RST-1727 asked sikumars answered

SSO with OnPrem Apps on Azure AD Joined devices

Hi All,

As I could understand, when I add a laptop as Azure AD joined, SSO works fine for my hybrid users (PHS enabled) when accessing all Azure resources using the PRT/AT token; the following article also says hybrid users get an SSO experience on AAD joined devices when accessing applications integrated with on-prem AD.

https://docs.microsoft.com/en-us/azure/active-directory/devices/azuread-join-sso

However, what would be the hybrid user experience when accessing applications which are integrated with ADFS or a 3rd party federation provider using a SAML federation trust?

Does the user need to punch in user name + password, or is there any chance to consume the token provided by Azure AD or the Kerberos token provided by on-prem AD?

Thank you!

azure-ad-authentication

Hi @RST-1727,
Just checking in to see if the answer below helped. If this answers your query, please don't forget to click "Accept the answer" and up-vote it, which might be beneficial to other community members reading this thread. And if you have any further query, do let us know.
Thanks, Siva Kumar Selvaraj

sikumars answered

Hello @RST-1727,

Just checking if you have any follow-up question. If the above answer helped your query, please don't forget to click "Accept the answer" and up-vote. Thanks.

sikumars answered sikumars edited

Hi @RST-1727,

Thanks for reaching out.


From the AAD joined device aspect, ADFS or 3rd party federation servers are considered as an application, so when those servers are configured for Windows Integrated Authentication, users seamlessly get SSO when they try accessing the application from an AAD joined device.

For example: let's say ADFS has been configured with Windows Integrated Authentication (WIA). When a user tries to access an ADFS integrated app through an "Azure AD joined device", they seamlessly get SSO, as ADFS expects a Kerberos token, and the device:


- Sends the on-premises domain information and user credentials to the located DC to get the user authenticated.
- Receives a Kerberos Ticket-Granting Ticket (TGT) or NTLM token based on the protocol the on-premises resource or application supports.
- If the attempt to get the Kerberos TGT or NTLM token for the domain fails (a related DCLocator timeout can cause a delay), Credential Manager entries are attempted, or the user may receive an authentication popup requesting credentials for the target resource.

Note: On-premises SSO requires line-of-sight communication with your on-premises AD DS domain controllers. If Azure AD joined devices are not connected to your organization's network, a VPN or other network infrastructure is required.

Hope this helps.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

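An added diagnostic script, not part of this thread and not Microsoft's own code, that checks the conditions the answer above relies on: the device holds an Azure AD PRT, a domain controller for the on-premises domain is reachable (line of sight), a Kerberos TGT for that realm is present in the logon session, and, optionally on the ADFS server, which browser user agents ADFS will attempt WIA for. The domain name `contoso.com` is a placeholder; `dsregcmd`, `nltest` and `klist` are the standard Windows tools, and `Get-AdfsProperties` is only available where the ADFS PowerShell module is installed.

```powershell
# Added example, not from the thread: verifies the prerequisites for on-premises SSO
# from an Azure AD joined device that the answer above describes.
# Assumptions (placeholders): the AD DS domain is "contoso.com"; the script runs on the
# Windows client as the signed-in user; the optional -CheckAdfs switch is used only on
# the ADFS server itself, where the ADFS PowerShell module exists.
param(
    [string]$OnPremDomain = "contoso.com",   # placeholder domain; replace with yours
    [switch]$CheckAdfs                        # run only on the ADFS server
)

$results = [ordered]@{}

# 1. Device registration state. On a pure Azure AD joined device the expected values are
#    AzureAdJoined : YES, DomainJoined : NO, AzureAdPrt : YES (the PRT is what gives cloud SSO).
$dsreg = dsregcmd /status
foreach ($name in 'AzureAdJoined', 'DomainJoined', 'AzureAdPrt') {
    $line = $dsreg | Where-Object { $_ -match "^\s*$name\s*:\s*(\S+)" } | Select-Object -First 1
    $results[$name] = if ($line -and $line -match ":\s*(\S+)") { $Matches[1] } else { 'UNKNOWN' }
}

# 2. Line of sight to a domain controller. The answer notes that without it (off the
#    corporate network and no VPN) the device cannot obtain a Kerberos TGT and WIA falls
#    back to Credential Manager or a credential prompt.
$null = nltest "/dsgetdc:$OnPremDomain" 2>&1
$results['DcReachable'] = if ($LASTEXITCODE -eq 0) { 'YES' } else { 'NO' }

# 3. Kerberos TGT for the on-premises realm in the current logon session. klist lists the
#    cached tickets; a krbtgt/<REALM> entry shows the TGT step of the answer's flow succeeded.
$klist = klist 2>&1
$realmPattern = "krbtgt/$([regex]::Escape($OnPremDomain.ToUpper()))"
$results['KerberosTgt'] = if ($klist -match $realmPattern) { 'YES' } else { 'NO' }

# 4. Optional, on the ADFS server: ADFS only attempts WIA for user agents matching this
#    list, so a browser whose user agent is not listed gets the forms sign-in page instead
#    of seamless SSO even when steps 1-3 are all YES.
if ($CheckAdfs) {
    $agents = (Get-AdfsProperties).WIASupportedUserAgents
    $results['AdfsWiaUserAgents'] = ($agents -join '; ')
}

[pscustomobject]$results | Format-List
```

Run it as the hybrid user on the joined device; any NO or UNKNOWN in the first three groups points at the step of the flow above that is failing, and the ADFS user-agent list explains the remaining case where Kerberos is available but the browser is still prompted.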
RST-1727 answered

Hi Team,

I appreciate any help.
