How to Configure Single Sign-On (SSO) with Microsoft Azure Active Directory?

Microsoft SSO is a user authentication process that helps you save a lot of time and effort by allowing you to operate multiple applications using a single account. You can sign out of all the accounts with just one click. 

This blog will discuss how to configure SSO Azure AD. Read till the end to not miss out on anything.

Prerequisites

Before you get started with the SSO Microsoft configuration process, you need to ensure the following:

• Setup Your Azure AD Connect Server

As a Pass-through Authentication user, you don’t need any prerequisite checks. But if you use password hash synchronization as a sign-in method, ensure that:

• You are using version 1.1.644.0 or later of Azure AD Connect.
• If your firewall or proxy permits, enlist the connections to the allowed list for *.msappproxy.net URLs over port 443. In case you need a specific URL instead of a wildcard for proxy configuration, you need to reset tenantid.registration.msappproxy.net, where tenant ID is the GUID of the tenant where you are configuring the feature. However, if this isn’t possible, you need to permit access to the Azure data center IP ranges. These are updated once every week. You need to ensure this prerequisite only if you have enabled the feature; actual users aren’t obligated to do this for sign-ins.

• Use a Supported Azure AD Connect Topology

Ensure that you are using one of Azure AD Connect’s supported topologies:

• On-premises Active Directory Forest
• On-premises Active Directory with filtered import
• Azure AD Connect sync server
• Azure AD Connect sync server “staging mode”
• GALSync with Forefront Identity Manager (FIM) 2010 or Microsoft Identity Manager (MIM) 2016
• Azure AD Connect sync server, detailed
• Azure AD
• Unsupported Scenario

• Set up Domain Administrator Credentials

Ensure the following domain administrator credentials for each Active Directory forest that:

• You synchronize to Azure AD through SSO Azure AD Connect.
• Contains users you want to enable for seamless SSO.

• Activate Modern Authentication

For the Microsoft 365 services, the default state of modern authentication is:

• Activated for Exchange Online by default. See Enable or disable modern authentication in Exchange Online to turn it off or on.
• Turned on for SharePoint Online by default.
• Turned on Skype for Business Online by default. See Enable Skype for Business Online for modern authentication to turn it off or on.

• Use the Latest Versions of Microsoft 365 Clients

Set it to auto-update to get a smooth single sign-on experience with Microsoft 365 clients.

How to Enable Single Sign-On or SSO?

Here’s what you should do to enable Microsoft SSO.

1. Visit the Azure Active Directory Admin Center and sign in with one of the roles listed in the prerequisites.
2. Choose Enterprise Application > All Application. You’ll come across a list of applications in your Azure AD tenant. Select the one you want to use.
3. Go to the Manage section > Single sign-on. 
4. Open the SSO pane for editing.
5. Select SAML to open the SSO configuration page. Once the configuration is done, you can sign in to the application using a username and password from the Azure AD tenant. 
6. The steps in the Microsoft SSO configuration vary from application to application. You can use the configuration guide to configure enterprise applications in the gallery.
7. In the Set up Azure AD SAML Toolkit 1 section, record the values of the Login URL, Azure AD Identifier, and Logout URL properties to be used later.

How to Configure Single Sign-On in the Tenant?

To begin to configure SSO with Azure AD, you have to sign in and add reply URL values, followed by downloading a certificate. Here are the next steps:

1. Go to the Azure portal, and choose Edit in the Basic SAML configuration on the Set up single sign-on pane.
2. For the Reply URL (Assertion Consumer Service URL), enter .
3. For Sign-on URL, enter https://samltoolkit.azurewebsites.net/.
4. Select Save.
5. In the SAML Certificates section, select Download for Certificate (Raw) to download the SAML signing certificate and save it for future use.

How to Configure Single Sign-On in the Application?

You must register your user account with the application and add previously registered SAML configuration values.

Here’s how you can register the user account.

1. In a new browser window, go to the sign-in URL of the application.
2. Choose Register in the upper right corner of the page.
3. Add the email address of the user accessing the application. The user must be already assigned to the application.
4. Enter your password for confirmation.
5. Click on Register.

How to Configure SAML Settings?

For this, you must use previously registered values for SP Initiated Login URL and Assertion Consumer Service (ACS) URL.

Follow these steps to update SSO values.

1. Go to the Azure portal, and select Edit in the Basic SAML Configuration section on the Set up single sign-on pane.
2. For the Reply URL (Assertion Consumer Service URL), enter the Assertion Consumer Service (ACS) URL value you previously recorded.
3. For Sign-on URL, enter the SP Initiated Login URL value registered previously.
4. Click on Save.

Test Single Sign-On

Once you are done configuring Microsoft SSO, test it by following these steps.

1. In the Test single sign-on with Azure AD SAML Toolkit 1 section, select Test on the Set up single sign-on with SAML pane.
2. Sign in to the application using the Azure AD credentials of the user account you assigned.

Related Articles

1. What is DMARC SSO?
2. SAML / SSO feature user guide
3. DMARC office 365 Guide

• About
• Latest Posts

Yunes Tarada

Yunes is an Operations Team Lead at PowerDMARC with expert knowledge in email authentication and security. Yunes is a Microsoft-certified Azure Administrator Associate with certifications in CompTIA A+ and many more.

Latest posts by Yunes Tarada (see all)

• SPF Softfail Vs Hardfail: What’s the Difference? - April 26, 2024
• FTC Reports Email is a Popular Medium for Impersonation Scams - April 16, 2024
• SubdoMailing and the Rise of Subdomain Phishing - March 18, 2024