Azure AD Pass-through Authentication | Seamless Single Sign-On | Identity & Access management V 4

Опубликовано: 20 Сентябрь 2024
на канале: ITProGuide

19k

201

Exchange Server Training:

Azure Active Directory (Azure AD) Pass-through Authentication allows your users to sign in to both on-premises and cloud-based applications using the same passwords. This feature provides your users a better experience - one less password to remember, and reduces IT helpdesk costs because your users are less likely to forget how to sign in. When users sign in using Azure AD, this feature validates users' passwords directly against your on-premises Active Directory.

"Group policy" option - Detailed steps

Open the Group Policy Management Editor tool.
Edit the group policy that's applied to some or all your users. This example uses Default Domain Policy.
Browse to User Configuration - Policy - Administrative Templates - Windows Components - Internet Explorer - Internet Control Panel - Security Page. Then select Site to Zone Assignment List.
Enable the policy, and then enter the following values in the dialog box:
Value name: The Azure AD URL where the Kerberos tickets are forwarded.
Value (Data): 1 indicates the Intranet zone.
The result looks like this:
Value name:
Value (Data): 1
Note
If you want to disallow some users from using Seamless SSO (for instance, if these users sign in on shared kiosks), set the preceding values to 4. This action adds the Azure AD URL to the Restricted zone, and fails Seamless SSO all the time.
Select OK, and then select OK again.

Browse to User Configuration - Policy - Administrative Templates - Windows Components - Internet Explorer - Internet Control Panel - Security Page - Intranet Zone. Then select Allow updates to status bar via script.

Enable the policy setting, and then select OK.

"Group policy preference" option - Detailed steps

Open the Group Policy Management Editor tool.
Edit the group policy that's applied to some or all your users. This example uses Default Domain Policy.
Browse to User Configuration - Preferences - Windows Settings - Registry - New - Registry item.

Enter the following values in appropriate fields and click OK.
Key Path: Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\microsoftazuread-sso.com\autologon
Value name: https.
Value type: REG_DWORD.
Value data: 00000001.

Browser considerations

Mozilla Firefox (all platforms)

Mozilla Firefox doesn't automatically use Kerberos authentication. Each user must manually add the Azure AD URL to their Firefox settings by using the following steps:
Run Firefox and enter about:config in the address bar. Dismiss any notifications that you see.
Search for the network.negotiate-auth.trusted-uris preference. This preference lists Firefox's trusted sites for Kerberos authentication.
Right-click and select Modify.
Enter in the field.
Select OK and then reopen the browser.
Safari (macOS)
Ensure that the machine running the macOS is joined to AD. Instructions for AD-joining your macOS device is outside the scope of this article.
Google Chrome (all platforms)

If you have overridden the AuthNegotiateDelegateWhitelist or the AuthServerWhitelist policy settings in your environment, ensure that you add Azure AD's URL ( to them as well.
Google Chrome (macOS and other non-Windows platforms)

For Google Chrome on Mac OS and other non-Windows platforms, refer to The Chromium Project Policy List for information on how to whitelist the Azure AD URL for integrated authentication.
The use of third-party Active Directory Group Policy extensions to roll out the Azure AD URL to Firefox and Google Chrome on Mac users is outside the scope of this article.
Known browser limitations

Seamless SSO doesn't work in private browsing mode on Firefox and Microsoft Edge browsers. It also doesn't work on Internet Explorer if the browser is running in Enhanced Protected mode.

Azure AD – Introduction - Identity and Access management Video - 1:

Azure AD – Create an Azure Tenant and Verify- Identity and Access management Video - 2 :

Azure AD - AD Connect - configure Password Hash Synchronization - Identity & Access management V 3:

Azure AD Pass-through Authentication | Seamless Single Sign-On | Identity & Access management V 4:

Configuring ADFS for Office 365: A Step-By-Step Guide: