Forum Discussion
Azure Active Directory Seamless Single Sign-On
- Feb 02, 2018
Sorry... then I guess your only option is trying multiple federated tenants, but I'm not sure it's supported.
I don't see any limitation for your scenario:
https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-sso
You could face problems when you sync 30 or more AD forests, which is not your case:
Just follow the procedure for each tenant:
- Will Mellor, Feb 02, 2018, Copper Contributor
I thought that might be the case but I have also seen this: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-topologies#multiple-forests-single-azure-ad-tenant
In there it says: "The single sign-on (SSO) option for password synchronization and pass-through authentication can be used with only one Azure AD tenant."
I would take this as it is not possible.
- Oct 08, 2019
Will Mellor, this is actually possible, but not supported due to how Azure AD Connect works. Technically, SSO is using Kerberos. This means that both the "server" account in AD and the "service" (Azure AD) must share the secret (see this doc).
When enabling SSO, Azure AD Connect creates a computer account in AD (AZUREADSSOACC) and a service principal name (https://autologon.microsoftazuread-sso.com), and configures SSO in Azure AD. During this process, it creates a random password for AZUREADSSOACC and tells this to Azure AD.
So, if you could set the password for each tenant to be the same, this would work. With Microsoft tools, this is not possible. However, this feature will be introduced in the next version of my AADInternals PowerShell module after being presented and announced in T2'19 infosec conference.
- Feb 21, 2020
Here are the steps for setting the SSO password using the AADInternals toolkit.
The first step is to install and import the AADInternals PowerShell module.
Install-Module AADInternals
Import-Module AADInternals
After successful import, the text "AADInternals v0.2.8 by @NestoriSyynimaa" should appear.
The next step is to acquire an OAuth access token for pass-through authentication (PTA), which uses the same tokens as DesktopSSO (the internal technical name for Seamless SSO). The following command prompts for credentials (must be Global Admin) and stores the token in a variable.
$pt=Get-AADIntAccessTokenForPTA
Now, assuming that Seamless SSO is enabled, you can list the current settings using the following command.
Get-AADIntDesktopSSO -AccessToken $pt
The output should be similar to the below, depending on how many domains are registered.
Domains      : company.com
Enabled      : True
ErrorMessage :
Exists       : True
IsSuccessful : True
Now, the password for a specific domain can be set using the following command.
Set-AADIntDesktopSSO -AccessToken $pt -DomainName "company.com" -Password "MyVerySecretPassword"
As the password must be the same in the cloud and on-prem, the command prompts whether the on-prem computer account password should also be set. If you answer "yes", the command tries to set the password using the following commands.
# Locate the Seamless SSO computer account and reset its password to the same value
$computer = Get-ADComputer "AZUREADSSOACC"
Set-ADAccountPassword -Identity $computer.DistinguishedName -NewPassword (ConvertTo-SecureString -AsPlainText "MyVerySecretPassword" -Force)
If you do not have the required rights to on-prem AD, or the Set-ADAccountPassword cmdlet is not available, you should answer "no" and do it manually. Also, the Kerberos Key Distribution Center must be restarted on the Domain Controller for the changes to take effect.
After the password for cloud is successfully set you should get the following output:
IsSuccessful ErrorMessage
------------ ------------
        True
In the case of multiple tenants, the password needs to be set for each tenant for the specific domains the tenant is using.
However, everyone should be aware that if the password (i.e. "MyVerySecretPassword") is known, you can log in as any user of the tenant using the user's SID:
# Generate a Kerberos ticket
$kt=New-AADIntKerberosTicket -SidString "S-1-5-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-xxx" -Password "MyVerySecretPassword"
# Get an access token using the ticket, for example to Exchange Online
$at=Get-AADIntAccessTokenForEXO -KerberosTicket $kt -Domain "company.com"
# Send an email message
Send-AADIntOutlookMessage -AccessToken $at -Recipient "someone@company.com" -Subject "Message" -Message "<h1>Message</h1>"
Luckily, you cannot bypass MFA using this technique. More info at http://o365blog.com/post/kerberos/
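The post above makes the point that whoever knows the AZUREADSSOACC password can mint tickets for any synced user, so from the defender's side the two things worth checking are how old that password is and who has reset it. The following PowerShell script is an added example for this thread, not part of the poster's AADInternals toolkit or of Microsoft's tooling. It assumes the RSAT ActiveDirectory module, read access to a domain controller's Security log, and a placeholder domain controller name ($DomainController); the 30-day threshold follows Microsoft's guidance to roll over the Seamless SSO Kerberos decryption key at least every 30 days.

```powershell
# Added example (not from the thread): audit the Seamless SSO computer account.
# Assumes the RSAT ActiveDirectory module and read access to the domain
# controller's Security log. $DomainController is an assumed placeholder.
param(
    [string]$DomainController = 'dc01.company.com',  # assumed placeholder name
    [int]$MaxKeyAgeDays = 30,                        # Microsoft-recommended rollover interval
    [int]$LookbackDays = 90                          # how far back to look for password resets
)

Import-Module ActiveDirectory

# 1. How old is the AZUREADSSOACC password? Azure AD uses this password
#    as the Kerberos decryption key for Seamless SSO, so its age is the
#    exposure window of a leaked key.
$acc = Get-ADComputer -Identity 'AZUREADSSOACC' -Server $DomainController -Properties PasswordLastSet
$age = (Get-Date) - $acc.PasswordLastSet
if ($age.TotalDays -gt $MaxKeyAgeDays) {
    Write-Warning ("AZUREADSSOACC password is {0:N0} days old (limit {1}); roll over the Seamless SSO key." -f $age.TotalDays, $MaxKeyAgeDays)
} else {
    Write-Host ("AZUREADSSOACC password last set {0} ({1:N0} days ago)" -f $acc.PasswordLastSet, $age.TotalDays)
}

# 2. Who reset that password, and when? Security event 4724 is
#    "An attempt was made to reset an account's password". The target
#    sAMAccountName of a computer account carries a trailing '$'.
$filter = @{ LogName = 'Security'; Id = 4724; StartTime = (Get-Date).AddDays(-$LookbackDays) }
$resets = Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        if ($d['TargetUserName'] -eq 'AZUREADSSOACC$') {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                ResetBy = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Target  = $d['TargetUserName']
            }
        }
    }

if ($resets) {
    Write-Host "Password resets on AZUREADSSOACC in the last $LookbackDays days:"
    $resets | Sort-Object Time | Format-Table -AutoSize
} else {
    Write-Host "No 4724 password-reset events for AZUREADSSOACC in the last $LookbackDays days."
}
```

Any 4724 event for AZUREADSSOACC$ that does not line up with a planned key rollover (or with the Azure AD Connect account performing it) is the on-prem trace of the kind of password change the post describes, and is worth an alert on its own; 4724 is only logged on the domain controller that handled the reset, so run the query against each DC or a central log collector.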
- Pablo R. Ortiz, Feb 02, 2018, Steel Contributor
You're right, so you had the answer.
Is it not possible to unify tenants in one single tenant with multiple verified domains?
- Will Mellor, Feb 02, 2018, Copper Contributor
Sadly not :(