AAD to on premise SSO

Ben Wosjke 136

Hi, this article https://learn.microsoft.com/en-us/azure/active-directory/devices/azuread-join-sso#next-steps pretty clearly states that SSO is possible for an AAD connected device/user to on premise resources as long as there is a "line of sight" to local DC's....

Specifically the line
Azure AD joined devices have no knowledge about your on-premises AD environment because they aren't joined to it. However, you can provide additional information about your on-premises AD to these devices with Azure AD Connect.

The document then proceeds to give no further detail or links on how to actually achieve that. The article it links to at the end refers back to this article, creating a wonderful loop while providing no useful information.

Does anyone have any information on what changes to AADConnect are required in order to get SSO for AAD devices back to on-premise resources ?

MrAzureAD 81 Reputation points

2020-06-02T08:59:11.777+00:00
Hi @Ben Wosjke ,

I am with you, that this part misses quite some documentation.

As far as I know, it works like this:

When you synchronize users from on-prem AD to AAD (aka hybrid environment), the information about the on-prem AD domain is retained in the AAD user record.

When you access a on-prem AD application, the credential manager realizes that there is no TGT and will contact a DC of that domain to get the TGT.

However, I have no clue how/which credential is used to finally get the TGT though. The cleartext password should not be available anymore on the client ...

I hope that this at least helped you with your original question.

Greetings,
Tobias
Ben Wosjke 136 Reputation points

2020-06-03T09:10:15.23+00:00

thats much closer....

basically what im hearing is that the line in the document

"Azure AD joined devices have no knowledge about your on-premises AD environment because they aren't joined to it. However, you can provide additional information about your on-premises AD to these devices with Azure AD Connect."

is incorrect - and that no further configuration is required to get accounts that are synced via AADConnect to SSO to on premise resources, even when the device is AAD (not AD) joined.

I have tested this in my environment, but always like to know how it is meant to work according to the doco..... just makes it tough when the doco is wrong!

anyway, rant over, thanks for the answer.

1 answer

Manu Philip 16,986 Reputation points MVP

2020-06-02T04:49:32.813+00:00

Hi @Ben Wosjke ,

In order to connect AAD joined devices to on-premises AD and to establish SSO , run the Directory synchronization wizard and Azure AD Connect. Check the below link to see more details on setting up the Azure AD Connect.

https://learn.microsoft.com/en-us/office365/enterprise/set-up-directory-synchronization

Please mark as "Accept the answer" if the above steps helps you. Others with similar issues can also follow the solution as per your suggestion

Regards,

Manu
Please sign in to rate this answer.
Ben Wosjke 136 Reputation points

2020-06-02T05:22:26.733+00:00

i dont understand why you would post that ? that doesn't get anywhere near answering my question.

So is it your assertion that the document is wrong?
No further configuration is required to AADConnect in order to get SSO for AAD-joined devices to on-premise infrastructure ?

Manu Philip 16,986 Reputation points MVP

2020-06-02T05:27:44.583+00:00

Hi,
Sorry to see that my response didn't help you. I was trying to help you out to sync your on-premises AD with Azure AD. That will enable SSO across both infrastructure for all the member devices . Microsoft provides Azure AD connect tool to establish that.
If it didn't help, I hope, someone else can help you soon here

Regards,
Manu
Sign in to comment