Automatic Hybrid Sign-in and Self-Service for Synced Azure AD users
Self-service user and group management in Active Directory has been updated to support hybrid sign-in in the Web Portal. When a user signs in with Automatic sign-in (SSO) for Entra ID in Cayosoft Web Portal, the Cayosoft Administrator Service performs the access check using both the Azure AD permissions and the Active Directory permissions configured for that user. Learn more in: Role-based delegation.
Users who signed in to the Web Portal using the Automatic sign-in (SSO) for Entra ID in Cayosoft Web Portal can use both Active Directory and Microsoft 365 Self-Service web queries.
When a synced user signs in to the Web Portal with Automatic sign-in (SSO) for Entra ID in Cayosoft Web Portal, the Cayosoft Administrator Service looks up the corresponding user in Active Directory.
The match is made between the msDS-ExternalDirectoryObjectID attribute of the Active Directory user and the ObjectId attribute of the Microsoft 365 user. If a corresponding Active Directory user is found, the Cayosoft Administrator Service adds that user's Active Directory permissions to the effective access check. This combination of Active Directory and Microsoft 365 roles is called hybrid sign-in: a user who has permission to manage Active Directory objects and who has a corresponding Microsoft 365 account can manage those Active Directory objects after signing in to the Web Portal with Azure AD authentication.
The Microsoft 365 user can also see Approval and Certification tasks created for the corresponding Active Directory user account, and objects in Self-Service web queries to which they have access.
NOTE: Active Directory extension settings and Hybrid extension settings must also be enabled to get the configured Active Directory user roles.
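The match described above can be checked from the AD side before relying on it. The following PowerShell is an added example, not Cayosoft code; it assumes the ActiveDirectory module, read access to the users' OU, and the fact that Entra Connect writeback stores msDS-ExternalDirectoryObjectID as "User_<ObjectId>" for synced users. The ObjectId in the usage line is a constructed sample value.

```powershell
# Added example (not Cayosoft's code): verify the AD <-> Entra ID match that hybrid sign-in relies on.
# Assumes the ActiveDirectory module and read access to the OU containing the synced users.
Import-Module ActiveDirectory

function Find-HybridAdUser {
    param(
        # ObjectId of the Entra ID (Microsoft 365) user, as shown in the Entra portal or Graph
        [Parameter(Mandatory)] [guid] $CloudObjectId,
        [string] $SearchBase = (Get-ADDomain).DistinguishedName
    )
    # Entra Connect writes msDS-ExternalDirectoryObjectID as "User_<ObjectId>" for synced user objects
    $expected = "User_$CloudObjectId"
    $found = @(Get-ADUser -Filter "msDS-ExternalDirectoryObjectID -eq '$expected'" `
                -SearchBase $SearchBase -Properties 'msDS-ExternalDirectoryObjectID')

    switch ($found.Count) {
        0       { throw "No AD user carries msDS-ExternalDirectoryObjectID '$expected'; hybrid sign-in would fall back to cloud roles only." }
        1       { return $found[0] }
        default { throw "Ambiguous match: $($found.Count) AD users carry '$expected': $($found.DistinguishedName -join ', ')" }
    }
}

# Reverse direction: derive the cloud ObjectId from an AD user's attribute
function Get-CloudObjectIdFromAdUser {
    param([Parameter(Mandatory)] [string] $SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties 'msDS-ExternalDirectoryObjectID'
    $raw = $u.'msDS-ExternalDirectoryObjectID'
    if (-not $raw) { return $null }      # not synced, or writeback has not populated it yet
    return [guid]($raw -replace '^User_', '')
}

# Usage (the ObjectId below is a constructed sample value)
$adUser = Find-HybridAdUser -CloudObjectId '2d4f1c9e-7a3b-4e6c-9f08-1b2c3d4e5f60'
"{0} -> {1}" -f $adUser.DistinguishedName, (Get-CloudObjectIdFromAdUser $adUser.SamAccountName)
```

A zero-match result is the case to watch in practice: the user still signs in, but only with their Microsoft 365 roles, so the Active Directory self-service queries they expect will be missing. A multi-match result points at a duplicated or mis-copied attribute and should be resolved before hybrid sign-in is enabled for that user.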
If you added a forest to the Managed Domains table and this forest has no trust with the home forest where the Administrator Service is installed, use the Sign-in form for Azure Active Directory/Office 365 accounts authentication to manage objects from that forest in the Web Portal. Learn more in: Web Portal settings.
The minimal permissions that the AD connection account needs on the OU containing the signing-in AD user, for the hybrid sign-in connect to succeed, are:
List content;
Read permissions;
Read properties: distinguishedName, objectGuid, objectSid, tokenGroups, tokenGroupsNoGCAcceptable.
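Granting exactly these rights, rather than making the connection account a Domain Admin, is the least-privilege option. The PowerShell below is an added example and not Cayosoft code; the account name CORP\svc-cayosoft and the OU OU=Staff,DC=corp,DC=example are assumptions. It resolves attribute and class GUIDs from the schema so that nothing is hardcoded, and finishes by listing the ACEs that were applied.

```powershell
# Added example (not Cayosoft's code): grant the Cayosoft AD connection account the minimal
# rights listed above on the OU holding the signing-in users. Account and OU names are assumed.
Import-Module ActiveDirectory

$ConnectionAccount = 'CORP\svc-cayosoft'                 # assumed connection account
$TargetOu          = 'OU=Staff,DC=corp,DC=example'       # assumed OU of the signing-in AD users

$sid      = (New-Object System.Security.Principal.NTAccount($ConnectionAccount)).Translate([System.Security.Principal.SecurityIdentifier])
$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Resolve an lDAPDisplayName (attribute or class) to its schemaIDGUID, which object-specific ACEs are keyed on
function Get-SchemaGuid([string] $LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC -Filter "lDAPDisplayName -eq '$LdapDisplayName'" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    return [guid]::new([byte[]]$obj.schemaIDGUID)
}

$userClass   = Get-SchemaGuid 'user'
$acl         = Get-Acl -Path "AD:\$TargetOu"
$allow       = [System.Security.AccessControl.AccessControlType]::Allow
$inheritAll  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$inheritDesc = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

# "List content" (ListChildren) and "Read permissions" (ReadControl) on the OU and everything beneath it
$rights = [System.DirectoryServices.ActiveDirectoryRights]::ListChildren -bor
          [System.DirectoryServices.ActiveDirectoryRights]::ReadControl
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new($sid, $rights, $allow, $inheritAll))

# "Read properties" for exactly the attributes hybrid sign-in needs, scoped to user objects under the OU
foreach ($attr in 'distinguishedName', 'objectGUID', 'objectSid', 'tokenGroups', 'tokenGroupsNoGCAcceptable') {
    $rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty, $allow,
        (Get-SchemaGuid $attr), $inheritDesc, $userClass)
    $acl.AddAccessRule($rule)
}
Set-Acl -Path "AD:\$TargetOu" -AclObject $acl

# Verify: show the ACEs on the OU that now reference the connection account
(Get-Acl -Path "AD:\$TargetOu").Access |
    Where-Object { $_.IdentityReference.Value -eq $ConnectionAccount } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType -AutoSize
```

Run this as an account that can modify the OU's security descriptor. The read-property ACEs are restricted to the user object class, so the connection account cannot read those attributes on groups, computers or other objects in the same OU, which keeps its footprint to what the sign-in path actually uses.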
Active Directory web queries
All Active Directory web queries and actions that are assigned to these web queries support the hybrid sign-in.
Self-Service web queries and actions that support hybrid sign-in
All Active Directory Self-Service web queries and actions that are assigned to these web queries support the hybrid sign-in.
Approval and Certification
After hybrid sign-in, Microsoft 365 users can see approval and certification tasks created both for their cloud and corresponding Active Directory accounts.