Single Sign-On to on-premises resources from Azure AD joined devices when on-premises
Azure AD Join was introduced in Windows 10. It allows a Windows 10 device to register with Azure Active Directory (Azure AD) and allows Azure AD users to sign in to the device using their work credentials, more commonly known as their O365 credentials.
Users on these devices enjoy Single Sign-On (SSO) to Office 365 and other SaaS applications.
The really cool part is that if the user is working within the corporate network, the user also enjoys SSO to on-premises resources that use Integrated Windows Authentication (IWA), provided the organization has enabled this functionality.
You will need a hybrid environment in which your on-premises Active Directory Domain Services has been extended to Azure AD.
So what do we need to enable this functionality?
- An on-premises Active Directory running on at least Windows Server 2008 R2
- An Azure AD Subscription
- Windows 10 Devices
- Azure Active Directory Connect
Azure Active Directory Connect is used to synchronize users and devices between Azure AD and your on-premises AD.
AAD Connect writes three new attributes on users in Azure AD which are then used by Windows logon to authenticate the user against a suitable domain controller on-premises.
- DNS domain name where the user resides in AD on-premises.
- NetBIOS domain name where the user resides in AD on-premises.
- SAM account name of the user.
For more deployment information, see the official documentation: Enabling your directory for hybrid management with Azure AD Connect.
So how does this work in technical terms?
Imagine that you are inside your company’s network on your Azure AD joined device. You enter your password or your Passport credentials (Windows Hello/PIN). That credential goes to Azure AD, and Azure AD returns a token to Windows. This token is a very special token: it is a refresh token, but a refresh token for multiple audiences. It is used to access all resources from this device for as long as the session is active. That is what is called a Primary Refresh Token (PRT). Additionally, at the same time, if the device can reach an on-premises Active Directory domain controller, the device also receives a Kerberos TGT (Ticket Granting Ticket), and that is what provides SSO to on-premises resources. All of this happens at winlogon time.
The PRT provides SSO to all Azure AD resources such as SaaS apps or Office 365, whether you have set up your environment with AD FS or are using password hash sync to Azure AD. The TGT provides SSO to on-premises resources such as web applications, file servers and printers. The user experiences full SSO to all resources.
Users doing work from Azure AD joined devices that come to the on-premises network are now able to enjoy seamless access without being prompted for credentials when accessing a file server or when printing a document to an on-premises printer.
If your users, on the other hand, are outside your network, they will still have SSO to all cloud applications. But because the device cannot reach an on-premises domain controller, it will not get a TGT and will not be able to access on-premises resources unless you have published them through Azure AD Application Proxy or Web Application Proxy.
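The two cases above (on the corporate network with both a PRT and a TGT, off the network with only a PRT) can be checked directly on the device. The following PowerShell script is an added example, not code from the original post or from Microsoft; it relies only on the built-in `dsregcmd.exe /status` and `klist.exe` tools, which print the Azure AD join state, the PRT state and the current Kerberos ticket cache. The function names (`ConvertFrom-DsregStatus`, `Test-KerberosTgt`, `Test-OnPremSsoReadiness`) are my own, and the script assumes it is run in the interactive session of the Azure AD user whose SSO you want to verify.

```powershell
# Added example (not part of the original post): verify on an Azure AD joined
# Windows 10 device whether the two credentials described above are present:
# the Primary Refresh Token (PRT) issued by Azure AD and a Kerberos TGT issued
# by an on-premises domain controller. Uses only dsregcmd.exe and klist.exe.

function ConvertFrom-DsregStatus {
    # Parse the "Key : Value" lines printed by dsregcmd /status into a hashtable.
    # Example line: "             AzureAdJoined : YES"
    param([string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Test-KerberosTgt {
    # A TGT shows up in klist output as a ticket whose server principal is
    # krbtgt/<REALM>. Any other ticket (cifs/, HTTP/, ...) is a service ticket.
    param([string[]]$KlistLines)
    foreach ($line in $KlistLines) {
        if ($line -match 'Server:\s*krbtgt/') { return $true }
    }
    return $false
}

function Test-OnPremSsoReadiness {
    # Collect the live state from both tools (these names are hypothetical
    # helper names; the underlying commands are the real Windows tools).
    $dsreg = ConvertFrom-DsregStatus -Lines (& dsregcmd.exe /status)
    $tgt   = Test-KerberosTgt -KlistLines (& klist.exe)

    [pscustomobject]@{
        AzureAdJoined  = ($dsreg['AzureAdJoined'] -eq 'YES')
        AzureAdPrt     = ($dsreg['AzureAdPrt']    -eq 'YES')
        HasKerberosTgt = $tgt
    }
}

$result = Test-OnPremSsoReadiness
$result | Format-List

# Interpret the combination the way the article describes it.
if (-not $result.AzureAdJoined) {
    Write-Warning 'Device is not Azure AD joined; neither cloud SSO nor on-prem SSO via PRT applies.'
}
elseif (-not $result.AzureAdPrt) {
    Write-Warning 'No PRT in this session: sign-in to Azure AD did not complete, so no SSO to cloud apps.'
}
elseif (-not $result.HasKerberosTgt) {
    Write-Warning 'PRT present but no Kerberos TGT: no domain controller was reachable at logon. Cloud SSO works; on-prem resources only via Application Proxy / Web Application Proxy.'
}
else {
    Write-Host 'PRT and Kerberos TGT both present: SSO to cloud and on-premises resources is available.'
}
```

If a device shows a PRT but no TGT while it is on the corporate network, the usual cause is that the domain controller was not reachable (DNS or network) at the moment winlogon ran; locking and unlocking the device, or `klist purge` followed by a re-lock, triggers a fresh attempt and is a useful first diagnostic step.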