Single Sign On | What it is How it works Why you need it

  • Published 22 Jan 2025

COMMENTS • 78

  • @itips4021 3 years ago +3

    Excellent video - quick yet detailed! Other SSO videos seem to imply all you got to do is run AD Connect ... click-click ... & that's it - job done! 👍

    • @AzureAcademy 3 years ago +1

      Yup there is a lot that goes into it ☺️👍

  • @shyinylu 4 years ago +2

    9:07 I am already familiar with all of this Kerberos rollover but how do you actually automate it? Is there any other way of doing so besides storing the actual domain admin and global admin credentials in a script file to pass them into a script?

    • @AzureAcademy 4 years ago +2

      great question @shyinylu the answer depends on your tools and skills.
      1. You can use PowerShell as an automated task like I showed.
      2. Azure Automation Account running a PowerShell Runbook
      3. Azure DevOps with a Pipeline with trigger
      you can also store those admin creds in Azure KeyVault so you don't have to type them in and they are stored securely

  • @denniswesterman 4 years ago +2

    Is it possible to connect sso in a wvd with aads?

    • @AzureAcademy 4 years ago +3

      great question...in the Classic model of WVD...YES, in the ARM model not yet.
      It was working but we found some issues in the code so it is being updated ...should be available soon

    • @denniswesterman 4 years ago +2

      @AzureAcademy Thank you for your answer.
      Do you have some "how to" docs for the classic?
      When I look back at the above video I don't understand how I can apply it in the WVD classic environment.

    • @AzureAcademy 4 years ago +3

      WVD depends on Azure AD for the type of logins. So if you set up things as I showed today it should just work in WVD classic. If you have all of that and it isn't working you may need ADFS...I will look for the info and post it if I can find it.

  • @husseinabdelmalik5025 4 years ago +5

    Amazing work, thank you so much.
    Could you please, if possible, make a series of Azure DevOps?

    • @AzureAcademy 4 years ago +4

      thanks @Hussein we have a DevOps series in the works now...stay tuned

    • @tandonanmol 4 years ago +1

      @AzureAcademy We are also waiting for the Kubernetes series 😛. I am guessing that would be a part of the DevOps series?

    • @AzureAcademy 4 years ago +3

      The K8Series is something I am working on with Phil Gibson who did our Open Service Mesh video. He has been tied up with other things due to Ignite...I am hoping to sync with him to get more on AKS very soon...but I am sure there will be a DevOps tie in...stay tuned!

  • @LV13619 1 year ago +1

    what does the GPO setting "Allow updates to status bar via script" do exactly and why is it needed?

    • @AzureAcademy 1 year ago +1

      Where did you see that?

    • @LV13619 1 year ago +1

      @AzureAcademy In your video itself at 05:25 mins

    • @LV13619 1 year ago +1

      @AzureAcademy also, what's the use and need for the registry shown in your video at 05:32 mins

    • @AzureAcademy 1 year ago +1

      This is a browser policy when you access a site that is in this single site zone.
      This policy setting allows you to manage whether script is allowed to update the status bar within the zone.
      It is needed for SSO to do everything it needs to function

    • @AzureAcademy 1 year ago +1

      The registry setting enables SSO over SSL

  • @sethzwicker3631 4 years ago +3

    Can you, when ready, do a video on the new Azure AD Cloud provisioning Agent? I'm curious to see how that works and if it's intended to augment or replace the ADConnect application we install now. Thanks!

    • @AzureAcademy 4 years ago +3

      I will take a look at it...stay tuned!

  • @sreezworldz 3 years ago +1

    Simply learned hard topics. You're the perfect presenter, loved it. Subscribed ❤❤❤

    • @AzureAcademy 3 years ago +1

      Thanks very much! 👍☺️😎

  • @fbifido2 2 years ago +1

    How to enable SSO for AAD & AADDS in Azure Cloud VM?
    I don't have AD outside or inside the cloud nor any sync app.

    • @AzureAcademy 2 years ago +2

      There is no method in Azure AD that will give you SSO in AADDS, however…I’m not sure this will work because you have limited GPO control in AADDS, but you may be able to use GPO to make it work for applications
      Watch this video at 4:35
      The other method is for SSO to get onto a VM you could use Azure AD credentials for that
      Watch this 👉 ua-cam.com/video/rUwmkLreb08/v-deo.html

  • @yogesham3997 4 years ago +4

    Excellent content and please do some videos on Azure AD application proxy basics and working on different SSO.

    • @AzureAcademy 4 years ago +3

      That is 4 votes for Azure AD App Proxy...I'm working on it...stay tuned!

  • @frankanderson5379 4 years ago +1

    A great use case for implementing SSO is no auth prompt for M365 Apps within your WVD session hosts.

    • @AzureAcademy 4 years ago +1

      Thanks Frank! Do you have a link to the M365 side of that setup process?

