Azure AD Joined Device and Office365 - SSO

Jaganathan Krishnan 20 Reputation points

How do I configure SSO between Azure AD joined devices in Tenant A and Office365 in Tenant B, so that when a user logs in to a Windows device using a Tenant A ID, they are also able to log in to O365 hosted in Tenant B without credentials?


2 answers

  1. Marcin Policht 13,175 Reputation points MVP

    Configure the user as a guest in tenant B

    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.



  2. Sandeep G-MSFT 14,911 Reputation points Microsoft Employee

    @Jaganathan Krishnan

    Thank you for posting this in Microsoft Q&A.

    As I understand, you have a device which is joined to Tenant A and you want to access a resource in tenant B using SSO.

    SSO works between applications in a single tenant and not between multiple tenants. This is because the user accounts and sessions can be shared only within a tenant.

    Sharing tokens between multiple tenants is not security compliant.

    Device join can only happen in one tenant. When you register a device, it creates a device object in Azure and maps this to the user account. If you want to join a machine to a different tenant, you need to disconnect from the first tenant and register again with the new tenant.

    Whenever a new device is registered, a token is issued. Now when a user tries to access any resource specific to the same tenant, the token is shared and the user gets access to the resource.

    If the token is invalid, then access is not granted. Now when a user from tenant A tries to access a resource from tenant B, the token is invalidated and SSO fails.

    Currently there is no option where a user from a device joined to Tenant A can access resources from tenant B using SSO.

    However, you can submit feedback in the Azure feedback portal. This portal is directly monitored by our PMs, and they can share any update they have regarding this.

    Let us know if you have any further questions.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
