Let’s talk about the second column of the Office 365 Login User Experience Matrix found below. Based on my anecdotal feedback from customers, I would say at this point Microsoft Azure Active Directory for Single Sign-On (“Azure AD for SSO”) is an Azure feature that is not very well-known yet, but just happens to be exactly what many customers actually want, especially if they’re utilizing many SaaS apps. Azure AD for SSO has gone by several names in its short lifetime, including “Azure AD Applications” and “Application Access Enhancements,” so keep that in mind as you conduct a search. The Azure AD for SSO federation SaaS application makes it possible to have single sign-on not only with Office 365 but, as of this post, with 2,476 other applications, including popular apps such as box.net, Concur, Dropbox for Business, Google Apps, Salesforce.com and ServiceNow. Better yet, for some SaaS apps, adding a new user to AD DS and placing them in a security group or setting an attribute on them can also automatically provision or de-provision an account in that SaaS app. Here’s a full, up-to-date list of the SaaS apps Azure AD for SSO supports.
I’m a “picture is worth a thousand words” kind of person, so I created the following illustration to show what components are involved in an AD DS scenario:
As its name implies, Azure AD for SSO provides single sign-on with AD DS by leveraging the aforementioned AAD Sync and by having a password SSO plug-in browser extension installed on each of your users’ PCs. If you’re not comfortable installing the browser extension, your users can still have single sign-on, but they must first log into the Azure MyApps Portal with their AD DS User Principal Name and password. If you’re a small business without AD DS, your users will simply use their Azure AD accounts and passwords. The portal that launches the applications is (or can be) tailored for each user. As you can see in the following screenshot of my personal MyApps portal, I can automatically connect with our company’s business online travel provider, Egencia, but also our corporate Facebook account, as well as several of my own personal interest sites.
If your company has a social presence, Azure AD for SSO can be a huge asset by enabling you to give access to the users who are responsible for updating the company’s Facebook, Twitter, Instagram and other accounts while not having to give them the actual user ID and password for each of those sites. This prevents an employee who has left the company from still being able to post under those social accounts, because once you’ve deactivated their account in AD DS, they won’t have access to the MyApps portal either.
One of the great Azure AD for SSO bargains is that each user has single sign-on with up to 10 applications for free! You can also kick the tires to see how the service will work in your organization before determining whether you need to subscribe to the Azure Active Directory Basic or Premium editions. While the free edition of Azure AD might be “good enough” for some organizations, as you can see in the matrix below, there are some great reasons for purchasing the Basic or Premium subscriptions, including group-based application access management and provisioning, which is important for automating access and preventing one-off management. They also include self-service password reset to reduce calls to your helpdesk, the ability to write back a password change in Azure AD to AD DS, Azure Multi-Factor Authentication for enhanced security, as well as Forefront Identity Manager client access licenses to really round out identity management in your organization.
Interested in learning more about single sign-on versus same sign-on? We’ll cover the remaining matrix column, Active Directory Federation Services, in the third blog post.