Azure AD SSO Query

Question

Azure AD SSO Query

Chalee 12

Hi all,

We have on prem AD which we sync to Azure AD using AD connect and this seems to be working OK. We have created an Enterprise App in Azure for an externally hosted app and configured SSO. This works fine for users on a domain joined device.

If I try and access the app on a non domain joined device I get to the MS sign-on page and enter my email address and password. It says my password is incorrect, but I know its right as it works with my on prem account. Should these details not all get synced as part of the AD connect sync.

If I reset my password in Azure AD I can them login in and access the app successfully. Should I be able to access the app on a non domain joined device? Surely I shouldn't have to reset my password in Azure AD?

Jason Warren 116 Reputation points

2019-12-06T04:22:37.407+00:00

Which synchronization method are you using in Azure AD Connect?

Can synced users sign into Office 365 (e.g. https://portal.office.com) using their AD credentials?
Chalee 12 Reputation points

2019-12-06T09:53:05.64+00:00

Hi Jason,

We are fairly new to Azure so just leaning though we have all used AD.

Users can sign into https://portal.office.com/

With regards to Sync methods I am not sure what methods there are TBH. We are doing a delta sync and using Password hash sync(PHS) plus Seamless single sign-on hybrid authenticaion.

Regards Lee

Jason Warren 116 Reputation points

2019-12-06T04:22:37.407+00:00

Which synchronization method are you using in Azure AD Connect?

Can synced users sign into Office 365 (e.g. https://portal.office.com) using their AD credentials?
Chalee 12 Reputation points

2019-12-06T09:53:05.64+00:00

Hi Jason,

We are fairly new to Azure so just leaning though we have all used AD.

Users can sign into https://portal.office.com/

With regards to Sync methods I am not sure what methods there are TBH. We are doing a delta sync and using Password hash sync(PHS) plus Seamless single sign-on hybrid authenticaion.

Regards Lee

Answer 1

If you're using a Microsoft account and not an Azure AD account, you can run into this issue. Can you confirm that you are using an Azure AD created account when this happens?

AD Connect prerequisites:

Accounts
An Azure AD Global Administrator account for the Azure AD directory you wish to integrate with. This must be a school or organization account and cannot be a Microsoft account.
This list is starting to be quite long so I understand that it is easy to miss. As soon as I pick something up in these forums, I add it to the documentation.

It is also possible that there is a connectivity issue or duplicate object. https://learn.microsoft.com/en-us/azure/active-directory/hybrid/tshoot-connect-connectivity

Also, check your conditional access policies to make sure there isn't something blocking unjoined devices.

Azure AD SSO Query

1 answer

Activity