KnowledgeBase: You cannot manage the Desktop SSO feature with the Hybrid Identity Administrator role

Azure AD Connect

On March 19th, 2021, Microsoft introduced Azure AD Connect version 1.6.2.4 to incorporate the lessons learned and distribute the fixes Microsoft made to the larger public. As part of its version release history, Microsoft added the following line to the release notes for this version:

Azure AD Connect now supports the Hybrid Identity Administrator role for configuring the service.

Alas, this line applies to all but one implementation scenario.


The situation

You implement Azure AD Connect with the Enable seamless single sign-on option enabled, or you add an additional Azure AD Connect installation to an Azure AD tenant that already has this option enabled.

On the Connect to Azure AD page of the Microsoft Azure Active Directory Connect wizard, you specify an account that has the Hybrid Identity administrator role assigned, but not the Global administrator role.

The Enable seamless single sign-on option enables the Desktop Single Sign-on (DSSO) feature.


The issue

On the Enable single sign-on page of the Microsoft Azure Active Directory Connect wizard, you encounter a "Cannot retrieve single sign-on status." error:

Error "Cannot retrieve single sign-on status." on the Enable single sign-on page of the Microsoft Azure Active Directory Connect wizard

This error prevents you from continuing to configure Azure AD Connect.

In the Event viewer (eventvwr.exe) you additionally encounter an error:

Event ID 0 with source Azure AD Connect Authentication Agent

The error with EventID 0 and source Azure AD Connect Authentication Agent provides the following information:

Connector registration failed: Make sure you are a Global Administrator of your Active Directory to register the Connector. Error: "The registration request was denied. Details: User is unauthorized."


The cause

This error occurs because managing the Desktop SSO feature is not supported with the Hybrid Identity Administrator role.


The solution

The Desktop SSO feature can currently only be managed using an account with the Global Administrator role.

Press the Previous button in the Microsoft Azure Active Directory Connect wizard until you reach the Connect to Azure AD page again. Alternatively, you can click on the Connect to Azure AD node in the left navigation menu.

Enter the credentials of an account with the Global administrator role assigned on this page. Continue the wizard again, but this time with success.
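Before re-running the wizard it helps to confirm two things from the server itself: that the failure really is the connector registration denial described in the issue section above, and that the account you are about to enter holds the Global Administrator role directly rather than, say, only Hybrid Identity Administrator. The following PowerShell is an added example written for this article, not a script from Microsoft or from the Azure AD Connect product. It assumes the Authentication Agent logs to the Application log under the provider name shown in the event, and that the Microsoft Graph PowerShell SDK is installed so role membership can be read with the Directory.Read.All permission.

```powershell
# Added example (not part of the original article): pre-flight checks to run on the
# Azure AD Connect server before returning to the Connect to Azure AD page.
# Assumptions: the Authentication Agent writes to the Application log with provider name
# "Azure AD Connect Authentication Agent"; the Microsoft.Graph module is installed.

function Get-DssoRegistrationFailure {
    # Returns the registration-denied events from the article (Event ID 0, source
    # "Azure AD Connect Authentication Agent"), newest first; empty when none exist.
    param([int]$MaxEvents = 10)

    $filter = @{
        LogName      = 'Application'                              # assumption: log name
        ProviderName = 'Azure AD Connect Authentication Agent'    # source from the event
        Id           = 0
    }
    # Get-WinEvent raises a non-terminating error when nothing matches; silence it.
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'registration request was denied' } |
        Select-Object TimeCreated, Id, ProviderName, Message
}

function Test-GlobalAdministrator {
    # Returns $true when the UPN is a direct member of the Global Administrator
    # directory role, which is what the Desktop SSO connector registration requires.
    # Direct assignments only: PIM-eligible or group-based assignments are not listed
    # here, so activate an eligible assignment first and re-check.
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    Connect-MgGraph -Scopes 'Directory.Read.All' | Out-Null

    # Global Administrator is always an activated directory role in a tenant.
    $role = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
    if (-not $role) { throw 'Global Administrator role was not returned by Microsoft Graph.' }

    $members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All
    $upns = foreach ($m in $members) { $m.AdditionalProperties['userPrincipalName'] }

    return [bool]($upns -contains $UserPrincipalName)
}

# Usage: confirm the symptom, then verify the account before re-entering credentials.
$failures = Get-DssoRegistrationFailure
if ($failures) {
    Write-Host "Found $($failures.Count) connector registration denial(s); latest:"
    $failures | Select-Object -First 1 | Format-List TimeCreated, Message
}

$account = 'admin@contoso.example'   # placeholder: the account you intend to use in the wizard
if (Test-GlobalAdministrator -UserPrincipalName $account) {
    Write-Host "$account holds Global Administrator; the Enable single sign-on page should succeed."
} else {
    Write-Warning "$account is not a direct Global Administrator; the DSSO registration will be denied."
}
```

The event query is the detection half: if no denial event is present, the "Cannot retrieve single sign-on status." message has a different cause and swapping accounts will not help. The role check is deliberately strict about direct membership, because the wizard registers the connector with whatever the signed-in account effectively holds at that moment, so an eligible-but-unactivated assignment produces the same "User is unauthorized." denial.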


Concluding

Following Microsoft’s recommended practices for using least privileged roles to accomplish administrative tasks proved troublesome yesterday.

In Azure Active Directory, Microsoft can fix things overnight. I’m sure this issue will be fixed in the coming months. In the meantime, please be advised to use an account with the Global administrator role assigned when managing Desktop SSO.


Hat Tip

My SCCT colleague Rob Bethbeder brought this issue to my attention.
