
Azure Active Directory Seamless Single Sign-On

Will Mellor

I have a question around Azure Active Directory Seamless Single Sign-On.
So we want to use the Azure Seamless Single Sign-On but we have a forest and each business is in an organisation unit then each organisation unit is connected to their own office 365 tenant for each business via Azure AD Connect. Would we be able to use Azure Active Directory Seamless Single Sign-On for all the businesses that have separate tenants ?

[Image attached: e.png]

7 Replies
I thought that might be the case but I have also seen this: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-topologi...

In there it says: The single sign-on (SSO) option for password synchronization and pass-through authentication can be used with only one Azure AD tenant.

I would take this as it is not possible.

You're right, so you had the answer.

Is it not possible to unify tenants in one single tenant with multiple verified domains?

Sadly not :(
Solution

sorry... then I guess your only option is trying multiple federated tenants, but I'm not sure it's supported

https://blog.kloud.com.au/2015/09/08/office-365-sso-configuring-multiple-office-365-tenants-to-use-a...

@Will Mellor, this is actually possible, but not supported due to how the Azure AD Connect works. Technically, SSO is using Kerberos. This means that both the "server" account in AD and the "service" (Azure AD) must share the secret (see this doc). 
When enabling SSO, Azure AD connect creates a computer account in AD (AZUREADSSOACC), service principalname (https://autologon.microsoftazuread-sso.com), and configures SSO in Azure AD. During this process, it creates a random password for AZUREADSSOACC and tells this to Azure AD.
So, if you could set the password for each tenant to be the same, this would work. With Microsoft tools, this is not possible. However, this feature will be introduced in the next version of my AADInternals PowerShell module after being presented and announced in T2'19 infosec conference.
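A defender-side health check for the AZUREADSSOACC account the reply above describes, added here as an example; it is not from the thread, from Microsoft, or from the AADInternals module. It assumes the ActiveDirectory RSAT module on a domain-joined host with rights to read the account and the domain controller Security log, uses HTTP/autologon.microsoftazuread-sso.com as the expected Kerberos SPN form of the URL named above, and treats 30 days as the maximum age before the Kerberos decryption key should have been rolled over.

```powershell
# Added example, not code from the thread or from AADInternals.
# Reports the state of the Seamless SSO computer account and lists recent
# password resets against it, so an unexpected reset (which would change the
# shared Kerberos secret) stands out. Assumes RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Test-SeamlessSsoAccount {
    param(
        [string]$AccountName = 'AZUREADSSOACC',   # account created by Azure AD Connect
        [int]$MaxPasswordAgeDays = 30,            # rollover interval assumed here
        [string]$DomainController = (Get-ADDomainController).HostName,
        [int]$LookbackDays = 30
    )
    $acct = Get-ADComputer -Identity $AccountName `
        -Properties PasswordLastSet, ServicePrincipalNames, Enabled -ErrorAction Stop

    # SPN form of the URL the reply names; the HTTP/ prefix is an assumption.
    $expectedSpn = 'HTTP/autologon.microsoftazuread-sso.com'
    $ageDays = ((Get-Date) - $acct.PasswordLastSet).TotalDays

    # Event 4724 = "An attempt was made to reset an account's password".
    # Filter on the message text rather than a property index to stay robust.
    $since = (Get-Date).AddDays(-$LookbackDays)
    $resets = Get-WinEvent -ComputerName $DomainController -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Security'; Id = 4724; StartTime = $since } |
        Where-Object { $_.Message -match "$AccountName\`$" } |
        Select-Object TimeCreated, Message

    [pscustomobject]@{
        Account          = $acct.SamAccountName
        Enabled          = $acct.Enabled
        PasswordLastSet  = $acct.PasswordLastSet
        PasswordAgeDays  = [math]::Round($ageDays, 1)
        HasExpectedSpn   = [bool]($acct.ServicePrincipalNames -contains $expectedSpn)
        RolloverOverdue  = ($ageDays -gt $MaxPasswordAgeDays)
        RecentResetCount = @($resets).Count   # compare against known rollover dates
        RecentResets     = $resets
    }
}

# Usage: flag an overdue key rollover or a reset nobody scheduled.
$state = Test-SeamlessSsoAccount
if ($state.RolloverOverdue -or $state.RecentResetCount -gt 0) {
    $state | Format-List
}
```

Any 4724 event for this account that does not line up with a scheduled Update-AzureADSSOForest rollover deserves a look, since the account's password is the only secret Azure AD uses to validate the Kerberos tickets.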

@Nestori Syynimaa Thank you, will keep a look out :smile:
