Daniel Chehrzad

Azure AD Single Sign on

Hello,

We're planning to enable Azure AD single sign-on for our domain, and before doing that I need to confirm some questions. Would you please help me with the questions below?

1. How many different domains are supported for Salesforce SSO?
2. If we enable SSO for our domain, will external domain users still be able to log in using their external domain email address? Can we create users from other domains, for example test.com, and they log in without single sign-on?
3. For SSO, does it use the primary email address or the 365 login (UPN)?
4. Will all the user profile settings/history remain there as long as the 365 UPNs match the current users' email addresses in Salesforce? Technically our users won't lose anything, correct?
5. If a user's Salesforce login doesn't match the Azure AD associated email address, can we change the email first in Salesforce and then enable single sign-on? Will it keep all the history?
6. Worst-case scenario, if it doesn't work, can we just remove the integration and users use their Broadvoice email with their current Salesforce password to log in?


Thanks in advance!

Raj Vakati
See my comments:

1. How many different domains are supported for Salesforce SSO?
      - It is limited, and it depends on IdP vs SP.

2. If we enable SSO for our domain, will external domain users still be able to log in using their external domain email address? Can we create users from other domains, for example test.com, and they log in without single sign-on?
Yes. The only way you can do it is by unchecking the Is Single Sign-On user permission at profile level, or by creating a permission set and assigning it.

3. For SSO, does it use the primary email address or the 365 login (UPN)?

It uses the Federation ID, which can be an email or any unique ID.

4. Will all the user profile settings/history remain there as long as the 365 UPNs match the current users' email addresses in Salesforce? Technically our users won't lose anything, correct?

Yes. You can see Single Sign-On in the user's login history.

5. If a user's Salesforce login doesn't match the Azure AD associated email address, can we change the email first in Salesforce and then enable single sign-on? Will it keep all the history?
Yes. You can see Single Sign-On in the user's login history with the failure reason, and update it.

6. Worst-case scenario, if it doesn't work, can we just remove the integration and users use their Broadvoice email with their current Salesforce password to log in?

Remove the Is Single Sign-On user permission at profile level so the user can log in with the custom domain.

Daniel Chehrzad
Hi Raj,

Thanks for your reply. Please see my comments below:

2. If we enable SSO for our domain, will external domain users still be able to log in using their external domain email address? Can we create users from other domains, for example test.com, and they log in without single sign-on?
Yes. The only way you can do it is by unchecking the Is Single Sign-On user permission at profile level, or by creating a permission set and assigning it.
Daniel: I went to Setup > Manage Users, and the only SSO-related field I saw was "Federation ID". Should I look for that somewhere else?

4. Will all the user profile settings/history remain there as long as the 365 UPNs match the current users' email addresses in Salesforce? Technically our users won't lose anything, correct?

Yes. You can see Single Sign-On in the user's login history.
Daniel: Actually, by history I meant their settings, assigned tasks and cases, sales records, etc., not necessarily only login history. I just need to make sure that after enabling single sign-on it'll basically keep everything related to the users, correct?

5. If a user's Salesforce login doesn't match the Azure AD associated email address, can we change the email first in Salesforce and then enable single sign-on? Will it keep all the history?
Yes. You can see Single Sign-On in the user's login history with the failure reason, and update it.
Daniel: So technically I was trying to understand, before enabling SSO for our domain, if we find any users whose Salesforce email login doesn't match their 365 login, what would be the best way to fix it? First we change the user's Salesforce email to match 365 and then enable it for our domain? If we change the email address, will it keep all the user's profile-related history, like their tasks, cases, completed sales, etc.?

6. Worst-case scenario, if it doesn't work, can we just remove the integration and users use their Broadvoice email with their current Salesforce password to log in?

Remove the Is Single Sign-On user permission at profile level so the user can log in with the custom domain.
Daniel: Unfortunately I was not able to find it under "User Profile". Should I find it somewhere else?


Also, as a new question, do you have an accurate step-by-step source I can follow to enable SSO for our domain? I found this article from Azure AD, but some steps don't look accurate:
https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/salesforce-tutorial 

Thanks in advance!
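A pre-cutover check for the matching rule in Raj's answer (Federation ID matched against the Azure AD UPN, external-domain users kept on password login via the profile-level SSO permission) and the mismatch question in Daniel's point 5, as an added example that is not part of the original thread. It assumes the Federation ID is compared case-sensitively on the Salesforce side while UPNs are not, and the user records are constructed stand-ins, not a real Salesforce or Azure AD export.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class SfUser:  # constructed stand-in for a Salesforce User record
    username: str
    email: str
    federation_id: Optional[str]

def plan_sso_cutover(sf_users: List[SfUser], aad_upns: List[str],
                     sso_domains: List[str]) -> Dict[str, list]:
    """Classify every Salesforce user before SSO is switched on for sso_domains.
    Assumption: the Federation ID must equal the Azure AD UPN exactly, because
    Salesforce compares the Federation ID case-sensitively while UPNs are not."""
    by_upn = {upn.lower(): upn for upn in aad_upns}
    domains = {d.lower() for d in sso_domains}
    report: Dict[str, list] = {k: [] for k in (
        "ready", "set_federation_id", "case_mismatch", "not_in_aad", "exempt")}
    for u in sf_users:
        if u.email.rsplit("@", 1)[-1].lower() not in domains:
            # External-domain user (e.g. test.com) keeps password login, so the
            # Is Single Sign-On user permission stays unchecked on their profile.
            report["exempt"].append(u.username)
            continue
        upn = by_upn.get(u.email.lower())
        if upn is None:
            report["not_in_aad"].append(u.username)  # fix the email/UPN first
        elif u.federation_id == upn:
            report["ready"].append(u.username)
        elif u.federation_id and u.federation_id.lower() == upn.lower():
            report["case_mismatch"].append((u.username, u.federation_id, upn))
        else:  # empty or wrong Federation ID: set it to the UPN before enabling
            report["set_federation_id"].append((u.username, upn))
    return report

# Constructed sample data, not a real export.
SF_USERS = [
    SfUser("alice@example.com", "alice@example.com", "alice@example.com"),
    SfUser("bob@example.com", "bob@example.com", None),
    SfUser("carol@example.com", "carol@example.com", "Carol@Example.com"),
    SfUser("dave@example.com", "dave@example.com", "dave@example.com"),
    SfUser("erin@test.com", "erin@test.com", None),
]
AAD_UPNS = ["alice@example.com", "bob@example.com", "carol@example.com"]

if __name__ == "__main__":
    for bucket, users in plan_sso_cutover(SF_USERS, AAD_UPNS, ["example.com"]).items():
        print(bucket, users)
```

Users in the `not_in_aad` and `case_mismatch` buckets are the ones whose login would fail with a Federation ID mismatch after cutover, so they are the ones to correct before enabling SSO for the domain.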