Great content in all your videos I've watched so far. Would love a follow up vid on sso that covers enterprise applications, app registration and using sso with third party sites.
You know, to be honest, I meant to include that at the end of this video. However, I produced the video and I realised that I forgot to do it 😳 so yes is the answer. I will follow up this video with that in due course.
Probably the best explanations available. I watched a video on SSO from the king of computer networking, Mr. David Bombal, and it was one of a kind; this one from Mr. Andy Malone is another awesome one.
Glad it was helpful!
Dear Mr. Malone, You're the tops. Thank you again.
I wish I could get SSon as a single user.
Respectfully, NHG
The easiest way to do this for a single user is create a cloud account. Then do a school and work place join in windows 11 and login with your Microsoft Azure ID account. That’s it! That’s single sign on
Hi Andy, You are awesome.
Aw thanks so much😊
wow, it's one of the best explanations I've seen so far!
great channel, with structualized content
Discovered you earlier today. I've already learned a few things from your videos! Thanks so much!!
You’re very welcome. And great to have you on board 👍
Great Video presentation Andy
You're the best Andy. Thank you
YESSSSSS - I love it. Thanks Andy
Andy (et all), what is the best community, (preferably FB or another gui app), to share ideas, ask questions, and learn from each other, (aside from reddit)? I'm part of a very small group of 3 Sysadmins, we are essentially an MSP, and I feel we're quite behind in some areas. Your videos are helping! :)
Thanks for your kind words and I’m delighted that my channel is of help to you 👍
Thank you for efforts and for your availability
Hi Andy. Your explanations are very well thought out and easy to understand. I have a question related to SSO within the cloud. I am wondering how to configure SSO if I have everything in the cloud. that is, Azure AD and Azure virtual desktops. I need to ensure that the user who connects using remote desktop is not asked for a password when trying to open Outlook. Is it possible to configure, and do I need for that Azure AD connect tool, or it should be done in other way?
Users simply log in with their MS 365 account. They're already in SSO.
@@AndyMaloneMVP I think this happened because the option with AD was initially chosen and not Azure AD when creating the virtual machines. Afterwards I tried to add an extension for Azure AD, but I couldn’t transfer the virtual machine from AD to Azure AD. So now I am wondering how I can do that?
@@levonmusic4086 reset the machine and remove it from AD
Great vid Andy, you rock!
Thank you Andy! Very good explanation, and frustrating that Transdev, where I work, is using ADFS.
Glad it was helpful!
awesome stuff.
Do we need to run multiple instances of AD Connect if we are an Enterprise customer spanning globally.
Generally no, but you may wish to consider using MIM or Microsoft Identity Manager.
Hi Andy, in a corporate setup with almost 1000 users, would you prefer to use Password Hash or Passthrough? For Passthrough we would need at least 2 passthrough servers with the agent installed. For Password Hash we would just need Azure AD Connect. Why choose one or the other? Thanks for all your great demos, I have watched almost all of them for a long time now :)
Azure AD connect Cloud Sync now supports the install of multiple agents that support both PHS & PTA + SSO 😊👍
Thanks for an excellent walk-though. With this configuration, if MFA is enabled in Azure AD, is the user prompted for a second auth method at Windows login?
Windows hello, would take care of that
@@AndyMaloneMVP Thanks Andy!
Hi Andy, thank you for the information.
we company now get rid of the AD server and migrated all users/computers to Azure AD environment now. So, how I can set to use the single sign-on? is it possible for SSO without local AD and AD Connect?
Once you authenticate to Azure AD you’re already using SSO. Ensure that your Windows 11 machines are school & workplace joined to Azure AD👍
Dear Sir. Thank you for your great videos.
At the UPN page I can see you’re having both the local admin and the Azure ID. However, in my test VM I followed your steps from this and find only the local admin ID but not the Azure ID. Did it twice with the same results. What do you think I am doing wrong, Sir? I continued anyway and the SSO doesn't work.
Are you on a Windows client machine or a Windows server? If it’s a Windows client machine you simply have to do a school and workplace join. Ensure that you join Azure Active Directory. If it’s a server, then you have to have domain admin rights. You would then need to deploy Azure AD Connect. I have a number of other videos in my identity playlist that might help. The UPN, or user principal name, refers to the domain name that you’re using. In my demo I’m just using an internal onmicrosoft.com domain name. In reality, however, you would have registered your own domain name. I hope this helps, and for more information I would check out docs.microsoft.com or visit the Microsoft Tech Community for further support and reading. Thanks for watching and all the best, Andy.
Hi.
15:02 - please tell, why all your AD users are disabled? This would be a catastrophe in real production environment. :)
Regards,
Andrej
It’s normal behaviour. When you first sync users from Active Directory, it disables them and they sync in unlicensed. You would need to assign a license to the users and then enable the accounts. Like I said, this is normal behaviour. Do remember that the tenant I am working on is for demo purposes and Microsoft have only given me a limited number of licenses to demonstrate. However, well noticed, and I’m glad you enjoyed the video. Thanks again.
Maybe I am blind, but where is the answer to the main question: How does SSO work?
I think you missed it. Which is strange as it’s all there👍
Thanks very much and great explanation..!!!
Very helpful video, thanks a lot!
Should this also work with AzureAD Cloud Sync? I've tested (local domain user account which is synced to AzureAD) on a domain joined W10. When opening any local Office software like Word, Excel, Outlook, Teams it's asking for user name and password. What needs to be done to make this work without entering user name and password?
Azure AD cloud sync only supports password Hash sync at the moment. However, if necessary, it can be upgraded to Azure AD connect.
@@AndyMaloneMVP Does this mean that Azure AD Cloud Sync can't be used if we want to have the user being automatically signed in into Word, Excel, Outlook, Teams etc?
@@sersn3288 It'll work 🙂
Is there a possibility to explain migrating SSO flows on the NAM to Azure?
I’ll add it to my list
Hello and thanks for the tutorial. I am struggling to get SSO to work on my domain, but it does not. My local domain name is different from Azure domain name. Maybe this is the issue? Does the local domain name needs to be verified in Azure AD/Custom domains?
In most cases, DNS is the problem here. Check out learn.microsoft.com and look through the DNS articles and videos for single sign on. Good luck and I wish you well.
Hi Andy, .. great content ! - What if you have all your users in Azure AD and want to add a local server. Can the Azure AD users be syncronized to the local server, so you can share folders on the local server with selected users from the Azure AD?
My question to you is: what is on the server? If it’s files, why don’t you just migrate them to SharePoint document libraries or OneDrive for Business? If it’s an app, you could use a web proxy to gain access to the application. Either way, don’t look back in terms of technology; look for a way forward. That’s my advice, thanks again.
@@AndyMaloneMVP Thanks for your answer, and of course you are right: a full migration to SharePoint/OneDrive is by far the best solution. The problem is that we still have a number of customers that run older accounting systems (Navision, C5, Komit, ...) and other “old-school” server-based software. I’m sure these systems will eventually be migrated to a cloud-based solution, but until then it would be nice to be able to join an MS Server 2022/19 to Azure AD (like you join Win10/11) and then share folders with users from Azure AD.
@@peterkorsbjerg1557 Let’s hope so, Peter. You can always migrate the data to SharePoint and map a network drive to the content. That would remove the need for file servers on premises and would ensure that the data is always available. Just an idea 😊
@@AndyMaloneMVP @Peter Korsbjerg I would move all staff files to SharePoint and map drives, but for the support of applications I would create a local/Azure server with Terminal Services and run their legacy apps from that. You set up an RDP gateway with the option of full RDP or a RemoteApp (just the application). You then either edit the file that this process creates to pass through the local user's mapped drives, or map the drives when they log on to the TS server session.
Hi, and apologies if you already mentioned this in the video (in under 2 min), but I wanted to ask. When we are already logged in to SSO using the front end, and the front end hits a service on the backend, are we passing user info into the backend?
I’m asking because I would like to learn who initiated the call.
Think about when you log into a website and it asks you if you want to use your Microsoft credentials. You say yes. It shows what attributes it's accessing, i.e. email address, name etc. It’s the same principle with an app. If it’s set up to accept your SSO then it will pass the request through. 👍😊
@@AndyMaloneMVP I’m a bit new, so just a follow up..sort of.
Let’s say I have a front end. (Say. Angular) then a Java backend, rest api.
If user is already logged in, and clicks a button (to call the api)… how can I pass the username to the backend? Is that thru header?
So the backend would know.
Apologies if my question doesn’t make much sense, thank you for replying btw
@@Cons2911 sorry I’m not a dev so I can’t help here. Check out learn.Microsoft.com or support.Microsoft.com
@@AndyMaloneMVP oh ok, no worries sir. I do appreciate the time. Thanks
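The front-end/back-end question in the thread above is left open, so here is how it is normally answered in practice. This is an added example, not code from Andy or the video: after SSO the identity provider has already issued the front end a signed access token, and the front end sends that token, not a bare username, in the `Authorization: Bearer` header; the backend validates the signature, audience and expiry and only then reads the user from the token's claims. The Microsoft identity platform signs its tokens with RS256 and they should be validated with a JWT library against the tenant's published signing keys; the HS256 shared-secret signing below is a stand-in so the block runs on the standard library alone. The key, audience, claim values and `backend_whoami` function are all constructed for this illustration.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, key: bytes) -> str:
    """What the identity provider hands the front end at sign-in.
    HS256 stand-in for the RS256 tokens a real tenant issues."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def verify_token(token: str, key: bytes, audience: str, now: int = None) -> dict:
    """Backend-side validation: structure, algorithm, signature, audience, expiry.
    Raises PermissionError on any failure; returns the claims only when all checks pass."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise PermissionError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never let the token pick its own algorithm ("none", key confusion)
        raise PermissionError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise PermissionError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("aud") != audience:  # a token for another app must not be accepted here
        raise PermissionError("token issued for a different audience")
    if now >= int(claims.get("exp", 0)):
        raise PermissionError("token expired")
    return claims


def build_request_headers(token: str) -> dict:
    """Front end (Angular or similar): attach the SSO token as a bearer credential."""
    return {"Authorization": "Bearer " + token}


def backend_whoami(headers: dict, key: bytes, audience: str, now: int = None) -> str:
    """Backend (Java REST API or similar): the caller's identity comes from the validated
    token's claims. A plain 'X-User' style header is never consulted because anyone can set it."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        raise PermissionError("no bearer token")
    claims = verify_token(auth[len("Bearer "):], key, audience, now)
    return claims["preferred_username"]


if __name__ == "__main__":
    # Constructed demo values, not real tenant data.
    key, aud, now = b"shared-secret-for-the-example", "api://orders-backend", int(time.time())
    token = issue_token({"sub": "0f3c-demo-guid", "preferred_username": "alice@contoso.com",
                         "aud": aud, "exp": now + 600}, key)
    print(backend_whoami(build_request_headers(token), key, aud, now))
```

The point for the original question: the header carries a token the backend can check, so "who initiated the call" is whatever the validated `preferred_username` (or `sub`/`oid`) claim says, and a forged header with no valid token is rejected outright.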
Love your content.
Any advantage to PTA over PHS? What scenario would govern each one?
PTA is safer from a cloud security standpoint, it just hands the authentication/authorization and doesn't leave any type of passwords hash in the cloud, unlike PHS.
I would have to say no actually. From a security perspective password hash sync has numerous advantages in that passwords are never replicated. You can also do full SSO with password hash sync now as well. Both of course are really designed for domain-joined clients. Personally I see this as rather backward looking, and I would honestly go for hybrid users with devices connected to Azure AD directly.
@@AndyMaloneMVP Thanks for the reply. We have hybrid users and hybrid-joined devices, so Seamless SSO + PHS feels like the way to go.
@@sireharvey absolutely this worked perfectly as well 😊
@@AndyMaloneMVP I think Microsoft has realized that on-premises AD is still going to stay with us... for a long time. That's why they have refined this "rather backward looking" functionalities.
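The PHS versus PTA exchange above turns on what actually leaves the domain controller. The block below is an added example, not Andy's code and not Microsoft's, that reconstructs the password hash sync pipeline as Microsoft Learn publicly describes it: the agent reads the user's NT hash (MD4 over the UTF-16LE password), expands it to a 64-byte UTF-16 hex string, adds a 10-byte per-user salt, runs 1000 iterations of PBKDF2-HMAC-SHA256, and ships the 32-byte result plus salt and iteration count over TLS; the cloud repeats the same steps on the submitted password at sign-in. Two details are this example's assumptions rather than documented facts: that the hex string is lower-case, and that the expanded hash is the PBKDF2 "password" with the 10 bytes as the PBKDF2 "salt". The pure-Python MD4 is included only because OpenSSL 3 builds often disable `hashlib.new("md4")`.

```python
import hashlib
import hmac
import os
import struct

PHS_ITERATIONS = 1000  # iteration count documented for password hash sync


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); needed because AD's unicodePwd is an MD4 digest."""
    mask = 0xFFFFFFFF
    F = lambda x, y, z: ((x & y) | (~x & z)) & mask
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & mask

    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)  # bit length, little-endian

    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (F, 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
        (G, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", bytes(msg[off:off + 64]))
        a, b, c, d = state
        for fn, k, order, shifts in rounds:
            for i, j in enumerate(order):
                a = rol((a + fn(b, c, d) + X[j] + k) & mask, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate the working variables
        state = [(s + v) & mask for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """The on-premises NT hash: what sits in AD and what the PHS agent reads."""
    return md4(password.encode("utf-16-le"))


def phs_protect(nt: bytes, salt: bytes) -> bytes:
    """Re-hash an NT hash the way the sync agent does before it leaves the domain.
    Hex case and the password/salt roles in PBKDF2 are this example's assumptions."""
    if len(nt) != 16 or len(salt) != 10:
        raise ValueError("expected a 16-byte NT hash and a 10-byte per-user salt")
    expanded = nt.hex().encode("utf-16-le")  # 16 bytes -> 32 hex chars -> 64 bytes
    return hashlib.pbkdf2_hmac("sha256", expanded, salt, PHS_ITERATIONS, dklen=32)


def phs_sync_record(password: str, salt: bytes = None) -> dict:
    """What the connector ships to the cloud: protected hash + salt + iteration count.
    Neither the password nor the raw NT hash is in this record."""
    salt = os.urandom(10) if salt is None else salt
    return {"hash": phs_protect(nt_hash(password), salt), "salt": salt, "iterations": PHS_ITERATIONS}


def cloud_verify(record: dict, submitted_password: str) -> bool:
    """Cloud-side sign-in check: same pipeline over the typed password, constant-time compare."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", nt_hash(submitted_password).hex().encode("utf-16-le"),
        record["salt"], record["iterations"], dklen=32)
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    # Constructed demo value, not a real credential.
    rec = phs_sync_record("Summer2024!")
    print("on-prem NT hash :", nt_hash("Summer2024!").hex())
    print("synced to cloud :", rec["hash"].hex(), "salt", rec["salt"].hex(), "iter", rec["iterations"])
    print("sign-in ok      :", cloud_verify(rec, "Summer2024!"))
```

What the example makes concrete for the thread's argument: the on-premises NT hash is directly usable for pass-the-hash against domain resources, whereas the value that is synced is a salted, iterated derivative of it that does not authenticate to anything on premises, so the two sides of the PHS/PTA debate are really weighing "a derived hash stored in the cloud" against "an on-premises agent that sees every cloud sign-in's password".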
Hi, we supply a SaaS product working with multiple companies. Can you work this solution with multiple on Prem AD?
Surely, you would be in a better position to answer this question, as I don’t know your product.😊
Hello Andy Malone, could you please help me or provide any resources on how we can implement Single Sign On in django(django-simple-sso) for multiple apps...thank you...
I recorded a video on RUclips on replying applications in Azure AD check it out. Also, docs.microsoft.com is a great resource for this type of question. If I get an opportunity yes I’ll do a video for you. It’s pretty simple though and it’s quite easy to understand. Go into enterprise applications, select an application and look at the single sign-on tab. There are also links to learning documents, and videos here as well. What works with one will typically work with all. Good luck.
@@AndyMaloneMVP Thank you for the info... actually I haven't found any video for SSO in Django with all apps residing on the Django admin page itself, so when you have time please try to make a video if possible... thanks again...
@@sbito_007 Check out docs.microsoft.com this is the main source of info here 🙂
Hello @@AndyMaloneMVP I did set up SSO with the info I have and right now I am facing a CSRF cookie error. The flow is like this: the client sends a request to the server app; the server has to generate a token at the first login of the client app and return the token to the client, but the server is giving a 403 response with the error text "CSRF cookie not set", so I tried with csrf_exempt on the server but couldn't fix it. Any idea on this? Please let me know... thank you...
@@sbito_007 great question, however, that’s bordering on consulting. I would submit your question to the Microsoft tech community. I think it’s your best way forward. Thanks again and all the best
Great Video thank you
Thanks 👍
two questions:
with a local domain - you join each pc/laptop to the domain using an Admin account, then the users can login to these pc/laptops using their domain-user accounts.
Q1:
- what if you don't have a local domain?
- what if you have a company with 100 users, and only have a laptop for each of them, and only have Microsoft 365 business pre & internet access
- your domain is now: Azure AD
- what Admin account would you use to join these laptops to Azure AD?
- Do you even need an Admin account to join them to Azure AD? & Can anyone user use another user laptop with his/her Azure AD account? (As in One-to-Many)
Q2:
-
Azure AD! You've already got full SSO. Join your users and devices directly to Azure AD. You will need Business premium if you want to manage them with Intune / Endpoint Manager though.
Hi Andy
You are a superstar
I have a question, I am adding 365 email manually to outlook
I select POP3, then enter the outgoing and incoming server
But when click on test, it fails
Do I need to update some settings for admin portal
Oh god, don’t add POP3. Add Exchange mail. Add user name and password. Outlook will do the rest (assuming you put the correct CNAME or alias name to point to outlook.com). Here’s an article: learn.microsoft.com/en-us/microsoft-365/admin/get-help-with-domains/create-dns-records-at-any-dns-hosting-provider?view=o365-worldwide
@@AndyMaloneMVP I have a client who wants to add email through POP3.
I tried to add it manually but it's not working.
Email connection for IMAP and POP is enabled.
Also in Azure AD, properties, manage security, security defaults are not enabled.
Not sure why I am not able to add 365 email manually.
@@tattipaishaab1854 POP3 is a legacy protocol that is being turned off and will not be supported by M365, as it does not support multi-factor authentication.
@@AndyMaloneMVP thanks a lot again
Always helpful. Thanks.
Thanks
thx