
Azure AD Seamless Single Sign-On (Azure AD Seamless SSO) is a free feature of Azure AD that lets a user authenticate to applications in Azure AD with a single set of credentials while connected to the organization's network. In practice, once the user's device (Windows, Mac, etc.) is connected to your network, they are not asked for their credentials when opening any Azure AD application.

Figure: The principles of Seamless Single Sign-On
Seamless SSO is configured using the Azure AD Connect wizard and can be used together with password hash synchronization or pass-through authentication. Seamless SSO is not compatible with federation services such as AD FS or PingFederate.
 
A couple of prerequisites to be aware of when planning to implement Seamless SSO:

  • If you decide to use AD Connect with Password Hash Synchronization, ensure you are using the latest version of AD Connect.
  • Ensure your firewall allows outbound connections to *.msapproxy.net URLs over port 443, and allow access to the Azure datacenter IP ranges.
  • Review the following topologies that are supported.
  • Ensure users are running the Office 365 desktop client, version 16.0.8730.xxxx or later.
  • Make sure Modern Authentication is enabled in your tenant.

 
After the Azure AD Connect Wizard is installed, we recommend you "Pin to taskbar" the wizard to better access the application when you need to run it again.
 

 
Once you have verified the above prerequisites, you can enable the feature. You will run the Azure AD Connect Wizard and perform a custom installation. The image below shows the User sign-in configuration page in Azure AD Connect: select Password Hash Synchronization or Pass-through authentication and check Enable single sign-on.
 
 

 
If you need to enable some features after you have already deployed Azure AD Connect, you can re-run the setup wizard and select Change user sign-in under Additional tasks to make the changes. 

 
To confirm that Seamless SSO was set up successfully, sign in as a Global Administrator to https://portal.azure.com and navigate to Azure Active Directory > Azure AD Connect. From this page, you can verify that Seamless SSO is enabled.
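The portal check above can also be done from the Azure AD Connect server itself. The following is an added example (not code from the original post or from Microsoft) that uses the AzureADSSO PowerShell module that Azure AD Connect installs; the module path is the default install location and is an assumption, and the AZUREADSSOACC key-age check follows Microsoft's published recommendation to roll the Seamless SSO Kerberos decryption key over at least every 30 days.

```powershell
# Added example (not from the original post): check Seamless SSO status from the
# Azure AD Connect server using the AzureADSSO module that Azure AD Connect installs.
# Run in an elevated PowerShell session on the Azure AD Connect server.
# Assumption: default Azure AD Connect install path; adjust if you installed elsewhere.
$ssoModule = 'C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1'
Import-Module $ssoModule

# Prompts for Global Administrator credentials for the tenant.
New-AzureADSSOAuthenticationContext

# Returns the tenant's Seamless SSO status as a JSON string; show every field.
$statusJson = Get-AzureADSSOStatus
$status = $statusJson | ConvertFrom-Json
$status | Format-List *

# Seamless SSO relies on the AZUREADSSOACC computer account that Azure AD Connect
# creates in each on-premises forest. Microsoft recommends rolling its Kerberos
# decryption key over at least every 30 days (Update-AzureADSSOForest does this),
# so report how old the current key is. Requires the ActiveDirectory RSAT module.
Import-Module ActiveDirectory
$acc = Get-ADComputer -Identity 'AZUREADSSOACC' -Properties PasswordLastSet
$keyAgeDays = [int]((Get-Date) - $acc.PasswordLastSet).TotalDays
if ($keyAgeDays -gt 30) {
    Write-Warning "AZUREADSSOACC Kerberos decryption key is $keyAgeDays days old; roll it over with Update-AzureADSSOForest."
} else {
    Write-Output "AZUREADSSOACC key age: $keyAgeDays days (within the 30-day rollover window)."
}
```

If the status output shows Seamless SSO disabled for a domain you expect to be enabled, re-run the Azure AD Connect wizard and use Change user sign-in, as described below, rather than editing the AZUREADSSOACC account by hand.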
 

 
When you have completed your custom settings installation of Azure AD Connect, you are taken to a page with several additional optional features as shown below. The most commonly used features are Password writeback and Exchange hybrid deployment. Further information on all Optional features can be viewed here.


To deploy these features to your users, follow these steps to configure your GPO: https://learn.microsoft.com/en-us/azure/active-directory/hybrid/connect/how-to-connect-sso-quick-start#roll-out-the-feature

We recommend restarting the workstation(s) and waiting 24 hours for the changes to take effect.
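Before waiting the full 24 hours, you can confirm on a single domain-joined workstation that the roll-out GPO from the quick-start has actually applied. The script below is an added example (not code from the original post or from Microsoft): it checks the two settings the quick-start GPO pushes (the SSO endpoint in the Intranet zone and "Allow updates to status bar via script" for that zone) and that the endpoint resolves. The registry locations are the standard Internet Explorer zone-policy layout, and the action value 2103 for the status-bar setting is taken from that layout; treat both as assumptions to verify against your own policy if your results differ.

```powershell
# Added example (not from the original post): verify on a domain-joined workstation that
# the Seamless SSO roll-out GPO has applied. The GPO adds
# https://autologon.microsoftazuread-sso.com to the Local intranet zone (zone 1) via the
# Site to Zone Assignment List and enables "Allow updates to status bar via script"
# for that zone. Registry paths/values below follow the IE zone-policy layout (assumption).
function Test-SeamlessSsoClientPolicy {
    $ssoUrl = 'https://autologon.microsoftazuread-sso.com'
    $result = [ordered]@{}

    # 1. Site to Zone Assignment List: value name is the URL, data "1" = Local intranet.
    #    The quick-start GPO is a user policy, so HKCU is checked first, then HKLM.
    $zoneMapKeys = @(
        'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey',
        'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
    )
    $zone = $null
    foreach ($key in $zoneMapKeys) {
        if (Test-Path $key) {
            $props = Get-ItemProperty -Path $key
            if ($props.PSObject.Properties.Name -contains $ssoUrl) { $zone = $props.$ssoUrl; break }
        }
    }
    $result.IntranetZoneAssigned = ($zone -eq '1')

    # 2. "Allow updates to status bar via script" for zone 1: URL action 2103, 0 = enabled.
    $zone1Keys = @(
        'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1',
        'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1'
    )
    $statusBar = $null
    foreach ($key in $zone1Keys) {
        if (Test-Path $key) {
            $v = Get-ItemProperty -Path $key -Name '2103' -ErrorAction SilentlyContinue
            if ($v) { $statusBar = $v.'2103'; break }
        }
    }
    $result.StatusBarScriptAllowed = ($statusBar -eq 0)

    # 3. The SSO endpoint must resolve; if the firewall/DNS prerequisite was missed,
    #    sign-in silently falls back to a credential prompt instead of failing loudly.
    $result.EndpointResolves = [bool](Resolve-DnsName -Name 'autologon.microsoftazuread-sso.com' -ErrorAction SilentlyContinue)

    [pscustomobject]$result
}

$check = Test-SeamlessSsoClientPolicy
$check
if (-not ($check.IntranetZoneAssigned -and $check.StatusBarScriptAllowed)) {
    Write-Warning 'Seamless SSO GPO settings not applied yet; run gpupdate /force and re-check, or confirm the GPO is linked to the OU containing this user.'
}
```

All three fields should read True before you treat a workstation as rolled out; a False in EndpointResolves points back at the firewall and DNS prerequisites rather than at the GPO.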