Forum Discussion

Gavin Sowerby
Copper Contributor
Oct 20, 2017

AAD Connect - Password Hash Sync - Seamless SSO - Office 2013/2016

Hi, has anybody been able to implement <subject> allowing, for example, Word 2013 to single sign on to Azure AD without the need for selecting "Add A Place -> Office 365 SharePoint" and being prompted for a login name? We are looking at this, which our federated partner seems to provide very well, but we are unable to when using AADC and Seamless SSO. Anything web-based uses single sign-on perfectly, but Office apps don't without first entering username information into the popup.


Note: the EnableADAL and Version registry keys are present for Modern Authentication prior to opening Word.


  • AlexR91
    Brass Contributor

    We're having the same issue. My understanding of this is that the app automatically signs in using AD DS on first launch. The users aren't being logged in using ADAL at all, it just so happens that the on-prem UPN is the same as the user's Azure AD login name (Source).

    You can verify this by opening or saving a document in Word (which generates the user's "recent" list). Then navigate to HKCU\Software\Microsoft\Office\15.0\Word\User MRU. A user properly logged in to Azure AD will have a hive beginning with "ADAL_" in this directory, whereas one where the domain user is being logged in will begin with "AD_".

    We have Azure AD Connect with seamless SSO set up properly and can verify it works properly in the browser. We also have modern authentication enabled like you do. When we sign out of the local user, then sign in again using the user's email/UPN, seamless SSO works perfectly and the user connects using their ADAL account.


    The page linked above includes the following paragraph, entitled "Single sign-on, Active Directory, and federated sign-in" that states:


    When a user signs in to Office 2013, Office automatically tries to use the Active Directory Domain Services (AD DS) account with which the user logged into the operating system. If that Active Directory account is federated with Office 365, the customer automatically receives all the benefits of signing into Office 365 without having to perform any additional steps.

    I get the feeling that, in this article, when they say "Federated", they are referring specifically and exclusively to AD FS. Microsoft needs to clarify this.
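Added example, not part of this thread or of any Microsoft tooling: a PowerShell check that automates the two things discussed above, whether the modern-authentication values are set under Common\Identity (the EnableADAL and Version keys the original post mentions) and whether Word's User MRU was written under an "ADAL_" (Azure AD) or "AD_" (on-prem AD DS) identity. It assumes Office 2016 uses the same registry layout under 16.0 as Office 2013 does under 15.0, and that Word has already been used to open or save a document so the MRU key exists.

```powershell
# Added diagnostic (not from the thread): for each Office generation, report the
# modern-auth registry values and classify the identities found in Word's User MRU.
# Assumption: Office 2016 (16.0) mirrors the Office 2013 (15.0) key layout.
$versions = @{ '15.0' = 'Office 2013'; '16.0' = 'Office 2016' }

foreach ($ver in $versions.Keys) {
    $label = $versions[$ver]

    # EnableADAL=1 and Version=1 under Common\Identity switch on modern auth for
    # Office 2013; Office 2016 has it on by default, so a missing value there is
    # not by itself a problem.
    $identity = "HKCU:\Software\Microsoft\Office\$ver\Common\Identity"
    if (Test-Path $identity) {
        $props = Get-ItemProperty -Path $identity
        Write-Host ('{0}: EnableADAL={1} Version={2}' -f $label, $props.EnableADAL, $props.Version)
    } else {
        Write-Host ('{0}: Common\Identity key not present' -f $label)
    }

    # The MRU subkeys are named after the identity Word signed in with.
    $mru = "HKCU:\Software\Microsoft\Office\$ver\Word\User MRU"
    if (-not (Test-Path $mru)) {
        Write-Host ('{0}: no Word User MRU key yet (open or save a document first)' -f $label)
        continue
    }
    foreach ($sub in Get-ChildItem -Path $mru) {
        $name = $sub.PSChildName
        $kind = switch -Wildcard ($name) {
            'ADAL_*' { 'Azure AD identity (modern auth sign-in worked)' }
            'AD_*'   { 'on-prem AD DS identity (no ADAL sign-in, the symptom in this thread)' }
            default  { 'other identity' }
        }
        Write-Host ('{0}: {1} -> {2}' -f $label, $name, $kind)
    }
}
```

Run it in the affected user's session (the keys live under HKCU, so an elevated prompt for another account will not see them). An "AD_" entry alongside EnableADAL=1 reproduces the situation AlexR91 describes: modern auth is enabled, but Word never actually performed an ADAL sign-in.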

    • Gavin Sowerby
      Copper Contributor

      Hi, thanks for this.


      I was hoping that simply having on-premises AD with Azure AD Connect all set up would also give rich Office client apps single sign-on without AD FS. Hopefully this is on the roadmap somewhere; we have tens of thousands of customers who use various different domain-joined workstations, and ideally we don't want to change their experience and ask them to navigate to "Add a Place" and go through entering their UPN.
