How to set up SSO in Microsoft Entra ID
What is Microsoft Entra SSO?
Microsoft Entra ID's SSO feature, Microsoft Entra SSO, lets users sign in once to Microsoft Entra ID (for example through Microsoft 365 or Azure) and then open cloud, on-premises, and SaaS applications without signing in again. After that first authentication, Microsoft Entra ID issues a token to each application on the user's behalf instead of prompting for credentials. Fewer sign-in prompts improve the user experience, and concentrating authentication on one centrally protected identity (where MFA and Conditional Access are enforced) reduces password fatigue and the risk of credential reuse. Because the applications trust Microsoft Entra ID for authentication, access can be granted and revoked centrally based on user and group assignments or app roles.
What do you need to set up Microsoft Entra SSO?
To set up Microsoft Entra SSO, you need:
- An appropriate user role: Registering applications and configuring SSO in Microsoft Entra ID requires at least the Cloud Application Administrator role. Application Administrator and Global Administrator also work, but following least privilege, use Cloud Application Administrator (or make the administrator an owner of the specific enterprise application) rather than a Global Administrator account.
- Supported applications: Any application that speaks SAML 2.0 or OpenID Connect can be registered in Microsoft Entra ID and configured for federated SSO. Applications that speak neither can still be surfaced through password-based or linked SSO; linked SSO also covers applications already federated through another service such as Active Directory Federation Services (AD FS).
- Browser extension: Password-based SSO requires the My Apps Secure Sign-in browser extension on users' devices; some other My Apps scenarios use it as well.
How does Microsoft Entra SSO work?
Microsoft Entra SSO is built on SAML 2.0 and OpenID Connect, with Microsoft Entra ID acting as the identity provider. When an application redirects a user to Microsoft Entra ID, the user authenticates there (password, passwordless, MFA and Conditional Access are all enforced at this step). Microsoft Entra ID then returns a signed token to the application, a SAML assertion or an OpenID Connect ID token, stating who the user is and which application the token was issued for. The application verifies the signature, issuer, audience and validity period before accepting the user. Because the browser keeps a session with Microsoft Entra ID, the next assigned application the user opens receives its own token without another sign-in prompt.
What are the protocols and types supported by Microsoft Entra SSO?
There are two main protocols supported by Microsoft Entra SSO for signing in to applications registered in Microsoft Entra ID. These include:
SAML-based SSO
SAML-based SSO is a widely adopted standard for exchanging authentication and authorization data between an identity provider and a service provider (the application). Microsoft Entra ID signs a SAML assertion with the tenant's token-signing certificate and posts it to the application's Reply URL (Assertion Consumer Service); the application validates it and creates a local session. SAML suits enterprise environments where federated identity management is essential, giving users seamless access across cloud services and enterprise applications.
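The checks a service provider has to make on the token described above, as an added example that is not part of the original page: it parses a constructed, unsigned SAML Response of the shape Microsoft Entra ID issues and rejects it unless status, Destination, InResponseTo, Issuer, validity window, Audience and SubjectConfirmation all match what this application expects. The tenant ID, entity IDs, URLs and request ID are placeholders; signature verification is described in a comment rather than implemented, since the sample carries no signature.

```powershell
# Added example (not from the original page): relying-party checks on a SAML Response from Entra ID.
# Tenant ID, entity IDs and URLs are placeholders; the response below is a constructed, unsigned sample.
$tenantId = "00000000-0000-0000-0000-000000000000"
$expected = @{
    Issuer      = "https://sts.windows.net/$tenantId/"           # Entra ID's IdP entity ID for the tenant
    Audience    = "https://app.contoso.example/saml/metadata"    # the app's own Identifier (Entity ID)
    Destination = "https://app.contoso.example/saml/acs"         # the app's Reply URL (ACS)
    RequestId   = "_req-1234"                                    # ID of the AuthnRequest the app sent
}
$now = [DateTimeOffset]::Parse("2024-05-01T12:00:00Z", [Globalization.CultureInfo]::InvariantCulture).UtcDateTime

$samlResponse = @"
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp-5678" Version="2.0" IssueInstant="2024-05-01T11:59:50Z"
    Destination="https://app.contoso.example/saml/acs" InResponseTo="_req-1234">
  <saml:Issuer>https://sts.windows.net/$tenantId/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T11:59:50Z">
    <saml:Issuer>https://sts.windows.net/$tenantId/</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@contoso.example</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-05-01T12:04:50Z" Recipient="https://app.contoso.example/saml/acs" InResponseTo="_req-1234"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:54:50Z" NotOnOrAfter="2024-05-01T12:59:50Z">
      <saml:AudienceRestriction><saml:Audience>https://app.contoso.example/saml/metadata</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>
"@

function ConvertTo-UtcTime([string]$s) {
    [DateTimeOffset]::Parse($s, [Globalization.CultureInfo]::InvariantCulture).UtcDateTime
}

function Test-SamlResponse {
    param([string]$Xml, [hashtable]$Expected, [datetime]$Now, [int]$SkewSeconds = 300)
    $failures = New-Object System.Collections.Generic.List[string]
    $doc = [xml]$Xml
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace("samlp", "urn:oasis:names:tc:SAML:2.0:protocol")
    $ns.AddNamespace("saml",  "urn:oasis:names:tc:SAML:2.0:assertion")
    $resp = $doc.SelectSingleNode("/samlp:Response", $ns)

    # 0. Signature (not implemented here): verify the XML signature against the tenant's current
    #    token-signing certificate and reject anything unsigned or signed by an unknown key first.
    # 1. Exactly one assertion; a second, unsigned assertion is a classic smuggling vector.
    $assertions = $doc.SelectNodes("/samlp:Response/saml:Assertion", $ns)
    if ($assertions.Count -ne 1) {
        $failures.Add("expected exactly one assertion, found $($assertions.Count)")
        return [pscustomobject]@{ NameID = $null; Failures = $failures }
    }
    $a = $assertions.Item(0)

    # 2. Status, Destination and InResponseTo: the response must answer the request this app sent.
    $status = $resp.SelectSingleNode("samlp:Status/samlp:StatusCode", $ns).GetAttribute("Value")
    if ($status -ne "urn:oasis:names:tc:SAML:2.0:status:Success") { $failures.Add("status $status") }
    if ($resp.GetAttribute("Destination") -ne $Expected.Destination) { $failures.Add("Destination mismatch") }
    if ($resp.GetAttribute("InResponseTo") -ne $Expected.RequestId) { $failures.Add("InResponseTo mismatch (unsolicited or replayed)") }

    # 3. Issuer on both the response and the assertion must be this tenant's Entra ID.
    foreach ($node in @($resp, $a)) {
        if ($node.SelectSingleNode("saml:Issuer", $ns).InnerText -ne $Expected.Issuer) { $failures.Add("Issuer is not the expected tenant") }
    }

    # 4. Conditions: validity window (with clock skew) and audience restriction.
    $cond = $a.SelectSingleNode("saml:Conditions", $ns)
    $notBefore    = ConvertTo-UtcTime $cond.GetAttribute("NotBefore")
    $notOnOrAfter = ConvertTo-UtcTime $cond.GetAttribute("NotOnOrAfter")
    if ($Now -lt $notBefore.AddSeconds(-$SkewSeconds))   { $failures.Add("assertion not yet valid") }
    if ($Now -ge $notOnOrAfter.AddSeconds($SkewSeconds)) { $failures.Add("assertion expired") }
    $audiences = @($cond.SelectNodes("saml:AudienceRestriction/saml:Audience", $ns) | ForEach-Object { $_.InnerText })
    if ($audiences -notcontains $Expected.Audience) { $failures.Add("Audience '$($audiences -join ',')' is not this application") }

    # 5. Bearer SubjectConfirmation must name this ACS URL, the same request, and still be fresh.
    $scd = $a.SelectSingleNode("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", $ns)
    if ($scd.GetAttribute("Recipient") -ne $Expected.Destination) { $failures.Add("Recipient mismatch") }
    if ($scd.GetAttribute("InResponseTo") -ne $Expected.RequestId) { $failures.Add("SubjectConfirmationData InResponseTo mismatch") }
    if ($Now -ge (ConvertTo-UtcTime $scd.GetAttribute("NotOnOrAfter")).AddSeconds($SkewSeconds)) { $failures.Add("subject confirmation expired") }

    [pscustomobject]@{
        NameID   = $a.SelectSingleNode("saml:Subject/saml:NameID", $ns).InnerText
        Failures = $failures
    }
}

$result = Test-SamlResponse -Xml $samlResponse -Expected $expected -Now $now
if ($result.Failures.Count -eq 0) { "Accept sign-in for $($result.NameID)" }
else { $result.Failures | ForEach-Object { "REJECT: $_" } }

# The same response replayed to a different application (other Identifier) is rejected on Audience.
$otherApp = $expected.Clone(); $otherApp.Audience = "https://other.contoso.example/saml/metadata"
(Test-SamlResponse -Xml $samlResponse -Expected $otherApp -Now $now).Failures
```

Every one of these checks matters in practice: skipping the Audience check lets an assertion minted for one of your applications be replayed against another, skipping InResponseTo accepts unsolicited or replayed responses, and accepting more than one assertion is how unsigned content gets smuggled past a signature check that only covers the first.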
OpenID-Connect-based SSO
OpenID Connect is an identity layer built on top of the OAuth 2.0 protocol, allowing clients to verify end-user identities based on authentication performed by an authorization server. This method is suitable for modern web and mobile applications, providing a streamlined user experience while supporting secure authentication and user profile retrieval. OpenID Connect enhances flexibility in integrating with various applications while maintaining robust security measures.
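The corresponding checks for the OpenID Connect path, as an added example that is not part of the original page: it decodes a constructed, unsigned ID token shaped like one from the Microsoft Entra ID v2.0 endpoint and rejects it unless algorithm, issuer, tid, audience, lifetime and nonce match what this client expects. The tenant ID, client ID, object ID and nonce are placeholders; signature verification against the tenant's JWKS is described in a comment rather than implemented.

```powershell
# Added example (not from the original page): relying-party checks on an Entra ID v2.0 ID token.
# Tenant ID, client ID and nonce are placeholders; the token is constructed and its signature is not real.
$tenantId = "11111111-1111-1111-1111-111111111111"
$clientId = "22222222-2222-2222-2222-222222222222"   # the app registration's Application (client) ID
$nonce    = "n-0S6_WzA2Mj"                           # nonce this session sent in the authorize request

function ConvertFrom-Base64Url([string]$s) {
    $s = $s.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}
function ConvertTo-Base64Url([string]$s) {
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($s)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

# Build the constructed sample token (header.payload.signature).
$nowEpoch = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
$claimSet = @{
    iss   = "https://login.microsoftonline.com/$tenantId/v2.0"
    aud   = $clientId
    tid   = $tenantId
    sub   = "AAAAAAAAAAAAAAAAAAAAAIkzqFVrSaSaFHy782bbtaQ"
    oid   = "33333333-3333-3333-3333-333333333333"
    preferred_username = "alice@contoso.example"
    nonce = $nonce
    iat   = $nowEpoch; nbf = $nowEpoch; exp = $nowEpoch + 3600
}
$header  = ConvertTo-Base64Url '{"typ":"JWT","alg":"RS256","kid":"example-kid"}'
$payload = ConvertTo-Base64Url ($claimSet | ConvertTo-Json -Compress)
$idToken = "$header.$payload.c2lnbmF0dXJl"   # signature segment is placeholder bytes

function Test-EntraIdToken {
    param([string]$Token, [string]$TenantId, [string]$ClientId, [string]$Nonce, [int]$SkewSeconds = 300)
    $failures = New-Object System.Collections.Generic.List[string]
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { $failures.Add("malformed token"); return [pscustomobject]@{ Claims = $null; Failures = $failures } }
    $hdr    = ConvertFrom-Base64Url $parts[0] | ConvertFrom-Json
    $claims = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json

    # 0. Signature (not implemented here): fetch jwks_uri from
    #    https://login.microsoftonline.com/<tenant>/v2.0/.well-known/openid-configuration, pick the key
    #    by $hdr.kid, verify RS256 over "$($parts[0]).$($parts[1])", and only then trust any claim.
    if ($hdr.alg -ne "RS256") { $failures.Add("unexpected alg '$($hdr.alg)'") }

    # 1. Issuer must be this tenant's v2.0 issuer, and tid must agree with it. A multi-tenant app that
    #    skips this accepts tokens minted by any other tenant's users.
    if ($claims.iss -ne "https://login.microsoftonline.com/$TenantId/v2.0") { $failures.Add("issuer '$($claims.iss)' is not this tenant") }
    if ($claims.tid -ne $TenantId) { $failures.Add("tid '$($claims.tid)' does not match the expected tenant") }

    # 2. Audience must be this client ID; an ID token issued to another app is not for you.
    if (@($claims.aud) -notcontains $ClientId) { $failures.Add("audience '$($claims.aud)' is not this client") }

    # 3. Lifetime, allowing for clock skew.
    $now = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
    if ($claims.exp -le ($now - $SkewSeconds)) { $failures.Add("token expired") }
    if ($claims.nbf -gt ($now + $SkewSeconds)) { $failures.Add("token not yet valid") }

    # 4. Nonce ties the token to the authorize request this browser session started (anti-replay).
    if ($claims.nonce -ne $Nonce) { $failures.Add("nonce mismatch") }

    # 5. Key the local user on tid + oid, which are stable; email and preferred_username can change.
    [pscustomobject]@{ Claims = $claims; UserKey = "$($claims.tid):$($claims.oid)"; Failures = $failures }
}

$result = Test-EntraIdToken -Token $idToken -TenantId $tenantId -ClientId $clientId -Nonce $nonce
if ($result.Failures.Count -eq 0) { "Accept: $($result.UserKey)" }
else { $result.Failures | ForEach-Object { "REJECT: $_" } }

# The same token presented to an app that expects a different tenant fails on issuer and tid.
$otherTenant = "44444444-4444-4444-4444-444444444444"
(Test-EntraIdToken -Token $idToken -TenantId $otherTenant -ClientId $clientId -Nonce $nonce).Failures
```

In production this logic belongs in a maintained OIDC library (for example MSAL or the platform's OpenID Connect middleware) configured with your tenant's authority; the point of spelling it out is that issuer plus tid, audience, and nonce are the checks that most often get loosened in multi-tenant deployments, and each omission is an account takeover path.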
Apart from the usual protocol-based SSO, there are three other types of SSO that you can configure for your applications. They are:
Linked-based SSO
Linked-based SSO enables Microsoft Entra ID to provide SSO to applications already configured for SSO in another directory or service. This option allows administrators to specify the target location when a user selects the application from My Apps or the Microsoft 365 portal. While linked SSO does not provide actual sign-on functionality through Microsoft Entra ID, it is valuable for scenarios such as adding links to custom web applications that use federation (e.g., ADFS) or for apps that do not require authentication.
Password-based SSO
Password-based SSO allows users to sign in to an application with its own username and password the first time. Microsoft Entra ID then stores those credentials encrypted and, through the My Apps Secure Sign-in browser extension, fills them into the application's sign-in form on later visits for as long as the user is signed in to Microsoft Entra ID. This reuses the application's existing login page and works with any cloud application that has an HTML-based sign-in form. Administrators can also set and rotate the application credentials themselves, so users never learn them, which helps with shared service accounts and with applications that do not support SAML or OIDC. Note that the application still authenticates with a password it alone verifies, so Microsoft Entra ID's MFA and Conditional Access protect access to the stored credential, not the application's own account.
One-click SSO
One-click SSO is available for applications from the Microsoft Entra application gallery (also surfaced through Azure Marketplace) that support SAML. Selecting it on the Microsoft Entra SSO configuration page pushes the identity provider metadata (sign-on URL, identifier and signing certificate) to the application side automatically, which removes most of the manual setup. It is well suited to organizations that want SSO quickly with minimal technical overhead, since it avoids a back-and-forth with the application vendor's support during setup.
How do you configure Microsoft Entra SSO?
Setting up SSO for Microsoft Entra ID applications differs for each type of SSO method. However, there are common elements to these steps that you can keep in mind while setting it up. These include:
Registering an application in Microsoft Entra ID: Add the application you want to integrate with Microsoft Entra SSO under Enterprise applications in the Microsoft Entra admin center, either from the gallery or as a custom (non-gallery) application.
Deciding on the appropriate SSO method: Choose between various SSO methods, such as SAML or OpenID Connect, depending on the application's compatibility and your organization's requirements. Each method has its own setup process and configuration details that need to be followed.
Acquiring necessary app details: Gather the values the two sides exchange. From the application: its Identifier (Entity ID), Reply URL (Assertion Consumer Service URL) and sign-on URL for SAML, or its redirect URIs for OpenID Connect. From Microsoft Entra ID: the login URL, the Microsoft Entra identifier and the token-signing certificate, or the federation metadata URL that carries all three. Getting these exactly right, in particular the Reply URL and the certificate, is what makes the trust between Microsoft Entra ID and the application secure; a wrong or overly broad Reply URL means assertions can be delivered to the wrong place.
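The three steps above carried through with the Microsoft Graph PowerShell SDK, as an added example that is not part of the original page. It registers a custom (non-gallery) SAML application, selects SAML as the SSO method, sets the application's identifier and URLs, issues a token-signing certificate, requires assignment, assigns a group, and prints the identity-provider details the application side needs. The display name, URLs, notification mailbox and group name are placeholders; the template GUID is the built-in custom application template.

```powershell
# Added example (not from the original page): configure SAML SSO for a custom enterprise app via
# Microsoft Graph PowerShell. Display name, URLs, mailbox and group name are placeholders.
# Run as Cloud Application Administrator; Global Administrator is not needed for any of this.
Connect-MgGraph -Scopes "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All", "Group.Read.All"

$displayName = "Contoso Expense Portal"
$entityId    = "https://expenses.contoso.example/saml/metadata"  # Identifier (Entity ID) the app presents
$acsUrl      = "https://expenses.contoso.example/saml/acs"       # Reply URL (Assertion Consumer Service)
$signOnUrl   = "https://expenses.contoso.example/"               # Sign on URL for SP-initiated sign-in

# Step 1: register. Instantiating the built-in "custom" template creates the application object and
# its service principal, which is what the admin center lists under Enterprise applications.
$customTemplateId = "8adf8e6e-67b2-4cf2-a259-e3dc5476c621"
$created = Invoke-MgInstantiateApplicationTemplate -ApplicationTemplateId $customTemplateId -DisplayName $displayName
$appObjectId = $created.Application.Id
$spId        = $created.ServicePrincipal.Id
Start-Sleep -Seconds 15   # new objects can take a few seconds to replicate before they accept updates

# Step 2: choose the SSO method.
Update-MgServicePrincipal -ServicePrincipalId $spId -PreferredSingleSignOnMode "saml"

# Step 3: basic SAML configuration. Identifier and Reply URL live on the application object;
# Sign on URL, notification address and the signing certificate live on the service principal.
Update-MgApplication -ApplicationId $appObjectId -IdentifierUris @($entityId) -Web @{ RedirectUris = @($acsUrl) }
Update-MgServicePrincipal -ServicePrincipalId $spId -LoginUrl $signOnUrl -NotificationEmailAddresses @("idp-ops@contoso.example")

# Entra ID generates the token-signing certificate; the application must trust exactly this one.
$cert = Add-MgServicePrincipalTokenSigningCertificate -ServicePrincipalId $spId -DisplayName "CN=$displayName SAML Signing" -EndDateTime (Get-Date).AddYears(2)
Update-MgServicePrincipal -ServicePrincipalId $spId -PreferredTokenSigningKeyThumbprint $cert.Thumbprint

# Require assignment and assign one group, so only intended users ever receive an assertion.
Update-MgServicePrincipal -ServicePrincipalId $spId -AppRoleAssignmentRequired:$true
$group  = Get-MgGroup -Filter "displayName eq 'Expense Portal Users'"
$sp     = Get-MgServicePrincipal -ServicePrincipalId $spId
$role   = $sp.AppRoles | Where-Object { $_.IsEnabled -and $_.AllowedMemberTypes -contains "User" } | Select-Object -First 1
$roleId = if ($role) { $role.Id } else { "00000000-0000-0000-0000-000000000000" }   # default access role
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $spId -PrincipalId $group.Id -ResourceId $spId -AppRoleId $roleId

# The identity-provider details to hand to the application side.
$tenantId = (Get-MgContext).TenantId
[pscustomobject]@{
    IdpEntityId        = "https://sts.windows.net/$tenantId/"
    SamlSignOnUrl      = "https://login.microsoftonline.com/$tenantId/saml2"
    FederationMetadata = "https://login.microsoftonline.com/$tenantId/federationmetadata/2007-06/federationmetadata.xml?appid=$($created.Application.AppId)"
    SigningCertThumb   = $cert.Thumbprint
}
```

Two choices here are deliberate security settings rather than conveniences: AppRoleAssignmentRequired stops every user in the tenant from being able to obtain an assertion for the app, and recording the certificate thumbprint lets the application pin the signing certificate and detect an unexpected rotation. Put a calendar reminder on the certificate's end date; when it expires, SSO for the application stops working.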
Enhancing your Microsoft Entra ID administration with M365 Manager Plus
ManageEngine M365 Manager Plus is a comprehensive administration and security solution for Microsoft 365 used for reporting, managing, monitoring, auditing, and creating alerts for critical activities in your Microsoft 365 environments. You can easily manage users, groups, contacts, mailboxes, teams, and sites in bulk and automate these processes, all without any PowerShell scripting.
There are also other benefits to using M365 Manager Plus to manage and monitor your Microsoft 365 environment.
- Gain a thorough understanding of not just your Microsoft Entra ID environment but also Exchange Online, SharePoint Online, OneDrive for Business, and other Microsoft 365 services with detailed reports and intuitive visualizations.
- Filter your reports just once and save them as custom reports that you can access in just a few clicks.
- Export reports generated in M365 Manager Plus in not just CSV but also other presentable formats, such as HTML, PDF, and XLSX.
- Delegate granular permissions to technicians without elevating their Microsoft 365 privileges, and create custom roles with any combination of reporting, management, and auditing tasks.
- Easily manage users, groups, contacts, mailboxes, teams, and sites in bulk without PowerShell scripting.
- Keep tabs on even the most granular user activities in your Microsoft Entra ID and Microsoft 365 environments.
- Configure alert profiles in M365 Manager Plus to notify you of specific activities that take place outside of business hours or occur at unusual frequencies.
- Monitor the health and performance of Microsoft 365 features and endpoints around the clock.