Authorized Applications shall be configured for Single Sign-On
Description
If available, all authorized applications should be configured for single sign-on so that Azure AD authentication controls (MFA, Conditional Access, sign-in auditing) also cover third-party applications.
Policy
Authorized applications shall be configured for single sign-on if available.
Licensing Considerations
To configure Enterprise applications for SSO, an Azure AD P1 license is required. This can be purchased standalone or is available as part of the following bundles:
Microsoft 365 Business Premium
Enterprise Mobility + Security (EMS) E3 or EMS E5
Microsoft 365 E3
Microsoft 365 E5
Set Up Instructions
The configuration settings are application-specific, but all applications are configured in the Enterprise applications section of Azure AD: Enable single sign-on for an enterprise application - Microsoft Entra | Microsoft Learn
Example SSO with Dropbox: Tutorial: Azure Active Directory integration with Dropbox Business - Microsoft Entra | Microsoft Learn
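The following PowerShell script is an added audit example; it is not part of this page and not a Microsoft-provided script. It lists the tenant's enterprise applications and reports which ones have no single sign-on mode configured, which is the check an administrator would run to verify this policy. It assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in account holds the Application.Read.All permission, and that the WindowsAzureActiveDirectoryIntegratedApp tag on a service principal identifies an enterprise application (the hypothetical output file name sso-noncompliant.csv is arbitrary).

```powershell
# Added audit example (not from the original page or from Microsoft).
# Assumes: Microsoft.Graph PowerShell SDK installed; account granted Application.Read.All;
# the WindowsAzureActiveDirectoryIntegratedApp tag marks enterprise applications.
Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome

# Enterprise applications are service principals carrying the integrated-app tag.
$apps = Get-MgServicePrincipal -All `
    -Filter "tags/any(t:t eq 'WindowsAzureActiveDirectoryIntegratedApp')" `
    -ConsistencyLevel eventual -CountVariable total `
    -Property DisplayName, AppId, AccountEnabled, PreferredSingleSignOnMode, Tags

$report = foreach ($sp in $apps) {
    $mode = $sp.PreferredSingleSignOnMode

    # preferredSingleSignOnMode is null when SSO has never been configured.
    $status = switch ($mode) {
        'saml'         { 'Compliant (SAML SSO)' }
        'oidc'         { 'Compliant (OpenID Connect SSO)' }
        'password'     { 'Review (password-based SSO, not federated)' }
        'notSupported' { 'N/A (application reports SSO not supported)' }
        default        { 'Non-compliant (SSO not configured)' }
    }

    [pscustomobject]@{
        DisplayName = $sp.DisplayName
        AppId       = $sp.AppId
        Enabled     = $sp.AccountEnabled
        SsoMode     = if ($mode) { $mode } else { '(none)' }
        Status      = $status
    }
}

# On-screen summary, worst status first.
$report | Sort-Object Status, DisplayName | Format-Table -AutoSize

# Export only enabled applications that violate the policy, for follow-up.
# Output path is a placeholder; change it to suit your environment.
$report |
    Where-Object { $_.Status -like 'Non-compliant*' -and $_.Enabled } |
    Export-Csv -Path '.\sso-noncompliant.csv' -NoTypeInformation

Write-Host "Reviewed $total enterprise application(s)."
```

Run the script before and after onboarding an application to confirm the SSO mode changed from none to saml or oidc. Password-based SSO is flagged for review rather than marked compliant because it vaults a separate credential instead of federating authentication to Azure AD, so it does not extend Conditional Access and MFA to the application in the same way.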
End-User Impact
Level: Medium
After an application is set up for single sign-on, users authenticate to it with their Azure Active Directory credentials. Alert users before turning on SSO for an application so they are not caught off guard by a redirect to Microsoft when they try to sign in. Be careful with some applications: if the SSO settings are misconfigured, you can lock yourself and your users out of the application.
Tips
Establish a communication plan prior to setting up SSO for an application.
Leverage Azure AD groups to grant and revoke access to applications.
Leverage SCIM provisioning if it is available from the application provider.
PowerShell Scripts
None Currently
Videos