Azure AD SSO and Disabled Computer Accounts

Posted in Authentication, Azure Active Directory, Azure AD, Office, Office 365, SSO

When you enable Azure AD Seamless SSO, Azure AD Connect creates a computer account called AZUREADSSOACC in your on-premises Active Directory. That account represents Azure AD inside your forest: domain-joined clients request a Kerberos service ticket for it, and Azure AD uses the account's Kerberos key to decrypt that ticket and sign the user in. Do not disable this account, or SSO stops working.

I’ve had a few clients in the past week disable this when generally disabling all the computer accounts that have not logged in for X days.

So if you have Azure AD SSO enabled, update your documentation on disabling computer accounts: not every computer account actually logs on as a computer. AZUREADSSOACC never authenticates to the domain itself; it is only ever the target of Kerberos service tickets, so its last-logon timestamp never moves and any "inactive for X days" query will flag it as stale. Cluster name objects behave the same way. Also consider whether disabling accounts for computers that no longer log on is necessary at all, and if it is, keep an explicit exclusion list for accounts like this one.

Then also set a description on the AZUREADSSOACC account saying do not disable, so that whoever runs the next clean-up sees the warning before acting on it.
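As an added example (not part of the original post), here is one way to put both steps together in PowerShell: a stale computer clean-up that first tags AZUREADSSOACC with a warning description and then skips it, and any other exempt name, before disabling anything. The 90-day threshold, the exclusion list and the description text are assumptions to fit to your own policy; the script needs the ActiveDirectory RSAT module and keeps -WhatIf on until you remove it.

```powershell
# Added example, not from the original post: stale computer-account clean-up
# that never touches AZUREADSSOACC (or any other account you list as exempt).
# Assumptions: 90-day inactivity threshold, exclusion list, description text.
Import-Module ActiveDirectory

$InactiveDays = 90
# Accounts that never log on as a computer but must stay enabled.
# AZUREADSSOACC is the Seamless SSO account; add cluster name objects etc. here.
$NeverDisable = @('AZUREADSSOACC')

# 1. Tag the SSO account so the warning is visible in ADUC before anyone acts.
#    -Filter rather than -Identity so a missing account returns $null instead of an error.
$sso = Get-ADComputer -Filter "Name -eq 'AZUREADSSOACC'" -Properties Description, Enabled
if ($null -eq $sso) {
    Write-Warning 'AZUREADSSOACC not found - is Seamless SSO enabled in this forest?'
} else {
    Set-ADComputer -Identity $sso -Description 'Azure AD Seamless SSO account. DO NOT DISABLE OR DELETE - SSO will break.'
    if (-not $sso.Enabled) {
        # This is exactly the failure the post describes: the account was swept up
        # by an earlier clean-up. Re-enabling it restores SSO.
        Write-Warning 'AZUREADSSOACC is disabled; re-enabling it.'
        Enable-ADAccount -Identity $sso
    }
}

# 2. Find enabled computer accounts with no authentication in $InactiveDays days.
#    AZUREADSSOACC will always appear here, because it never logs on itself.
$stale = Search-ADAccount -AccountInactive -ComputersOnly -TimeSpan ([TimeSpan]::FromDays($InactiveDays)) |
    Where-Object { $_.Enabled }

# 3. Split out the exempt accounts, report them, and disable only the rest.
$skipped   = $stale | Where-Object { $NeverDisable -contains $_.Name }
$toDisable = $stale | Where-Object { $NeverDisable -notcontains $_.Name }

$skipped | ForEach-Object { Write-Warning "Skipping exempt account $($_.Name) (no interactive logon by design)" }

"{0} stale computer accounts found, {1} exempt, {2} to disable" -f @($stale).Count, @($skipped).Count, @($toDisable).Count

# Dry run first; remove -WhatIf once the report looks right.
$toDisable | Disable-ADAccount -WhatIf
```

The exclusion is keyed on the account's Name (the CN, without the trailing $ of the sAMAccountName), which is what Search-ADAccount returns. If your clean-up is driven from a different tool or a saved LDAP query, carry the same exclusion list across to it; the description alone only helps a human who happens to look at the object.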


5 thoughts on “Azure AD SSO and Disabled Computer Accounts”

  1. Azure AD SSO is in preview and only for password sync or passthrough auth. What is your opinion about Azure AD SSO (& passthrough auth) vs. ADFS?

      1. Thanks Brian, I read that only modern authentication is supported, thus Office and Edge. Do you know if IE, Chrome etc. support modern auth? And is there a list or baseline of which apps support this SSO?

        1. All browsers do modern auth, as “modern auth” is a browser-based control. All apps (mobile) apart from ActiveSync do modern auth. Only Office 2016 and later does modern auth for the Office suite. Office 2013 requires an update and registry keys to enable it.

          1. Thank you very much for your information. Sounds like PTA and SSO are the better mainstream choice. When using Azure AD we can then federate our SaaS apps with Azure AD SAML, so no need for ADFS there either!
