Configure Azure AD Seamless SSO (Modern Authentication)
This blog post focuses on Azure AD Seamless SSO and Modern Authentication (ADAL), and on how to enable them in a hybrid environment.
Azure Active Directory Introduction
Azure Active Directory is a cloud identity and access management service that provides a set of capabilities for managing users, groups, and other identity objects. It helps secure access to on-premises and cloud applications, including Microsoft Cloud services and many non-Microsoft software-as-a-service applications.
Azure AD can leverage the on-premises Active Directory Domain Services and supports a range of authentication protocols, among them SAML-P, WS-Federation, OpenID Connect, and OAuth 2.0.
As a result of this broad protocol support, a user authenticates once against Azure AD and then has single sign-on to other services, whether they run in the Microsoft Cloud, on-premises, or in a partner cloud.
Azure AD is not just an identity store: on top of the directory it provides services that mainly belong to identities (directly or indirectly), such as:
- Conditional Access
- Azure AD Application Proxy
- B2B Collaboration
- Identity Protection
Azure AD comes in several editions:
- Office 365 apps only.
- Azure AD Free
- Azure AD Basic
- Azure AD Premium P1
- Azure AD Premium P2
Each edition differs in the features it includes. When you activate a Microsoft Cloud service such as Exchange Online or Dynamics CRM, an Azure AD tenant is also created behind the scenes.
Azure AD supports several configurations and architectures. Which one you use depends on your organization's requirements, and they can be combined into custom, supported configurations. The configurations and infrastructure available:
- Cloud Only
- On-premises Active Directory (Single Forest or multiple Forest)
- Federation based on AD FS
- Password Hash Synchronization
- Pass-through Authentication
- Seamless SSO
- Azure AD tenants (Multiple and Single)
Besides the protocols and topologies above, Office client applications have their own sign-in method, Modern Authentication, which depends on the architecture and configuration you choose.
Modern Authentication, what is it all about?
Modern Authentication brings Active Directory Authentication Library (ADAL) based sign-in to the Office client application platforms. This enables sign-in features such as Multi-Factor Authentication, SAML-based third-party identity providers with Office client applications, smart cards, and certificate-based authentication.
It removes the need for Outlook to use the Basic authentication protocol.
Once ADAL is enabled on Office 365, the Office client behaves like a web browser when authenticating to the Microsoft Cloud: it obtains an access token from the identity provider and presents that token to the service, instead of sending the username and password to the service with every request.
If MFA is configured, the behavior is the same as when accessing the service from the web.
So why do we need Modern Authentication (ADAL)? The reasons are straightforward:
- Local credentials – users no longer type a username and password into Microsoft Office
- MFA – no need for app passwords
- SSO – company devices sign in without a password, using a Kerberos ticket
By default, Modern Authentication (ADAL) is enabled for SharePoint Online but disabled for Exchange Online and Skype for Business Online.
Azure AD Seamless SSO
Azure AD Seamless Single Sign-On automatically signs in users when they are on their company devices and connected to the company network. When AAD SSSO is enabled, users don't need to type their passwords to sign in to Microsoft Cloud services such as Office 365 or Azure AD.
How it works – The authentication process for AAD SSSO relies on a computer object in the on-premises Active Directory, its Kerberos SPNs, and the Azure AD sign-in URLs, which together allow users to sign in automatically.
After enabling SSSO, a new computer account called AZUREADSSOACC is created in the on-premises Active Directory, and its Kerberos decryption key is shared securely with Azure AD.
Two Kerberos SPNs are also registered on this object to represent the cloud URLs used during authentication between the client and Azure AD.
Domain-joined Authentication Process
- The user accesses a cloud resource
- Azure AD redirects the browser to its sign-in URL and responds with a Kerberos challenge (HTTP 401 with WWW-Authenticate: Negotiate)
- The user's device sends a ticket request for the AZUREADSSOACC SPN to the on-premises Active Directory
- The on-premises Active Directory locates the AZUREADSSOACC object and issues a Kerberos service ticket encrypted with that account's key
- The ticket is passed to the client
- The client returns the encrypted Kerberos ticket to Azure AD
- Azure AD decrypts the ticket using the pre-shared decryption key and validates the user
- After successful validation, Azure AD either issues a further challenge (for example MFA or Conditional Access) or provides access to the cloud resource
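To confirm on a domain-joined client that the ticket request in the flow above actually works, you can ask Windows to fetch a service ticket for the Seamless SSO SPN and inspect the ticket cache. The following PowerShell is an added example, not code from the original post; it assumes the SPN name HTTP/autologon.microsoftazuread-sso.com that Microsoft documents for AZUREADSSOACC and the output format of the built-in klist.exe tool:

```powershell
# Added example, not part of the original post. Run on a domain-joined Windows client.
# Assumption: the Seamless SSO SPN below is the one Microsoft documents for AZUREADSSOACC.
$SeamlessSsoSpn = 'HTTP/autologon.microsoftazuread-sso.com'

function Test-SeamlessSsoTicket {
    param([string]$Spn = $SeamlessSsoSpn)

    # Ask the Kerberos client to obtain a service ticket for the SPN; this is the same
    # request the browser makes after Azure AD's 401 Negotiate challenge.
    $output = (& klist.exe get $Spn 2>&1) | Out-String

    # klist lists each cached ticket as "Server: <SPN> @ <REALM>" followed by its
    # "KerbTicket Encryption Type:" line; pick the block that belongs to our SPN.
    $pattern = 'Server:\s*' + [regex]::Escape($Spn) +
               '\s*@\s*(?<realm>\S+)[\s\S]*?KerbTicket Encryption Type:\s*(?<etype>[^\r\n]+)'
    $m = [regex]::Match($output, $pattern, 'IgnoreCase')

    $result = [pscustomobject]@{
        Spn            = $Spn
        TicketObtained = $m.Success
        Realm          = if ($m.Success) { $m.Groups['realm'].Value } else { $null }
        EncryptionType = if ($m.Success) { $m.Groups['etype'].Value.Trim() } else { $null }
    }

    if (-not $result.TicketObtained) {
        Write-Warning "No Kerberos ticket for $Spn. Check that the device is domain joined, a DC is reachable, and that the AZUREADSSOACC object carries this SPN."
        Write-Verbose $output
    }
    elseif ($result.EncryptionType -match 'RC4') {
        Write-Warning "Ticket for $Spn is RC4-encrypted: the AZUREADSSOACC key is still the legacy RC4 key; roll it over on a current Azure AD Connect build to get AES."
    }
    return $result
}

Test-SeamlessSsoTicket | Format-List
```

If a ticket comes back, the on-premises half of the flow is working; anything that still fails is then on the browser side (Intranet zone settings) or in Azure AD itself.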
Azure AD joined Device Authentication
With Windows 10 devices you can get the AAD SSSO experience by Azure AD joining them. The authentication process and the user experience are the same as for domain-joined devices, but remember to configure SSO in the Azure AD Connect tool.
When planning an authentication change, a few points need planning: how users work, the current authentication type, whether AD FS is in use, and similar questions.
If users currently sign in with Password Hash Synchronization and no AD FS server, you can plan a change to Seamless SSO. Seamless SSO also works with Pass-through Authentication.
Many organizations run Azure AD Connect with Password Hash Synchronization while both Modern Authentication and Seamless SSO are disabled.
In this scenario, enabling only Seamless SSO is not good enough. With Seamless SSO alone, the Office applications still use legacy authentication, so they do not behave like the web applications, and the credentials are still saved locally.
It is recommended to enable Modern Authentication together with Seamless SSO so that web applications and Office applications use the same authentication.
Enable and Configure Seamless SSO
When enabling Azure AD Seamless SSO and Modern Authentication (ADAL), users will not experience a service disruption.
Note: The following steps cover only Azure AD Seamless SSO and Modern Authentication (ADAL).
First, enable Modern Authentication, so that users are not prompted for credentials.
Enable Modern Authentication for Exchange Online
To enable Modern Authentication (ADAL) for Exchange Online and Skype for Business Online, perform the following actions:
Connect to Exchange Online via PowerShell (the Basic-authentication remote PowerShell endpoint used here has since been retired by Microsoft; on current tenants use Connect-ExchangeOnline from the ExchangeOnlineManagement module instead, then run the same Set-OrganizationConfig command):
$cred = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $Session -DisableNameChecking
Enable ADAL for Exchange Online with the following PowerShell command:
Set-OrganizationConfig -OAuth2ClientProfileEnabled $true -Verbose
Check and verify the changes.
Get-OrganizationConfig | Format-Table -Auto Name,OAuth*
Enable Modern Authentication for Skype for Business Online
Connect to Skype for Business Online via PowerShell (requires the Skype for Business Online PowerShell module):
$credential = Get-Credential
$session = New-CsOnlineSession -Credential $credential
Import-PSSession $session
Enable Modern Authentication
Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed
Check and verify Modern Authentication:
Get-CsOAuthConfiguration | ft Identity, ClientAdalAuthOverride
Enable Azure AD Seamless SSO
To enable Azure AD Seamless SSO, follow these steps.
The requirements and preparation for Azure AD Seamless SSO are:
- Azure AD Connect version 1.1.644.0 or later
- Proxy bypass and outbound port 443 to *.msappproxy.net
- Outbound port 443 to the Azure datacenter IP ranges
- Domain Administrator credentials for the on-premises forest
- Office 2013 and higher on the clients
Configure Seamless SSO
On your Azure AD Connect server, choose Configure > Change user sign-in, enter Global Administrator credentials for the Office 365 tenant, and select the option Enable single sign-on. You are then prompted for Domain Administrator credentials for each on-premises forest.
Once single sign-on is enabled and a synchronization to Azure AD has run, the following occurs:
- A computer object called AZUREADSSOACC is created in the on-premises Active Directory
- The AZUREADSSOACC object carries two SPNs, one for each Azure AD sign-in URL
- In the Azure portal, Seamless single sign-on changes to Enabled under Azure Active Directory > Azure AD Connect > Seamless single sign-on
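On the server side, the AZUREADSSOACC object and its two SPNs are what Azure AD trusts, and whoever obtains that account's Kerberos key can mint tickets that Azure AD accepts for any synchronized user. Microsoft therefore recommends rolling the key over at least every 30 days. The script below is an added example, not code from the original post; it assumes the RSAT ActiveDirectory module on a domain-joined admin workstation and the two SPN values Microsoft documents for Seamless SSO:

```powershell
# Added example, not part of the original post. Requires the RSAT ActiveDirectory module.
# Assumption: the two SPN values are the ones Microsoft documents for Seamless SSO, and the
# 30-day rollover interval is Microsoft's recommendation for the AZUREADSSOACC key.
Import-Module ActiveDirectory

$ExpectedSpns = @(
    'HTTP/autologon.microsoftazuread-sso.com',
    'HTTP/aadg.windows.net.nsatc.net'
)
$MaxKeyAgeDays = 30

function Test-AzureAdSsoAccount {
    param(
        [string[]]$ExpectedSpn = $ExpectedSpns,
        [int]$MaxKeyAge = $MaxKeyAgeDays
    )

    # Azure AD Connect creates AZUREADSSOACC as a computer object in the forest it was run against.
    $acct = Get-ADComputer -Filter { Name -eq 'AZUREADSSOACC' } `
                -Properties ServicePrincipalNames, PasswordLastSet, Enabled, whenCreated
    if (-not $acct) {
        throw 'AZUREADSSOACC computer object not found: Seamless SSO is not enabled for this forest, or the object was deleted.'
    }

    # Both SPNs must be present; a missing one breaks the Kerberos challenge for that URL.
    $missing = @($ExpectedSpn | Where-Object { $acct.ServicePrincipalNames -notcontains $_ })
    # Unexpected extra SPNs on this object deserve a second look as well.
    $extra   = @($acct.ServicePrincipalNames | Where-Object { $ExpectedSpn -notcontains $_ })

    # PasswordLastSet is when the Kerberos decryption key shared with Azure AD was last rolled over.
    $keyAgeDays = if ($acct.PasswordLastSet) { [int]((Get-Date) - $acct.PasswordLastSet).TotalDays } else { $null }

    $result = [pscustomobject]@{
        DistinguishedName = $acct.DistinguishedName
        Enabled           = $acct.Enabled
        Created           = $acct.whenCreated
        MissingSpns       = $missing
        UnexpectedSpns    = $extra
        KeyLastRolled     = $acct.PasswordLastSet
        KeyAgeDays        = $keyAgeDays
        KeyRolloverDue    = ($null -eq $keyAgeDays) -or ($keyAgeDays -gt $MaxKeyAge)
    }

    if ($missing.Count -gt 0)   { Write-Warning "AZUREADSSOACC is missing SPNs: $($missing -join ', ')" }
    if ($extra.Count -gt 0)     { Write-Warning "AZUREADSSOACC has unexpected SPNs: $($extra -join ', ')" }
    if ($result.KeyRolloverDue) { Write-Warning "Kerberos decryption key is $keyAgeDays days old; roll it over at least every $MaxKeyAge days." }
    return $result
}

Test-AzureAdSsoAccount | Format-List
```

Roll the key from the Azure AD Connect server with the AzureADSSO module that ships with it (New-AzureADSSOAuthenticationContext, then Update-AzureADSSOForest), and treat AZUREADSSOACC as a Tier 0 asset: alert on changes to its SPNs and on directory replication reads of its password attributes, the same way you would for krbtgt.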
Configure Intranet zone settings URLs
Add the Azure AD sign-in URLs to the users' Local intranet zone, so that the browser answers the Kerberos challenge from those URLs automatically:
Make sure to also enable Allow updates to status bar via script for the Intranet zone.
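The Intranet zone settings are what let the browser hand the Kerberos ticket to Azure AD's sign-in URL. The following PowerShell is an added example, not code from the original post, that writes the two settings for the current user via the registry and verifies them. It assumes https://autologon.microsoftazuread-sso.com, the Seamless SSO URL Microsoft documents; that zone 1 is the Local intranet zone; and that IE URL action 2103 is "Allow updates to status bar via script" (check that id against your GPO reference). In production, deploy the same values with Group Policy (Site to Zone Assignment List and the matching Internet Explorer policy) rather than per-user registry writes:

```powershell
# Added example, not part of the original post.
# Assumptions: the autologon URL is the one Microsoft documents for Seamless SSO, zone 1 is
# the Local intranet zone, and URL action 2103 is "Allow updates to status bar via script".
$ZoneMapPath     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\microsoftazuread-sso.com\autologon'
$IntranetZone    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1'
$StatusBarAction = '2103'
$LocalIntranet   = 1   # zone id for Local intranet
$ActionEnabled   = 0   # IE URL action value meaning "Enable"

function Set-SeamlessSsoIntranetZone {
    # Map https://autologon.microsoftazuread-sso.com to the Local intranet zone. The ZoneMap
    # layout is Domains\<domain>\<host> with one value per scheme (here only https).
    New-Item -Path $ZoneMapPath -Force | Out-Null
    New-ItemProperty -Path $ZoneMapPath -Name 'https' -PropertyType DWord -Value $LocalIntranet -Force | Out-Null

    # Allow updates to status bar via script in the Local intranet zone.
    New-ItemProperty -Path $IntranetZone -Name $StatusBarAction -PropertyType DWord -Value $ActionEnabled -Force | Out-Null
}

function Test-SeamlessSsoIntranetZone {
    $zone      = (Get-ItemProperty -Path $ZoneMapPath -Name 'https' -ErrorAction SilentlyContinue).https
    $statusBar = (Get-ItemProperty -Path $IntranetZone -Name $StatusBarAction -ErrorAction SilentlyContinue).$StatusBarAction

    [pscustomobject]@{
        AutologonInIntranetZone = ($zone -eq $LocalIntranet)
        StatusBarScriptAllowed  = ($statusBar -eq $ActionEnabled)
    }
}

Set-SeamlessSsoIntranetZone
Test-SeamlessSsoIntranetZone
```

Only the https scheme is mapped on purpose: adding http would let a plain-HTTP host under that name be treated as intranet, which is not needed for Seamless SSO.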
After all the settings have been made, users will connect to the service using Seamless SSO and ADAL.
Note: for a Skype for Business hybrid deployment, make sure the on-premises OAuth configuration is set up as well.