Authorized Applications shall be configured for Single Sign-On

Description

If available, all authorized applications should be configured for single sign-on (SSO) so that the authentication security of Azure AD extends to third-party applications.

Policy

  • Authorized applications shall be configured for single sign-on if available.

Licensing Considerations

To configure Enterprise applications for SSO, an Azure AD P1 license is required. It can be purchased standalone or is included in the following bundles:

  • Microsoft 365 Business Premium

  • Enterprise Mobility + Security (EMS) E3 or E5

  • Microsoft 365 E3

  • Microsoft 365 E5

Set Up Instructions

The configuration settings are application-specific, but every application is configured in the Enterprise applications section of Azure AD. See the Microsoft Learn article "Enable single sign-on for an enterprise application - Microsoft Entra".

Example SSO setup with Dropbox: see the Microsoft Learn article "Tutorial: Azure Active Directory integration with Dropbox Business - Microsoft Entra".

End-User Impact

Level: Medium

After an application is set up for single sign-on, users sign in to it with their Azure Active Directory credentials. Alert users before turning on SSO for an application so they are not caught off guard by a redirection to Microsoft when they try to sign in. Be careful with some applications: you can get locked out if the settings are not configured properly.

Tips

Establish a communication plan prior to setting up SSO for an application.

Leverage Azure AD groups to grant and revoke access to applications.

Leverage SCIM provisioning if it is available from the application provider.
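As an added example of the group-based grant and revoke suggested in the tips above (this page lists no PowerShell scripts of its own, and this is not one of them), the following uses the Microsoft Graph PowerShell SDK to assign an Azure AD group to an enterprise application, review current assignments, and remove the assignment again. The application name "Dropbox Business" and the group name "SG-Dropbox-Users" are placeholders for illustration; substitute your own. It also turns on "User assignment required" on the application, since without that setting any user in the tenant can sign in regardless of group assignment.

```powershell
# Added example, not a script from this page. Assigns and revokes an Azure AD
# group's access to an enterprise application via the Microsoft Graph PowerShell
# SDK (Microsoft.Graph.Applications and Microsoft.Graph.Groups modules).
# Placeholders: the application and group display names below are assumptions.

Connect-MgGraph -Scopes "Application.ReadWrite.All", "Group.Read.All"

$appName   = 'Dropbox Business'   # placeholder: enterprise application display name
$groupName = 'SG-Dropbox-Users'   # placeholder: Azure AD security group to be granted access

# The enterprise application is represented by its service principal.
$sp    = Get-MgServicePrincipal -Filter "displayName eq '$appName'"
$group = Get-MgGroup -Filter "displayName eq '$groupName'"
if (-not $sp -or -not $group) { throw "Application or group not found; check the names." }

# Require assignment: otherwise every user in the tenant can sign in to the app,
# and the group assignment below would not actually restrict access.
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AppRoleAssignmentRequired:$true

# Choose an app role that users/groups may hold. Gallery apps usually expose a
# 'User' role; an app that defines no roles uses the empty GUID (default access).
$role = $sp.AppRoles |
    Where-Object { $_.IsEnabled -and $_.AllowedMemberTypes -contains 'User' } |
    Select-Object -First 1
$appRoleId = if ($role) { $role.Id } else { [guid]::Empty }

# Grant: assign the group (not individual users) to the application. Day-to-day
# onboarding and offboarding then happens through group membership.
New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id `
    -PrincipalId $group.Id -ResourceId $sp.Id -AppRoleId $appRoleId

# Review: list every user and group currently assigned to the application.
Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id |
    Select-Object PrincipalDisplayName, PrincipalType, AppRoleId

# Revoke: remove the group's assignment from the application.
$assignment = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id |
    Where-Object { $_.PrincipalId -eq $group.Id }
if ($assignment) {
    Remove-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id `
        -AppRoleAssignmentId $assignment.Id
}
```

Run the review step on its own periodically to confirm that only the intended groups remain assigned; an application that lists individual users alongside the group is a sign that access is being granted outside the group-based process.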

PowerShell Scripts

None Currently
