by Kevin Griffith
Technical Account Manager, E-N Computers
4+ years providing IT strategy and IT support
Once your users are synchronized to Microsoft 365, they’ll be able to log in with the same username and password that they use at work. But, to make things even easier for your users, you can enable Seamless Single Sign-On (SSO). Seamless SSO automatically signs users into Microsoft 365 using their on-prem Active Directory credentials, meaning that they won’t be repeatedly asked for their password by Microsoft 365 once they’ve signed in to their work computer.
To enable SSO, you’ll need to have set up Entra Connect and synchronized your users to Microsoft 365, using either Password Hash Sync or Pass-through Authentication. Once that’s set up, though, it’s just a few quick steps to enable SSO and make life easy for your users.
Activate Single Sign-On for Microsoft 365
Log on to your Entra Connect sync server and open Entra Connect. Click Change User Sign-in, then click Next. Continue clicking Next until you reach the “Enable single sign-on” page. From there, you’ll need to provide domain admin credentials for your local AD domain in order to enable SSO (don’t worry — the credentials aren’t stored, they’re only used for the setup process).
After you’ve done that, go ahead and log in to the Entra admin center. Go to Identity > Overview > Entra Connect, or type “Entra Connect” into the search box. Under “User sign-on”, you should see “Seamless single sign-on” listed as Enabled.
Adjust Local Intranet Zone
Next up, you’ll need to adjust your domain’s Group Policy to add the Entra SSO URL to the Local Intranet zone. This tells Internet Explorer, Edge, and Chrome that it’s OK to pass the user’s Kerberos ticket to Microsoft 365, since by default this is only allowed for websites that are internal to your network.
First, open Group Policy Management Editor as a user that has rights to edit your domain GPO. Then, create a new Group Policy that applies to the group of users for whom you would like to enable SSO.
Browse to User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page, and then select Site to Zone Assignment List.
In the dialog box, enter the following:
- Value Name: https://autologon.microsoftazuread-sso.com
- Value (Data): 1
1 is the value that corresponds to the Intranet Zone in IE settings. Click OK twice, then browse to User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone.
There, locate the setting Allow updates to status bar via script and enable it. Click OK a few times, then close out of Group Policy Management.
Test It Out
Log out and back in, or run gpupdate to refresh Group Policy. Then, open up Internet Explorer or Edge, and browse to https://myapps.microsoft.com/yourdomain.com, where yourdomain.com is your Microsoft 365 domain. At that point, you should be seamlessly signed in, and presented with a list of Microsoft 365 apps available to you.
If your users browse to https://myapps.microsoft.com/ with no domain, they’ll need to enter their username in the form username@yourdomain.com. This will redirect them to your domain sign-in page, at which point SSO will take over to log them in. And of course if they’re on a computer outside your domain, they can log in using their domain username and password too.
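If the seamless sign-in does not happen, the following PowerShell check (an added example, not part of the original article) confirms on a client whether the two Group Policy settings from the previous section have applied, and lists every other site the policy places in the Intranet zone, since browsers may pass the user's Kerberos ticket to those sites as well. The registry paths, the value name 2103 and the function name are assumptions that do not appear in the article.

```powershell
# Added example: run as the signed-in user on a domain-joined client after Group Policy refresh.
# The registry paths and the value name 2103 are not from the article; they are where
# the two User Configuration policies it configures are stored on the client.
$PolicyBase = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

function Test-SeamlessSsoZonePolicy {
    param(
        [string]$SsoUrl     = 'https://autologon.microsoftazuread-sso.com',
        [string]$PolicyRoot = $PolicyBase
    )
    $ssoZone = $null
    $others  = [System.Collections.Generic.List[string]]::new()

    # Site to Zone Assignment List: value name = site, value data = zone number as a string
    $zoneMap = Get-Item -LiteralPath (Join-Path $PolicyRoot 'ZoneMapKey') -ErrorAction SilentlyContinue
    if ($zoneMap) {
        foreach ($site in $zoneMap.GetValueNames()) {
            $zone = "$($zoneMap.GetValue($site))".Trim()
            if ($site.TrimEnd('/') -eq $SsoUrl.TrimEnd('/')) {
                $ssoZone = $zone
            } elseif ($zone -eq '1') {
                $others.Add($site)      # also treated as Intranet zone
            }
        }
    }

    # Intranet Zone > "Allow updates to status bar via script": DWORD 2103, 0 means enabled
    $statusBar = $false
    $intranet  = Get-Item -LiteralPath (Join-Path $PolicyRoot 'Zones\1') -ErrorAction SilentlyContinue
    if ($intranet) {
        $value     = $intranet.GetValue('2103')
        $statusBar = ($null -ne $value -and $value -eq 0)
    }

    [pscustomobject]@{
        SsoUrlZone         = $ssoZone               # $null means the URL is not in the list
        SsoUrlInIntranet   = ($ssoZone -eq '1')
        StatusBarViaScript = $statusBar
        OtherIntranetSites = $others.ToArray()
    }
}

$r = Test-SeamlessSsoZonePolicy
$r | Format-List
if (-not $r.SsoUrlInIntranet)           { Write-Warning 'SSO URL is not assigned to zone 1; check GPO scope with gpresult /r.' }
if (-not $r.StatusBarViaScript)         { Write-Warning '"Allow updates to status bar via script" is not enabled for the Intranet zone.' }
if ($r.OtherIntranetSites.Count -gt 0)  { Write-Warning 'Review the other zone 1 sites; keep the list limited to sites you trust with automatic sign-in.' }
```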
E-N Computers is a leading provider of cloud-based workflow solutions to businesses in Virginia, Washington, D.C., and Maryland. Our customized solutions will get your business up and running on Microsoft 365 quickly and easily. Contact us today to find out how we can help you use Microsoft 365 to meet the needs of your business.