LDAP or SSO with 100% Azure infrastructure

Jason B 6 Reputation points
2022-12-01T19:56:38.28+00:00

Hi,
We're a new startup with all staff working remotely and our infrastructure is 100% Azure with no on-premise infrastructure. Our company laptops are all Azure AD Joined and managed from Intune. This also deploys a P2S VPN which allows connectivity into Azure infrastructure.

We have a core application our staff use which is hosted on an app server in Azure. The thick client is installed on a user's desktop and connects to the app server. Authentication is via AD so the server is domain joined. At present we have VMs in Azure that are also domain joined. The staff RDP onto these and can then use SSO to log into the application.

Instead of staff having to RDP to use an application, the client should be installed on their laptop. While we have connectivity over the P2S VPN, there is no trust as the laptops are not on the domain and SSO doesn't work either. It's possible to domain join a laptop so the application works, but then it's impossible to Azure AD Join the laptop so it's managed via Intune. Also, Azure licences such as the M365 E3 don't work and don't upgrade Windows to Enterprise, along with other limitations.

It's also possible to configure the application to use an authentication server utilising LDAP, but I understand this is not supported in Azure AD either. Why should LDAP even be needed when the laptop is already authenticated by Azure AD?

This seems to be a huge hole in Microsoft's Cloud approach for the modern workplace, as it appears to be impossible to use SSO with a thick client, or LDAP, which is also used by thousands of cloud apps out there that need an LDAP connection for authentication. At present, the only option appears to be to create an on-premise network to host a domain controller and hybrid join them, completely defeating the idea of a cloud-only infrastructure.

Is this really impossible, or am I missing something?

Regards,
Jason


2 answers

  1. Michael Durkan 12,136 Reputation points MVP
    2022-12-02T12:53:18.253+00:00

    Hi,

    Have you looked at Azure AD Domain Services for your use case?

    https://learn.microsoft.com/en-us/azure/active-directory-domain-services/overview

    This provides LDAP and Kerberos capabilities for your Azure AD identities. There is no management or overhead of the DCs that are deployed.

    Hope this helps,

    Thanks

    Michael Durkan

    • If the reply was helpful please upvote and/or accept as answer as this helps others in the community with similar questions. Thanks!
    1 person found this answer helpful.
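An added example (not part of Michael Durkan's answer or of Microsoft's documentation) showing how an admin would check, from one of the Azure AD joined laptops, that the Azure AD DS managed domain's secure LDAP endpoint is reachable over the P2S VPN, that its TLS certificate validates, and that an LDAPS bind succeeds. The host name, port and bind user are placeholders you must replace with your own managed domain's values; the `dsregcmd`, `Test-NetConnection` and `System.DirectoryServices.Protocols` calls are standard Windows components.

```powershell
# Added example (not from the original thread): verify secure LDAP against an Azure AD DS
# managed domain from an Azure AD joined laptop, with certificate validation left ON.
# Placeholders (assumptions, not values from the thread):
#   $LdapsHost - DNS name the secure LDAP certificate was issued for
#   $BindUser  - a user in the managed domain, in UPN form
param(
    [string]$LdapsHost = 'ldaps.example.com',   # placeholder
    [int]$LdapsPort    = 636,                   # secure LDAP default port
    [string]$BindUser  = 'user@example.com'     # placeholder
)

Add-Type -AssemblyName System.DirectoryServices.Protocols

# 1. Device join state: an Azure AD joined (not hybrid) device reports
#    "AzureAdJoined : YES" and "DomainJoined : NO" in dsregcmd output.
$status       = dsregcmd /status
$azureJoined  = [bool]($status | Select-String 'AzureAdJoined\s*:\s*YES')
$domainJoined = [bool]($status | Select-String 'DomainJoined\s*:\s*YES')
"AzureAdJoined={0} DomainJoined={1}" -f $azureJoined, $domainJoined

# 2. Network path: TCP 636 must be reachable through the VPN (route + NSG rule).
$tcp = Test-NetConnection -ComputerName $LdapsHost -Port $LdapsPort -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    throw "TCP $LdapsPort to $LdapsHost not reachable; check the P2S route and the NSG on the managed domain subnet"
}

# 3. TLS: do a real handshake so the chain and host name are validated, then report the cert.
$client = [System.Net.Sockets.TcpClient]::new($LdapsHost, $LdapsPort)
$ssl    = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
try {
    $ssl.AuthenticateAsClient($LdapsHost)   # throws if the chain or host name does not validate
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    "Cert subject={0} expires={1:u}" -f $cert.Subject, $cert.NotAfter
} finally {
    $ssl.Dispose(); $client.Dispose()
}

# 4. Bind: simple bind over LDAPS only, so the password never crosses the wire in clear text.
$cred = Get-Credential -UserName $BindUser -Message 'Managed-domain password'
$id   = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($LdapsHost, $LdapsPort, $true, $false)
$conn = [System.DirectoryServices.Protocols.LdapConnection]::new(
            $id, $cred.GetNetworkCredential(), [System.DirectoryServices.Protocols.AuthType]::Basic)
$conn.SessionOptions.SecureSocketLayer = $true
$conn.SessionOptions.ProtocolVersion   = 3
try {
    $conn.Bind()
    "Bind OK as $BindUser"
} finally {
    $conn.Dispose()
}
```

Run it as the signed-in user on a laptop connected to the P2S VPN. Step 3 deliberately does not override certificate validation: if the managed domain's secure LDAP certificate was issued by a private CA, deploy that CA's root to the laptops via Intune rather than turning validation off, otherwise the LDAPS bind is exposed to interception on the way to the managed domain.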

  2. Akshay-MSFT 15,856 Reputation points Microsoft Employee
    2022-12-05T10:00:14.843+00:00

    Hello @Jason B ,

    By default SSO is enabled for first party applications on AAD joined devices. However it seems like you are using enterprise applications for which you are looking at SSO as an option.

    If that is the case, then SSO must be enabled for each enterprise application separately within the application manifest or SSO options.
    You could refer to the given link for an SSO configuration overview for "Enterprise applications":
    https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/add-application-portal-setup-sso

    For step by step configuration kindly refer to the sample example: https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/workday-tutorial


    Please do let me know if you have any further queries.

    Thanks,
    Akshay Kaushik

    Please "Accept the answer", "Upvote" and rate your experience if the suggestion works as per your business need. This will help us and others in the community as well.

    1 person found this answer helpful.