freshidea - Fotolia


Configure Azure Active Directory SSO service and avoid delays

ADFS won't work for single sign-on in Outlook or Skype for Business by itself. Configure Azure Active Directory SSO and save your users time and energy.

No one wants to enter the same password multiple times to use applications on a single machine. Many administrators...

seek single sign-on, and Microsoft's Active Directory Federation Services is the traditional way to get it. But ADFS doesn't prevent login prompts in all applications; Outlook or Skype for Business users have to look elsewhere.

Businesses have a new option for SSO. Azure Active Directory (AD) Seamless SSO registers a special computer account in AD to act as a proxy so that Integrated Windows Authentication (IWA) -- which authorizes users -- works against specific URLs in Azure AD to sign a user in as if the URLs were an intranet site.

Administrators can configure Azure AD Connect, which integrates an on-premises directory with Azure AD, to perform Seamless SSO; set up an Office 365 tenant to support modern authentication; and, finally, examine the client experience.

Combine Azure Active Directory SSO with modern authentication, which enables features such as multifactor authentication and certificate-based authentication, to get a full SSO without ADFS. Modern authentication uses a web browser-based sign-in within the Office applications, which enables IWA to work.

Configure Azure AD Connect

To set up the feature, start with Azure AD Connect and password synchronization in place. Launch the Azure AD Connect configuration wizard, select the User Sign-In option and choose Enable single sign on, as shown in Figure 1.

Azure AD configuration wizard
Figure 1. Click on Enable single sign on to use Seamless SSO.

On the Enable single sign on page shown in Figure 2, enter the domain administrator credentials to create the special computer account for Azure AD Connect in the local AD.

Enable single sign on
Figure 2. Enter the domain administrator credentials to create a special computer account for Azure AD Connect.

Complete the setup wizard. Once Azure AD Connect updates the configuration, verify that the new computer account has been created. Open Active Directory Users and Computers, navigate to the Computers container and look for a new computer for Azure Active Directory SSO, named AZUREADSSOACC:

Active Directory Users and Computers
Figure 3. Verify that the action created a new computer account named AZUREADSSOACC.

Set up the Office 365 tenant

To use the Seamless SSO service with Outlook and Skype for Business applications, enable the Office 365 tenant for modern authentication.

Connect with Exchange Online PowerShell and use administrative credentials, as such:

$UserCredential = Get-Credential

$ExoSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri -Credential $UserCredential -Authentication Basic -AllowRedirection

Import-PSSession $ExoSession

Next, use the Set-OrganizationConfig cmdlet to enable the OAuth2 Client Profile:

Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

For Skype for Business Online, download and install the Skype for Business Online Windows PowerShell module. Connect to Skype for Business Online from a PowerShell prompt:

$UserCredential = Get-Credential

$SfBSession = New-CsOnlineSession -Credential $UserCredential -Verbose

Import-PSSession $SfBSession

Invoke the Set-CsOAuthConfiguration cmdlet to enable Modern Authentication.

Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed

These are common steps to enable SSO with Windows 10 Azure AD-joined devices and ADFS.

If your organization uses Office 2013 with modern authentication enabled -- or Office 2016, which uses modern authentication if available -- then the system will prompt clients for a password until you have completed and tested the remainder of the steps.

Configure Intranet Zone settings

Azure Active Directory SSO requires an administrator to add two URLs to Internet Explorer's Local Intranet Zone on client PCs. This indicates to the client that the specific URLs are safe to use with IWA.

The two URLs to add are:

When you add these URLs to the Intranet Zone in Internet Explorer, Office clients -- including Outlook and Chrome -- inherit them.

To test the functionality, open the Internet Explorer options page, and on the Security tab, choose Local Intranet, then Sites and finally add the URLs, as shown in Figure 4.

Internet Explorer options page
Figure 4. Test that the two mandatory URLs for Azure AD's SSO service function in Internet Explorer.

Admins typically deploy these URLs via Group Policy. Open the Group Policy management tools for your domain, and either create or amend an existing policy for users who need SSO. Under the User Configuration section, as seen in Figure 5, navigate to Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page. Select the Site to Zone Assignment List.

Group Policy Management Editor
Figure 5. Create or adjust Group Policy for users who need SSO.

Add both site URLs to the Site to Zone Assignment List, with the URL as the Value name and the Value as 1, which indicates that the URL should be added to the Intranet Zone, as seen in Figure 6.

Site to Zone Assignment List
Figure 6. Add the value name and value for each URL to join the Intranet Zone.

What are the caveats?

Once Seamless SSO is configured and you've deployed supporting policies, the sign-in experience removes almost all areas where a user would enter his username and eliminates the need to enter credentials.

But in some scenarios the user needs to enter a username.

A username -- typically an email address -- is required to access some web-based services, including the Office 365 portal, OneDrive and SharePoint. However, after entering the username, the system won't prompt the user for a password.

Organizations that want to add both site URLs to the Site to Zone Assignment List with Microsoft Edge in Windows 10 have an additional step. Edge does not support Seamless SSO, and it might be necessary to configure Edge to use Internet Explorer for Intranet Zone URLs.

Add the Office 365 login page URL to the Intranet Zone to indicate when to use Internet Explorer, instead of native functionality. To ensure Edge launches Internet Explorer for these sites, change the same Group Policy, under Policies > Administrative Templates > Windows Components > Microsoft Edge and enable the policy to send all intranet sites to Internet Explorer 11.

The next-generation OneDrive client, which can sign into both consumer and business OneDrive services, is similar. On first entry, the user must enter a username to sign in but will not be prompted for a password.

Next Steps

Azure AD has a lot to offer Office 365 orgs

Keep abreast of Microsoft's Azure portal changes

Pros and cons of the Azure AD PowerShell module

Dig Deeper on Exchange Server setup and troubleshooting