Ever since the launch of Office 365, there has been a need to make these services seamlessly accessible. Needless to say, Single Sign On (SSO) has been at the top of the requirement list for many organizations.
I wanted to put together a quick post and run through how easy it is to set up Single Sign On and enhance the user experience.
Azure Active Directory Connect makes Single Sign-On Easy
Azure AD Connect includes a new capability: Single Sign-On. The feature enables organizations to implement SSO with both cloud and on-prem based applications without requiring any additional server configuration.
SSO can be combined with either of the below two Sync options:
• Password Hash Synchronization (Agent Less)
• Pass-through Authentication
Setting up this service is simple and easy, and is done from the AAD Connect tool. Below are the steps that take you through this process:
• Add the below 2 URLs to the Intranet Zone via GPO
https://autologon.microsoftazuread-sso.com
https://aadg.windows.net.nsatc.net
• Launch AAD Connect and click on Change User Sign-in
Enter Global Administrator credentials
On the next screen you will be presented with 3 options, any of which can be used to enable SSO. However, each of these methods has its own advantages:
• Password Synchronization: In this method, password hashes are synced with Azure AD. (Serverless and agentless SSO)
• Pass-Through Authentication: Like the first option, except that the password hashes are not synced with Azure AD. However, this method requires a lightweight agent to be installed on-premises (this service was still in preview when this article was written)
• Federation with AD FS: This method requires a full-fledged deployment of an AD FS farm to enable SSO using the Federation Service
We have selected Password Hash Sync to enable Seamless SSO, as shown below
Click on Next and complete the configuration
Wait for the wizard to complete and show the Configuration Completed message as shown below
Validation:
The below steps can be followed to validate whether the deployment has been successful
• Look for any authentication errors in the Azure AD portal
• Look up the local AD for a computer account named “AZUREADSSOACC”
• Run the below PowerShell command (from the AzureADSSO module shipped with AAD Connect) and confirm the domain has been enabled for SSO
Get-AzureADSSOStatus
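The three validation steps above, scripted as an added example (this is not code from the original post or from Microsoft). It assumes the RSAT ActiveDirectory module is installed, that AAD Connect sits in its default install path, that the JSON returned by Get-AzureADSSOStatus carries Enable and Domains fields, and a 30-day rollover policy for the AZUREADSSOACC Kerberos decryption key.

```powershell
# Added example: validate a Seamless SSO deployment from the AAD Connect server.
# Assumes: RSAT ActiveDirectory module; default AAD Connect install path;
# Get-AzureADSSOStatus JSON with "Enable" and "Domains" fields (assumed names);
# 30-day key rollover policy (assumed, adjust to your own standard).
#Requires -Modules ActiveDirectory

param(
    [string] $AadConnectPath = "C:\Program Files\Microsoft Azure Active Directory Connect",
    [int]    $MaxKeyAgeDays  = 30
)

# 1. The Seamless SSO computer account must exist in the on-prem forest.
$sso = Get-ADComputer -Filter "Name -eq 'AZUREADSSOACC'" -Properties PasswordLastSet, Enabled
if (-not $sso) {
    Write-Warning "AZUREADSSOACC computer account not found; Seamless SSO is not enabled in this forest."
    return
}
Write-Output ("AZUREADSSOACC found, enabled={0}, key last set {1:u}" -f $sso.Enabled, $sso.PasswordLastSet)

# 2. Its Kerberos decryption key is what Azure AD trusts, so check it is rolled over regularly.
$keyAge = (Get-Date) - $sso.PasswordLastSet
if ($keyAge.TotalDays -gt $MaxKeyAgeDays) {
    Write-Warning ("SSO key is {0:N0} days old; roll it over with Update-AzureADSSOForest." -f $keyAge.TotalDays)
}

# 3. Confirm the tenant side reports SSO as enabled, using the module that ships with AAD Connect.
Import-Module (Join-Path $AadConnectPath "AzureADSSO.psd1")
New-AzureADSSOAuthenticationContext          # prompts for Global Administrator credentials
$raw    = Get-AzureADSSOStatus
$status = $raw | ConvertFrom-Json
Write-Output ("Seamless SSO enabled in tenant: {0}" -f $status.Enable)
foreach ($d in $status.Domains) { Write-Output ("  SSO-enabled domain: {0}" -f $d) }
```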
Advantages of AAD connect SSO
• It’s a free service which doesn’t require additional licenses or premium Azure AD subscriptions
• Serverless deployment of the SSO solution
• Works with either Password Sync or Pass-through Authentication
• Unlike AD FS, this solution can be rolled out to users on an as-needed basis
• Ease of administration of both Directory Sync and SSO
In Conclusion
There is a lot of useful documentation available about AAD Connect on the Microsoft website; I highly recommend that you check it out as well:
https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-sso
https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-sso-quick-start