Published: Thu Dec 08 2022