Pass-through Authentication is an interesting alternative to implementing Active Directory Federation Services. In essence, agents installed on on-premises servers pull the authentication requests from the cloud, validate the user's credentials against the local Active Directory, and return the result to the cloud. So far I have not run into any drawbacks of this solution, and it is much simpler and faster to implement than my favourite ADFS service. One inconvenience is the need to add the autologon.microsoftazuread-sso.com site to the Local Intranet zone.
There are various methods described on Microsoft's pages, but for me the most reliable one is a PowerShell script (if we roll it out at scale via GPO, we may also have to set the PowerShell Execution Policy on the workstations – see the next post):
```powershell
#Functions from https://github.com/LanLorde/Scritps2/blob/57d714240dc0338da8c7123f33693e092905f53e/PowerShell/LessUsed/OneDriveMapper_v2.53.ps1
function addSiteToIEZoneThroughRegistry{
    Param(
        [String]$siteUrl,
        [Int]$mode=2 #1=intranet, 2=trusted sites
    )
    try{
        $components = $siteUrl.Split(".")
        $count = $components.Count
        if($count -gt 3){
            # More than one subdomain level: collapse everything in front of the
            # registered domain into a single subkey name (a.b.example.com -> "a.b")
            $old = $components
            $components = @()
            $subDomainString = ""
            for($i=0;$i -le $count-3;$i++){
                if($i -lt $count-3){$subDomainString += "$($old[$i])."}else{$subDomainString += "$($old[$i])"}
            }
            $components += $subDomainString
            $components += $old[$count-2]
            $components += $old[$count-1]
        }
        if($count -gt 2){
            # Layout used by the zone map: Domains\<registered domain>\<subdomain>, value "https" = zone number
            $res = New-Item "hkcu:\software\microsoft\windows\currentversion\internet settings\zonemap\domains\$($components[1]).$($components[2])" -ErrorAction SilentlyContinue
            $res = New-Item "hkcu:\software\microsoft\windows\currentversion\internet settings\zonemap\domains\$($components[1]).$($components[2])\$($components[0])" -ErrorAction SilentlyContinue
            $res = New-ItemProperty "hkcu:\software\microsoft\windows\currentversion\internet settings\zonemap\domains\$($components[1]).$($components[2])\$($components[0])" -Name "https" -value $mode -ErrorAction Stop
        }else{
            # Bare registered domain (example.com): the zone value sits directly on the domain key
            $res = New-Item "hkcu:\software\microsoft\windows\currentversion\internet settings\zonemap\domains\$($components[0]).$($components[1])" -ErrorAction SilentlyContinue
            $res = New-ItemProperty "hkcu:\software\microsoft\windows\currentversion\internet settings\zonemap\domains\$($components[0]).$($components[1])" -Name "https" -value $mode -ErrorAction Stop
        }
    }catch{
        return -1
    }
    return $True
}

function checkRegistryKeyValue{
    Param(
        [String]$basePath,
        [String]$entryName
    )
    try{
        $value = (Get-ItemProperty -Path "$($basePath)" -Name $entryName -ErrorAction Stop).$entryName
        return $value
    }catch{
        # Key or value missing
        return -1
    }
}

#Main
if((checkRegistryKeyValue -basePath "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\microsoftazuread-sso.com\autologon" -entryName "https") -eq 1){
    Write-Host "SSO – already exist"
    Exit
}
if((checkRegistryKeyValue -basePath "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\microsoftazuread-sso.com\autologon" -entryName "https") -eq 2){
    Write-Host "SSO – already in wrong place"
    Write-EventLog -LogName "Application" -Source "Office365" -EventID 666 -EntryType Information -Message "autologon.microsoftazuread-sso.com – exist in Trusted Zones" -Category 1 -RawData 10,20
    Exit
}
if ((addSiteToIEZoneThroughRegistry -siteUrl "autologon.microsoftazuread-sso.com" -mode 1) {
    Write-Host "SSO – just enabled"
}
```
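The script above only inspects the per-user Domains key it writes itself, so it cannot tell whether a zone assignment came from the script or from a GPO, nor report the effective zone once policy is involved. The following audit function is an added example, not code from the original post or from the OneDriveMapper project. It assumes (this is not stated on the page) that the "Site to Zone Assignment List" policy stores its entries as URL-named values under `...\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey` in HKLM and HKCU, and that such policy entries take precedence over the per-user Domains keys. The function names `Get-DomainsKeyPath`, `Get-ZoneMapEntry` and `Test-SsoZone` are hypothetical.

```powershell
# Added audit example: report where autologon.microsoftazuread-sso.com currently
# sits in the IE/Edge zone map and whether that matches what Seamless SSO needs.
# Assumptions (not from the post): policy entries live under ...\Policies\...\ZoneMapKey
# as values named by URL, and policy wins over the per-user Domains keys.

$SsoHost   = 'autologon.microsoftazuread-sso.com'
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }

function Get-DomainsKeyPath {
    # Mirror the layout the post's script writes: Domains\<registered domain>\<subdomain part>
    Param([String]$HostName, [String]$Hive = 'HKCU')
    $parts = $HostName.Split('.')
    $base  = "${Hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
    if ($parts.Count -le 2) { return "$base\$HostName" }
    $registered = $parts[-2..-1] -join '.'            # microsoftazuread-sso.com
    $sub        = $parts[0..($parts.Count - 3)] -join '.'  # autologon (or a.b for deeper names)
    return "$base\$registered\$sub"
}

function Get-ZoneMapEntry {
    Param([String]$HostName)
    # 1. Policy-delivered assignments (assumed location), machine policy first
    foreach ($hive in 'HKLM', 'HKCU') {
        $polKey = "${hive}:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey"
        if (Test-Path $polKey) {
            $props = Get-ItemProperty -Path $polKey
            foreach ($name in $props.PSObject.Properties.Name) {
                # Policy value names are URLs such as https://host or bare host names
                if ($name -match "^(https?://)?$([regex]::Escape($HostName))/?$") {
                    return [pscustomobject]@{ Host = $HostName; Zone = [int]$props.$name; Source = "$hive policy ($name)" }
                }
            }
        }
    }
    # 2. The Domains keys the post's script populates (user first, then machine)
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = Get-DomainsKeyPath -HostName $HostName -Hive $hive
        if (Test-Path $key) {
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            foreach ($scheme in 'https', 'http') {
                $v = $props.PSObject.Properties[$scheme]
                if ($null -ne $v) {
                    return [pscustomobject]@{ Host = $HostName; Zone = [int]$v.Value; Source = "$hive Domains ($scheme)" }
                }
            }
        }
    }
    return [pscustomobject]@{ Host = $HostName; Zone = $null; Source = 'not assigned' }
}

function Test-SsoZone {
    Param([String]$HostName = $SsoHost)
    $entry = Get-ZoneMapEntry -HostName $HostName
    if ($null -eq $entry.Zone) {
        $label  = 'none'
        $status = 'MISSING: not assigned to any zone yet'
    } else {
        $label = "$($entry.Zone) ($($ZoneNames[$entry.Zone]))"
        $status = if ($entry.Zone -eq 1) { 'OK: Local Intranet, as the post requires' }
                  elseif ($entry.Zone -eq 2) { "WRONG PLACE: Trusted Sites, the case the post's script logs as event 666" }
                  else { 'UNEXPECTED: zone differs from both Intranet and Trusted Sites' }
    }
    [pscustomobject]@{ Host = $HostName; Zone = $label; Source = $entry.Source; Status = $status }
}

Test-SsoZone | Format-List
```

Run it on a workstation after the script or the GPO has been applied. The `Source` field tells you whether the assignment came from policy or from the per-user Domains key, which is the first thing to check when a machine reports the host in Trusted Sites even though the script placed it in the Intranet zone: a policy entry set elsewhere would override what the script wrote.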