BenWosjke-0694 asked:

AAD to on-premises SSO

Hi, this article https://docs.microsoft.com/en-us/azure/active-directory/devices/azuread-join-sso#next-steps pretty clearly states that SSO is possible for an AAD-connected device/user to on-premises resources as long as there is "line of sight" to local DCs.

Specifically the line
Azure AD joined devices have no knowledge about your on-premises AD environment because they aren't joined to it. However, you can provide additional information about your on-premises AD to these devices with Azure AD Connect.

The document then proceeds to give no further detail or links on how to actually achieve that. The article it links to at the end refers back to this article, creating a wonderful loop while providing no useful information.

Does anyone have any information on what changes to AADConnect are required in order to get SSO for AAD devices back to on-premises resources?

azure-ad-connect

Hi @BenWosjke-0694,

I am with you, that this part misses quite some documentation.

As far as I know, it works like this:

  • When you synchronize users from on-prem AD to AAD (aka hybrid environment), the information about the on-prem AD domain is retained in the AAD user record.

  • When you access an on-prem AD application, the credential manager realizes that there is no TGT and will contact a DC of that domain to get one.

However, I have no clue how/which credential is used to finally get the TGT. The cleartext password should not be available on the client anymore ...

I hope that this at least helped you with your original question.

Greetings,
Tobias



1 Vote
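The comment above says that the on-prem domain information is retained in the AAD user record once Azure AD Connect has synced it. The following script is an added example (not part of this thread and not Microsoft's own code) that reads those attributes back through Microsoft Graph so you can confirm a given account actually carries an on-prem domain name and SID. It assumes the Microsoft.Graph.Users module is installed, that the signed-in admin can consent to User.Read.All, and that the UPN `jane.doe@contoso.com` is a placeholder for one of your synced users.

```powershell
# Added example: show what Azure AD Connect wrote into a synced user's cloud record.
# Assumptions: Microsoft.Graph.Users module present; User.Read.All granted;
# the UPN below is a placeholder for a user synced from on-prem AD.
Import-Module Microsoft.Graph.Users
Connect-MgGraph -Scopes 'User.Read.All' | Out-Null

$upn = 'jane.doe@contoso.com'   # placeholder, replace with a synced user

# onPremises* are the Graph properties that only exist for synced (hybrid) users.
$props = @(
    'userPrincipalName',
    'onPremisesSyncEnabled',
    'onPremisesDomainName',
    'onPremisesSamAccountName',
    'onPremisesUserPrincipalName',
    'onPremisesSecurityIdentifier',
    'onPremisesLastSyncDateTime'
)

$user = Get-MgUser -UserId $upn -Property $props
$user | Select-Object $props | Format-List

if (-not $user.OnPremisesSyncEnabled) {
    Write-Warning "$upn is cloud-only; it has no on-prem domain or SID to present to a DC."
}
elseif ([string]::IsNullOrEmpty($user.OnPremisesSecurityIdentifier) -or
        [string]::IsNullOrEmpty($user.OnPremisesDomainName)) {
    Write-Warning "$upn is synced but lacks an on-prem SID or domain name; check the Azure AD Connect attribute flow."
}
else {
    '{0} maps to {1}\{2} (SID {3}); last synced {4}' -f $upn,
        $user.OnPremisesDomainName, $user.OnPremisesSamAccountName,
        $user.OnPremisesSecurityIdentifier, $user.OnPremisesLastSyncDateTime
}
```

A cloud-only account (onPremisesSyncEnabled empty or false) has nothing a domain controller can match against, so the check is worth running before chasing device-side settings.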

That's much closer.

Basically what I'm hearing is that the line in the document

"Azure AD joined devices have no knowledge about your on-premises AD environment because they aren't joined to it. However, you can provide additional information about your on-premises AD to these devices with Azure AD Connect."

is incorrect, and that no further configuration is required to get accounts that are synced via AADConnect to SSO to on-premises resources, even when the device is AAD (not AD) joined.

I have tested this in my environment, but I always like to know how it is meant to work according to the doco. It just makes it tough when the doco is wrong!

Anyway, rant over, thanks for the answer.


0 Votes
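The asker says they tested SSO from an AAD-joined device against on-prem resources. For anyone wanting to repeat that test, the script below is an added example (not from this thread) that checks the three things the page's scenario depends on from the device side: the join and PRT state reported by `dsregcmd /status`, line of sight to a domain controller via `nltest /dsgetdc`, and whether the signed-in user's Kerberos ticket cache holds a TGT for the on-prem realm. The domain name `corp.contoso.com` is a placeholder; the `OnPremTgt` field only appears on newer Windows builds, so it is reported as `n/a` where absent.

```powershell
# Added example: run as the signed-in user on an Azure AD joined Windows device.
# Assumption: corp.contoso.com is a placeholder for your on-prem AD DNS name.
param(
    [string]$DomainName = 'corp.contoso.com'
)

# 1. Join and PRT state. dsregcmd prints "Key : Value" lines; collect them into a hashtable.
$dsreg = @{}
dsregcmd /status | ForEach-Object {
    if ($_ -match '^\s*(\S+)\s*:\s*(.*?)\s*$') { $dsreg[$matches[1]] = $matches[2] }
}
'AzureAdJoined', 'DomainJoined', 'AzureAdPrt', 'OnPremTgt' | ForEach-Object {
    $value = if ($dsreg.ContainsKey($_)) { $dsreg[$_] } else { 'n/a' }
    '{0,-14} {1}' -f $_, $value
}
if ($dsreg['AzureAdJoined'] -ne 'YES') { Write-Warning 'Device is not Azure AD joined.' }
if ($dsreg['AzureAdPrt']    -ne 'YES') { Write-Warning 'No Azure AD PRT for this user; sign in again and re-check.' }

# 2. Line of sight: can the device locate a DC for the on-prem domain, and is port 88 open?
$dc = nltest "/dsgetdc:$DomainName" 2>&1
if ($LASTEXITCODE -ne 0) {
    Write-Warning "No DC reachable for $DomainName (nltest exit $LASTEXITCODE): $($dc -join ' ')"
}
else {
    $dcName = $dc | Where-Object { $_ -match '^\s*DC:\s*\\\\(\S+)' } |
              ForEach-Object { $matches[1] } | Select-Object -First 1
    "DC located: $dcName"
    Test-NetConnection -ComputerName $dcName -Port 88 |
        Select-Object ComputerName, RemotePort, TcpTestSucceeded
}

# 3. Kerberos: filter klist on the on-prem realm so a cloud TGT
#    (krbtgt/KERBEROS.MICROSOFTONLINE.COM) is not mistaken for an on-prem one.
$realm = $DomainName.ToUpper()
$tgt = klist | Where-Object { $_ -match "krbtgt/$([regex]::Escape($realm))" }
if ($tgt) {
    "On-prem TGT present:"
    $tgt
}
else {
    Write-Warning "No TGT for $realm yet. Access an on-prem resource (e.g. dir \\fileserver\share) and run klist again."
}
```

Save it as a `.ps1` and run it once before and once after touching an on-prem share: the TGT is requested lazily, so an empty ticket cache before the first access is expected and is not by itself a sign that SSO is broken.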

1 Answer

ManuPhilip answered:

Hi @BenWosjke-0694 ,

In order to connect AAD-joined devices to on-premises AD and to establish SSO, run the Directory Synchronization wizard and Azure AD Connect. Check the link below for more details on setting up Azure AD Connect.

https://docs.microsoft.com/en-us/office365/enterprise/set-up-directory-synchronization


Please mark as "Accept the answer" if the above steps help you. Others with similar issues can also follow the solution as per your suggestion.

Regards,

Manu


I don't understand why you would post that? That doesn't get anywhere near answering my question.

So is it your assertion that the document is wrong?
No further configuration is required in AADConnect in order to get SSO for AAD-joined devices to on-premises infrastructure?

0 Votes

Hi,
Sorry to see that my response didn't help you. I was trying to help you sync your on-premises AD with Azure AD. That will enable SSO across both infrastructures for all member devices. Microsoft provides the Azure AD Connect tool to establish that.
If it didn't help, I hope someone else can help you soon here.

Regards,
Manu

0 Votes