  • @xDavidxG 1 year ago +1

    Hello Dean, I hope you are doing well. I'm not sure whether anything has changed on the single sign on when it comes to the local applications, such as outlook, teams, onedrive, etc, when utilizing Azure AD Connect on an AVD Environment. I reviewed the Entra Seamless SSO, on the key features it outlines the following:
    Great user experience
    Users are automatically signed into both on-premises and cloud-based applications.
    Users don't have to enter their passwords repeatedly.
    I'm thinking this may work for the local apps, or not sure what "on-premises" may be referring to. Looking to review options on this to provide a more efficient experience when setting up users on the environments, as well as ongoing management.

    • @AzureAcademy 1 year ago +1

      For AVD there are different SSO options and methods. Watch this ua-cam.com/video/_PrgdDH1oB4/v-deo.htmlsi=zG-NoJI5VxbxwdUF

  • @UdayVaswani 4 years ago +1

    Hi Sir,
    Can you help us with WVD with only Cloud only setup and all such with only cloud-only setup as we are a startup?

    • @AzureAcademy 4 years ago +2

      very cool! As a cloud only group you still have to choose if you will have a "traditional domain controller" running on a VM in the cloud or if you will use Azure AD Domain Services.
      Here is my Azure AD DS video so you can see what it looks like - ua-cam.com/video/Uayv69FZlyI/v-deo.html

  • @kabookeo 2 years ago +1

    Excellent explanation. Thank you!

  • @ThePatsev 2 years ago +1

    When SSO is enabled, is Outlook going to ask for a password when it's launched for the first time? Or does it take the identity from the Windows login?

    • @AzureAcademy 2 years ago +2

      Outlook does NOT get identity that way. To SSO with Office, you need a GPO to tell the office apps that they are part of m365 and have a tenant assigned

    • @ThePatsev 2 years ago +1

      @AzureAcademy Thank you!

    • @AzureAcademy 2 years ago +1

      👍☺️

  • @TheOltimator 4 years ago +2

    great stuff, thanks for the videos!

    • @AzureAcademy 4 years ago +2

      Thanks for watching @Catsten Please let me know what else you are interested in...so I can make that video for you!

  • @adeyemiakanfe7641 4 years ago +1

    This is nice content. Subscribed!

    • @AzureAcademy 4 years ago +1

      Awesome! Please share The Azure Academy with others!

  • @richardwaldron1684 4 years ago +2

    Great video as usual, thank you. One thing I'd really like you to bring your expertise and clarity to is SAML for single sign-on please - a subject that still confuses me. Cheers.

    • @AzureAcademy 4 years ago +2

      thanks @Richard...can you clarify for me what I can clarify for you 😁😜
      can you be specific on the scenario you want me to show?

  • @sethzwicker3631 4 years ago +2

    Great video. Can you please shed some light on the registry addition? I've done the GPO steps but this is the first time I've seen the registry component. How does that fit in?

    • @AzureAcademy 4 years ago +2

      it is in the official docs - docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso-quick-start#step-3-roll-out-the-feature and I have always added it when I setup SSO...
      I believe it enables the SSO magic on https sites

    • @sethzwicker3631 4 years ago +1

      @AzureAcademy I think that last option is an either/or between the registry option vs GPO. I don't think it's a 3rd step...from what I can tell.

    • @AzureAcademy 4 years ago +1

      not totally sure @Seth...I will ask the Azure AD Team and get back to you

    • @atomique90 4 years ago +1

      @AzureAcademy I was also wondering about the registry addition. If you look into the docs you linked here, they say "There are two ways to modify users' Intranet zone settings: ..." - Option 1 (GPO): Users cannot modify their own settings and Option 2: Users can modify their own settings - I just rolled out the GPO without the registry key and had no issues with SSO - docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso-quick-start#why-do-you-need-to-modify-users-intranet-zone-settings

    • @AzureAcademy 4 years ago +1

      I have always used the reg entry...but I prefer to do it with GPO so I can centrally manage it.

  • @ViggoStomsvik 4 years ago +2

    Great video! But why did you do the "Group policy" and the "Group policy preference" (Adding the Registry item in the same GPO?).

    • @AzureAcademy 4 years ago +1

      Thank you @Viggo the reason depends on how you choose to manage GPOs in your environment
      For me, I want to manage fewer policies rather than have 1 GPO per type, item or section.
      there are advantages to both so which is right for you?

  • @onexl001 4 years ago +3

    Appreciate. Awesome video. Can u please do azure app proxy video

    • @AzureAcademy 4 years ago +1

      Thank you for watching and for the suggestion...I will start working on it...stay tuned!

  • @James-sc1lz 4 years ago +1

    Very impressive. Thanks for sharing

    • @AzureAcademy 4 years ago +1

      Thank you! Let me know what other videos you are interested in me creating, Cheers!

