Support for Azure Active Directory Single Sign-on
As of Management Console 6.4.5, the Azure Active Directory Single Sign-On is supported. The support for Single Sign-On using Azure AD unburdens users from having to memorize credentials for different apps or reusing weak passwords, increasing the risk of a data breach.
To log into Management Console using your Azure AD credentials, click the Windows icon below the login and password fields.
About Azure Single Sign-On
Single sign-on is an authentication method that allows users to sign in using one set of credentials to multiple independent software systems.
Using SSO means a user doesn't have to sign in to every application they use. With SSO, users can access all needed applications without being required to authenticate using different credentials. For a brief introduction, see the Azure Active Directory single sign-on white paper.
Many applications already exist in Azure AD that you can use with SSO. You have several options for SSO depending on the needs of the application and how it's implemented. Take time to plan your SSO deployment before you create applications in Azure AD. The management of applications can be made easier by using the My Apps portal.
Single Sign-on Options
Choosing an SSO method depends on how the application is configured for authentication. Cloud applications can use federation-based options, such as OpenID Connect, OAuth, and SAML. The application can also use password-based SSO, linked-based SSO, or SSO can be disabled.
When you set up SSO to work between multiple identity providers, it's called federation. An SSO implementation based on federation protocols improves security, reliability, end-user experiences, and implementation.
With federated single sign-on, Azure AD authenticates the user to the application by using their Azure AD account. This method is supported for SAML 2.0, WS-Federation, or OpenID Connect applications. Federated SSO is the richest mode of SSO. Use federated SSO with Azure AD when an application supports it, instead of password-based SSO and Active Directory Federation Services (AD FS).
There are some scenarios where the SSO option isn't present for an enterprise application. If the application was registered using App registrations in the portal, then the single sign-on capability is configured to use OpenID Connect and OAuth by default. In this case, the single sign-on option won't appear in the navigation under enterprise applications.
Single sign-on isn't available when an application is hosted in another tenant. Single sign-on is also not available if your account doesn't have the required permissions (Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal). Permissions can also cause a scenario where you can open a single sign-on but won't be able to save.
On-premises applications can use a password-based method for SSO. This choice works when applications are configured for Application Proxy.
With password-based SSO, users sign in to the application with a username and password the first time they access it. After the first sign-on, Azure AD provides the username and password to the application. Password-based SSO enables secure application password storage and replay using a web browser extension or mobile app. This option uses the existing sign-in process provided by the application, enables an administrator to manage the passwords, and doesn't require the user to know the password. For more information, see Add password-based single sign-on to an application.
Linked sign-on can provide a consistent user experience while you migrate applications over a period of time. If you're migrating applications to Azure AD, you can use linked-based SSO to quickly publish links to all the applications you intend to migrate. Users can find all the links in the My Apps or Microsoft 365 portals.
After a user has authenticated with a linked application, an account needs to be created before the user is provided single sign-on access. Provisioning this account can either occur automatically, or it can occur manually by an administrator. You can't apply conditional access policies or multifactor authentication to a linked application because a linked application doesn't provide single sign-on capabilities through Azure AD. When you configure a linked application, you're simply adding a link that appears for launching the application. For more information, see Add linked single sign-on to an application.
When SSO is disabled, it isn't available for the application. When single sign-on is disabled, users might need to authenticate twice. First, users authenticate to Azure AD, and then they sign in to the application.
Disable SSO when:
- You're not ready to integrate this application with Azure AD single sign-on
- You're testing other aspects of the application
- An on-premises application doesn't require users to authenticate, but you want them to. With SSO disabled, the user needs to authenticate
| Top |