Choose and deploy seamless single sign-on

Single sign-on (SSO) is an authentication process that lets a user sign in once to access domain-joined devices, company resources, software as a service (SaaS) applications, and web applications. Administrators can centralize user account management, and automatically add or remove user access to applications based on group membership.

Business Case

Christina has a desktop at the office. While traveling, Christina signs into a Surface laptop, iPhone, Surface, Office 365 apps, Salesforce, and a handful of custom on-premises apps and databases. While on the road, Christina uses Spotify, WhatsApp, and Netflix. Many employees use the same password, even though they know it's not safe. How would you enable Christina to sign in once with one account to access domain-joined devices, company resources, and SaaS and web applications?

Plan an SSO deployment

Before you deploy SSO in your organization, you should:

  • Determine how end-users will access their SSO-enabled applications, provision SaaS cloud apps, and craft your communications to match your selection.

  • Determine whether authentication should take place in the cloud or on-premises. The authentication method is a critical component of an organization’s presence in the cloud because it controls access to all cloud data and resources.

Plan your SSO configuration. For example, you can:

  • Support applications that require multiple sign-in fields

  • Customize the labels of username and password fields

  • Allow a business group member to assign specified usernames and passwords to users

  • Plan role-based access

What is role-based access?

Role-based access control (RBAC) is an authorization system that helps you manage who has access to which Azure resources, what they can do with those resources, and what areas they have access to. RBAC allows you to segregate duties within your organization and grant users only the amount of access they need to perform their jobs. You control access to your resources with RBAC by creating role assignments, each of which combines a security principal (who: the identity), a role definition (what: a set of permissions), and a scope (where: the resources the assignment applies to).

Role definition and scope

A role definition is a collection of permissions that lists the operations that can be performed, such as read, write, and delete. Roles can be high-level, like owner, or specific, like virtual machine reader.

A scope is the defined list of resources the role has access to. This is helpful when you want to make someone a website contributor, but only for one resource group.

In the following example, the Marketing group has been assigned the Contributor role at the sales resource group scope.
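The assignment above (Marketing group, Contributor role, "sales" resource group scope), evaluated by a small model of how RBAC authorization combines principal, role definition, and scope. This is an added example, not code from this module or from Azure: it reduces Contributor and Website Contributor to a few actions, and the subscription id and group object ids are placeholders.

```python
import fnmatch
from dataclasses import dataclass

# Simplified model of Azure RBAC evaluation (constructed for illustration, not Azure's
# engine): an assignment binds a principal to a role definition at a scope, and it
# applies to that scope and to everything nested beneath it.

@dataclass(frozen=True)
class RoleDefinition:
    name: str
    actions: tuple            # wildcard patterns such as "Microsoft.Web/sites/*"
    not_actions: tuple = ()   # exclusions carved out of the wildcard grants

@dataclass(frozen=True)
class RoleAssignment:
    principal: str            # object id of a user, group or service principal
    role: RoleDefinition
    scope: str                # e.g. "/subscriptions/<sub>/resourceGroups/sales"

# Built-in-style roles reduced to the handful of actions this example needs.
CONTRIBUTOR = RoleDefinition("Contributor", ("*",),
                             ("Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"))
WEBSITE_CONTRIBUTOR = RoleDefinition("Website Contributor", ("Microsoft.Web/sites/*",))

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"   # placeholder subscription id
MARKETING_GROUP = "marketing-group-object-id"                   # placeholder object id

# The page's example: the Marketing group holds Contributor at the "sales" resource group.
ASSIGNMENTS = [RoleAssignment(MARKETING_GROUP, CONTRIBUTOR, f"{SUB}/resourceGroups/sales")]

def in_scope(assignment_scope: str, resource_id: str) -> bool:
    """True when the scope is the resource itself or one of its ancestors.
    Comparison is per path segment, so the "sales" scope does not leak into "sales-archive"."""
    a = assignment_scope.rstrip("/").lower().split("/")
    r = resource_id.rstrip("/").lower().split("/")
    return r[:len(a)] == a

def role_permits(role: RoleDefinition, action: str) -> bool:
    """Allowed when some Actions pattern matches and no NotActions pattern matches."""
    hit = lambda patterns: any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)
    return hit(role.actions) and not hit(role.not_actions)

def is_authorized(assignments, principal_ids, action, resource_id) -> bool:
    """principal_ids holds the caller's own id plus every group it belongs to,
    which is how a group assignment reaches an individual user like Christina."""
    return any(ra.principal in principal_ids
               and in_scope(ra.scope, resource_id)
               and role_permits(ra.role, action)
               for ra in assignments)
```

Real Azure evaluation also applies deny assignments and data-plane actions (DataActions), which this model leaves out; the NotActions on Contributor are what stop a contributor from granting access to others.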
