Using single sign-on with cloud sync
The following document describes how to use single sign-on with cloud sync.
Steps to enable Single Sign-on
Cloud provisioning works with Single Sign-on. Currently there is not an option to enable SSO when the agent is installed, however you can use the steps below to enable SSO and use it.
Step 1: Download and extract Azure AD Connect files
- First, download the latest version of Azure AD Connect
- Open a command prompt using Administrative privileges and navigate to the msi you just downloaded.
- Run the following:
msiexec /a C:\filepath\AzureADConnect.msi /qb TARGETDIR=C:\filepath\extractfolder
- Change filepath and extractfolder to match your file path and the name of your extraction folder. The contents should now be in the extraction folder.
Step 2: Import the Seamless SSO PowerShell module
- Download, and install Azure AD PowerShell.
- Browse to the
Microsoft Azure Active Directory Connectfolder which should be in the extraction folder from Step 1.
- Import the Seamless SSO PowerShell module by using this command:
Step 3: Get the list of Active Directory forests on which Seamless SSO has been enabled
- Run PowerShell as an administrator. In PowerShell, call
New-AzureADSSOAuthenticationContext. When prompted, enter your tenant's global administrator credentials.
Get-AzureADSSOStatus. This command provides you with the list of Active Directory forests (look at the "Domains" list) on which this feature has been enabled.
Step 4: Enable Seamless SSO for each Active Directory forest
Enable-AzureADSSOForest. When prompted, enter the domain administrator credentials for the intended Active Directory forest.
The domain administrator credentials username must be entered in the SAM account name format (
contoso.com\johndoe). We use the domain portion of the username to locate the Domain Controller of the Domain Administrator using DNS.
The domain administrator account used must not be a member of the Protected Users group. If so, the operation will fail.
Repeat the preceding step for each Active Directory forest where you want to set up the feature.
Step 5: Enable the feature on your tenant
To turn on the feature on your tenant, call
Enable-AzureADSSO -Enable $true.