In this article, I will show you how to set up password-based single sign-on (SSO) with Azure Active Directory for applications that don't support SAML-based authentication.
Xero, for example, doesn't support SAML-based authentication. However, I still want to centralize all logins in Azure AD and keep all the passwords, so in case one of the users leaves the business, all I need to do is disable their Azure AD account and they will lose access to Xero automatically.
I also set up an email rule in Exchange Online to forward all Xero password reset and setup emails to a special mailbox, so users won't be able to reset the password using email.
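One way such a rule could be written in Exchange Online PowerShell, as an added example that is not the rule used in this article. The mailbox, group, admin account, sender domain and keywords are all placeholder assumptions.

```powershell
# Added example: every address, name and keyword below is a placeholder,
# not a value taken from the article.
# Requires the ExchangeOnlineManagement module and an Exchange admin role.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$ResetMailbox = 'xero-resets@contoso.example'  # placeholder shared mailbox
$XeroUsers    = 'xero-users@contoso.example'   # placeholder mail-enabled group of Xero users
$AdminUser    = 'it-admin@contoso.example'     # placeholder admin who handles resets
$SenderDomain = 'vendor.example'               # placeholder: copy the real sender domain
                                               # from the headers of a received reset email
$RuleName     = 'Redirect Xero account email to IT'

# Shared mailbox that only the admin can open.
New-Mailbox -Shared -Name 'Xero Resets' -PrimarySmtpAddress $ResetMailbox
Add-MailboxPermission -Identity $ResetMailbox -User $AdminUser `
    -AccessRights FullAccess -InheritanceType All

# RedirectMessageTo delivers the message ONLY to the shared mailbox.
# (BlindCopyTo would still leave a copy in the user's inbox.)
$rule = @{
    Name                       = $RuleName
    FromScope                  = 'NotInOrganization'
    SenderDomainIs             = $SenderDomain
    SentToMemberOf             = $XeroUsers
    SubjectOrBodyContainsWords = 'password', 'reset', 'verify'  # constructed keywords
    RedirectMessageTo          = $ResetMailbox
    Mode                       = 'Audit'   # log matches first, take no action yet
    Comments                   = 'Keeps app password resets out of user inboxes'
}
New-TransportRule @rule

# After confirming in message trace that only the intended mail matches,
# switch the rule from audit to enforcement.
Set-TransportRule -Identity $RuleName -Mode Enforce

# Verify the final state of the rule.
Get-TransportRule -Identity $RuleName |
    Format-List Name, State, Mode, SenderDomainIs, SentToMemberOf, RedirectMessageTo
```

Scoping the rule to a group of Xero users means new users are covered as soon as they are added to the group, before their Xero password is assigned in Azure AD.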
To get started, I will log in to the Azure Portal -> Azure Active Directory -> All applications.
I will add a new application.
In this example, I will use Xero, but I can use any application.
From the Single Sign-on menu, I will select Password-based Sign-on and type the login URL.
Add And Configure Users
Next, I will add the users that have access to Xero (I reset their passwords beforehand using Forgot my password and used my email rule to receive the password reset emails).
I will add the user from the list.
In this step, which is very important, I will select Yes to assign a username and password and will fill in the details.
Log In to the Application from Azure AD
To log in, all the users have to do is go to Azure AD My Apps or the Office 365 app launcher and select the app from the list.
In cases where SAML-based authentication is not available or requires an upgrade to a more expensive plan, password-based sign-on is recommended.
Using this option, you avoid cases where employees who have left the business still have access to important data.
About Azure AD
Azure Active Directory, also known as Azure AD, is Microsoft's multi-tenant, cloud-based directory and identity management service. It combines core directory services, application access management, and identity protection into a single solution.
One response to “How To Configure Password Based Sign-on with Azure AD”
I really like what you are doing here. What was the email rule you set up to receive the password reset requests? What type of mailbox did you set up?