Abstract: A computer implemented method includes granting a tenant administrator client machine access to a cloud hosted tenant service joined to a directory service. A bulk token for the tenant is obtained in response to a request received from the tenant administrator client machine. An identifier of an authorized tenant client to the cloud hosted tenant service is received and results in the provisioning of a tenant client virtual machine in a cloud service for the authorized tenant client in accordance with a specified provisioning package associated with the bulk token. The tenant client virtual machine is then joined to the directory service. On receipt of an authorized client token at the cloud hosted tenant service from a tenant client machine, the tenant client machine is provided a connection to the tenant client virtual machine.

Abstract: The techniques disclosed herein provide an enhanced single sign-on flow for secure computing resources, such as a virtual machine or hosted applications. In some configurations, the techniques process different types of security data, e.g., credentials, tokens, certificates, and reference objects at specific computing entities of a system to provide a single sign-on flow for providing access to secure computing resources from a client computing device. In one illustrative example, a select type of security data, such as a certificate, is generated from a token and a claim at a particular computing resource, such as an agent operating on a virtual machine. In another example, a signed version of the certificate can be stored and verified at the virtual machine. By generating certificates at such particular computing resources, the computing resource can verify a person's credentials using a secure single sign-on flow without requiring the person to provide credentials multiple times.