Support for Microsoft Entra ID (Active Directory) Single Sign-on

Management Console supports Active Directory (Microsoft Entra ID) Single Sign-On. The support for Single Sign-On using Microsoft Entra ID (formerly Azure AD) unburdens users from having to memorize credentials for different apps or reusing weak passwords, increasing the risk of a data breach.

About Microsoft Entra ID (formerly Active Directory) Single Sign-On

Single sign-on is an authentication method that allows users to sign in using one set of credentials to multiple independent software systems.

Using SSO means a user doesn't have to sign in to every application they use. With SSO, users can access all needed applications without being required to authenticate using different credentials. For a brief introduction, see the Azure Active Directory single sign-on white paper.

Prepare Management Console for SSO

  1. Create an administrator account on Organization > Administrators with the email address of your Entra ID administrator.
  2. Grant the administrative account required permissions. This step is mandatory to use SSO.

To log into Management Console using your Microsoft Entra ID (formerly Active Directory) credentials, click the Microsoft icon below the login and password fields and proceed with Microsoft Authentication using your Active Directory account credentials.

Single Sign-on Options

Choosing an SSO method depends on how the application is configured for authentication. Cloud applications can use federation-based options, such as OpenID Connect, OAuth, and SAML. The application can also use password-based SSO, linked-based SSO, or SSO can be disabled.


When you set up SSO to work between multiple identity providers, it's called federation. An SSO implementation based on federation protocols improves security, reliability, end-user experiences, and implementation.

With federated single sign-on, Microsoft Entra ID (formerly Azure AD) authenticates the user to the application by using their Microsoft Entra ID (formerly Azure AD) account. This method is supported for SAML 2.0, WS-Federation, or OpenID Connect applications. Federated SSO is the richest mode of SSO. Use federated SSO with Microsoft Entra ID (formerly Azure AD) when an application supports it, instead of password-based SSO and Active Directory Federation Services (AD FS).

There are some scenarios where the SSO option isn't present for an enterprise application. If the application was registered using App registrations in the portal, then the single sign-on capability is configured to use OpenID Connect and OAuth by default. In this case, the single sign-on option won't appear in the navigation under enterprise applications.

Single sign-on isn't available when an application is hosted in another tenant. Single sign-on is also not available if your account doesn't have the required permissions (Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal). Permissions can also cause a scenario where you can open a single sign-on but won't be able to save.


On-premises applications can use a password-based method for SSO. This choice works when applications are configured for Application Proxy.

With password-based SSO, users sign in to the application with a username and password the first time they access it. After the first sign-on, Microsoft Entra ID (formerly Azure AD) provides the username and password to the application. Password-based SSO enables secure application password storage and replay using a web browser extension or mobile app. This option uses the existing sign-in process provided by the application, enables an administrator to manage the passwords, and doesn't require the user to know the password. For more information, see Add password-based single sign-on to an application.


Linked sign-on can provide a consistent user experience while you migrate applications over a period of time. If you're migrating applications to Microsoft Entra ID (formerly Azure AD), you can use linked-based SSO to quickly publish links to all the applications you intend to migrate. Users can find all the links in the My Apps or Microsoft 365 portals.

After a user has authenticated with a linked application, an account needs to be created before the user is provided single sign-on access. Provisioning this account can either occur automatically, or it can occur manually by an administrator. You can't apply conditional access policies or multifactor authentication to a linked application because a linked application doesn't provide single sign-on capabilities through Microsoft Entra ID (formerly Azure AD). When you configure a linked application, you're simply adding a link that appears for launching the application. For more information, see Add linked single sign-on to an application.


When SSO is disabled, it isn't available for the application. When single sign-on is disabled, users might need to authenticate twice. First, users authenticate to Microsoft Entra ID (formerly Azure AD), and then they sign in to the application.

Disable SSO when:

  • You're not ready to integrate this application with Microsoft Entra ID (formerly Azure AD) single sign-on
  • You're testing other aspects of the application
  • An on-premises application doesn't require users to authenticate, but you want them to. With SSO disabled, the user needs to authenticate

| Top |