Azure AD SSO and Disabled Computer Accounts


When you set up Azure AD SSO, the Azure AD Connect application creates a computer account called AZUREADSSOACC. Do not disable this account, or SSO stops working.

I’ve had a few clients in the past week disable this when generally disabling all the computer accounts that have not logged in for X days.

Therefore, if you have Azure AD SSO enabled, I suggest updating your documentation on disabling computer accounts, because not all computer accounts actually log in as computers (I’m thinking of Cluster services here as well). Also consider whether disabling accounts for computers that are no longer logging in is actually necessary.

Then also take the AZUREADSSOACC account and set a description on it saying do not disable!
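As an added example (not code from the original post), here is one way to build that exclusion into a stale-computer cleanup and label the account at the same time. The 90-day threshold, the description text and the SPN check used to spot cluster objects are assumptions to adjust for your environment.

```powershell
# Added example: stale-computer cleanup that never touches AZUREADSSOACC.
# Requires the ActiveDirectory module (RSAT). Assumed values are marked.
Import-Module ActiveDirectory

$StaleDays    = 90                    # assumed threshold (the "X days" in the post)
$NeverDisable = @('AZUREADSSOACC')    # computer accounts that must stay enabled

# 1. Label the SSO account and warn if someone has already disabled it.
$sso = Get-ADComputer -Filter "Name -eq 'AZUREADSSOACC'" -Properties Description
if ($sso) {
    # Description text is an assumption; use your own wording.
    Set-ADComputer -Identity $sso -Description 'Azure AD SSO - DO NOT DISABLE'
    if (-not $sso.Enabled) {
        Write-Warning 'AZUREADSSOACC is disabled: SSO will not work until it is re-enabled.'
    }
}

# 2. Find enabled computer accounts with no recent logon, then drop the
#    protected names and anything that looks like a cluster object.
#    The MSClusterVirtualServer SPN test is a heuristic, not a guarantee.
$candidates = Search-ADAccount -AccountInactive -ComputersOnly `
                  -TimeSpan (New-TimeSpan -Days $StaleDays) |
    Where-Object { $_.Enabled } |
    ForEach-Object {
        Get-ADComputer -Identity $_.DistinguishedName `
            -Properties ServicePrincipalName, LastLogonTimestamp
    } |
    Where-Object {
        ($NeverDisable -notcontains $_.Name) -and
        -not (@($_.ServicePrincipalName) -like 'MSClusterVirtualServer/*')
    }

# 3. Review the list before anything is changed.
$candidates |
    Select-Object Name,
        @{ n = 'LastLogon'; e = { [DateTime]::FromFileTime($_.LastLogonTimestamp) } } |
    Sort-Object LastLogon |
    Format-Table -AutoSize

# 4. Dry run only. Remove -WhatIf once the list has been checked by a person.
$candidates | Disable-ADAccount -WhatIf
```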


Comments

5 responses to “Azure AD SSO and Disabled Computer Accounts”

  1. Filip

    Azure AD SSO is in preview and only for password sync or passthrough auth. What is your opinion about Azure AD SSO (& passthrough auth) vs. ADFS?

    1. Brian Reid

      It’s now in GA as of Ignite the other week. I would opt for SSO over ADFS unless you still had or need to block legacy auth applications.

      1. Filip

        Thanks Brian, I read that only modern authentication is supported, thus Office and Edge. Do you know if IE, Chrome etc. support modern auth? And is there a list or baseline which apps support this SSO?

        1. Brian Reid

          All browsers do modern auth, as “modern auth” is a browser-based control. All apps (mobile) apart from ActiveSync do modern auth. Only Office 2016 and later does modern auth for the Office suite. Office 2013 requires an update and registry keys to enable it.

          1. Filip

            Thank you very much for your information. Sounds like PTA and SSO are a better choice mainstream. When using Azure AD we then can federate our SaaS apps with Azure AD SAML so no need for ADFS there also!
