SSO to O365


Hi all,

In our environment we configured mail=UPN and we are using UPN as a user logon to Azure/O365. Is it possible to configure a Windows workstation to connect to Office 365 sites using IE with pass-through (without typing the mail/UPN)?

Thank you in advance for your help.

Regards

5 Replies

Hi Pop,

You will need to implement ADFS to reach your goal.

Read more here - https://blogs.technet.microsoft.com/rmilne/2017/04/28/how-to-install-ad-fs-2016-for-office-365/


I do not use ADFS and do not have to input my login for Web access. I am using ADSync with SSO. If you set up your Group Policy correctly with the proper sites, etc., and then set up a 365 work account and/or do Hybrid Domain Join, you do not need to log in.

Here is the article I used to set up Seamless Sign On, and it works quite well. https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-sso


Hi Christopher,

It's also an option, but it depends on the requirements. Some customers will always use ADFS because of privacy of passwords and access services.

In that case you can use the Azure AD Sync option with Password pass through as well.

PTA can work with AlternateId (using any attribute other than UPN), and so does AAD Connect SSO, so AD FS is not mandatory unless you have some very specific requirements. Now, if you need true "seamless" SSO, in all cases you will also have to configure some form of smart links, for any/all applications that do not send domain_hint information as part of the auth flow. Otherwise you will still have to enter the UPN (mail) of the user before SSO happens.
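
The domain_hint point in the last reply, as an added example that is not part of the original thread: a small Python audit that reads application sign-in request URLs, reports which ones carry no home-realm hint (so the user would still be asked for the UPN), and builds a hinted sign-in URL for them as one form of smart link. The client IDs and the `contoso.example` domain are constructed placeholders, and treating `login_hint`, `whr` and a tenant-specific endpoint path as equivalent to `domain_hint` is an assumption of this example.

```python
from urllib.parse import parse_qs, parse_qsl, urlencode, urlsplit, urlunsplit

# Hints that let Azure AD pick the home realm without asking for the UPN.
# domain_hint is the one named in the thread; login_hint and whr are assumed
# here to count as equivalent hints.
HINT_PARAMS = ("domain_hint", "login_hint", "whr")
GENERIC_TENANTS = {"common", "organizations", "consumers"}

# Constructed sample sign-in requests (placeholder client IDs and domain).
BASE = "https://login.microsoftonline.com"
SAMPLE_REQUESTS = {
    "app-a": BASE + "/common/oauth2/authorize"
             "?client_id=00000000-0000-0000-0000-000000000001&response_type=code",
    "app-b": BASE + "/common/oauth2/authorize"
             "?client_id=00000000-0000-0000-0000-000000000002&response_type=code"
             "&domain_hint=contoso.example",
    "app-c": BASE + "/contoso.example/oauth2/authorize"
             "?client_id=00000000-0000-0000-0000-000000000003&response_type=code",
}


def realm_hint(url):
    """Return (source, value) for the first home-realm hint in url, or None."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    for name in HINT_PARAMS:
        if query.get(name):
            return name, query[name][0]
    # A tenant-specific endpoint (/<tenant>/oauth2/...) also identifies the realm.
    segs = [s for s in parts.path.split("/") if s]
    if len(segs) >= 2 and segs[1] == "oauth2" and segs[0].lower() not in GENERIC_TENANTS:
        return "tenant_path", segs[0]
    return None


def add_domain_hint(url, domain):
    """Build a hinted sign-in URL: append domain_hint unless a hint is present."""
    if realm_hint(url):
        return url
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True) + [("domain_hint", domain)]
    return urlunsplit(parts._replace(query=urlencode(query)))


def needs_smart_link(requests):
    """Names of the apps whose sign-in request carries no home-realm hint."""
    return sorted(name for name, url in requests.items() if realm_hint(url) is None)
```
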