  • @Stinger301 4 years ago +1

    Thanks for a great video. I tried the above in my environment but this did not work. I have setup password hash sync with SSO enabled. To test it rather than create a Group policy on the domain, I modified the local policy on the computer and created the registry entry. After this I was still getting prompted to use my credentials. Am I missing something? Your help would be much appreciated.

    • @AzureAcademy 4 years ago +1

      the PC you are testing from needs to be joined to your domain and needs to be able to "talk" to the domain controller to perform the token exchange. I have NOT tried this with a local policy because I want to manage everything as centrally as possible...but I assume that it should have the same effect. Does the Azure Portal show that you have setup SSO for your domain? try the kerberos key roll over to reset. If still not working I would remove it and reset it, then try again.

  • @sachithsilva3896 4 years ago +2

    Good job

    • @AzureAcademy 4 years ago +2

      thanks! let me know what other videos you are interested in...I am always looking for new ideas!

  • @prasannakumar9885 4 years ago +1

    Can you do a video on,
    Add an on-premises application for remote access through Application Proxy in Azure Active Directory

    • @AzureAcademy 4 years ago +1

      I have had a few requests for App Proxy...It is on the backlog...thanks!

  • @O2C69 3 years ago +1

    Hi, Love the video, am looking at implementing SSO via Azure AD connect for enterprise applications for office 365, MS Teams, Sharepoint, Outlook, Onedrive. Currently using adfs farm and moving datacentres. Am looking to move SSO to Azure in a simple manner and remove adfs.
    To change the way domain users sign-on do I just run Azure AD Connect and follow instructions in this video and select 'Passthrough with Single Sign-on' and add multiple agents for HA on all domain controllers and remove private & public dns records referencing adfs farm. Please
    Would Passthrough work for remote users that are connecting to the Lan via ssl-vpn?, if yes what happens if they are not, what solution if the user is not connected to ssl-vpn?
    Awaiting your good response.

    • @AzureAcademy 3 years ago +2

      In general yes… However, because you have ADFS in your environment using SSO, I would look at exactly what ADFS is doing to be sure that all of those will work then make your cut over

    • @O2C69 3 years ago +1

      @AzureAcademy
      Thank you for your response,
      How do I find out the cloud applications that are being used in adfs for SSO?
      Also I looked into this further and my organisation is using password hash in AAD Connector & adfs for Microsoft 365 apps - E3, E5 licenses but not sure of any other cloud apps being used, so I believe I just need to use password hash & SSO, I need to re-run AAD Connector & set the settings & have a secondary AAD Connector as staging mode.
      To do an initial test I would add a testing group in Azure AD as staged roll-out and see if this works in the LAN & SSL-VPN.
      Do I need to do any other configuration for users e.g. Browser & Registry settings or is this just for using Passthrough & SSO requirement?
      Please Advise.
      Merry Xmas.

    • @AzureAcademy 2 years ago +1

      +office 2crazy pass through will send authentication requests when you sign into Azure to your domain controller, it doesn’t matter if they are on your VPN or not.

  • @Jay_1509 3 years ago +1

    Thank you sir for the video. We have an application hosted in an Azure VM and have a requirement to do SSO for that application in the VM. Please can you let me know how we can do it? Please provide any reference.

    • @AzureAcademy 3 years ago +2

      If the VM needs SSO then…how are you logging into the VM? Is the account a local account, AD account or Azure AD Account?

    • @Jay_1509 3 years ago +1

      @AzureAcademy Hi, thanks for the reply. First of all I am a bit confused if SSO configuration for an application in an Azure VM is possible or not.
      The user will access the application from outside of the VM. The application is completely in a cloud VM (no onprem). Please advise.

    • @AzureAcademy 3 years ago +1

      I think you may be confusing this feature with something else.
      This is a single sign on with Azure AD and Active Directory.
      There is another feature that allows you to sign in from an Azure AD Joined laptop to an Azure VM USING ONLY AZURE AD watch this and tell me if this is what you are looking for
      ua-cam.com/video/rUwmkLreb08/v-deo.html

  • @JohnCochraneUK 2 years ago +1

    Great content. However could I suggest you remove the "Azure Academy" banner in the top left corner. It often blocks important detail.

    • @AzureAcademy 2 years ago +1

      Thank you John for your feedback. I do try to make sure that the url, if it is important is in the video description so you can easily get to it. So thank you for helping me to improve, very appreciated.

  • @jackgleeson8321 4 years ago

    nice video

    • @AzureAcademy 4 years ago

      Thanks for the visit...let me know what other videos you are interested in

    • @jackgleeson8321 4 years ago

      @AzureAcademy I would really like to know the new pathway to certification with Azure as Microsoft is changing it?

    • @AzureAcademy 4 years ago

      they are only kinda changing it...Removing the non-cloud stuff and going all in on Azure. So look for the AZ exams in general and also for specialties.

    • @jackgleeson8321 4 years ago +1

      @AzureAcademy Are Microsoft changing the Azure certification to role based Azure certs?

    • @AzureAcademy 4 years ago +1

      I think that is correct to say.