Azure Active Directory (Azure AD) Seamless Single Sign-On (Seamless SSO) automatically signs users in when they're using a corporate desktop that's connected to the corporate network. Seamless SSO gives your users easy access to cloud-based applications without having to use additional on-premises components.
To provide seamless SSO to Azure AD using Azure AD Connect, follow the steps outlined in the following sections.
Check the prerequisites
Make sure the following prerequisites are in place:
- Set up your Azure AD Connect server: If you use Pass-through Authentication as your sign-in method, no additional prerequisite check is required. If you use password hash synchronization as your sign-in method, and there is a firewall between Azure AD Connect and Azure AD, ensure that:
  - You use Azure AD Connect version 1.1.644.0 or later.
  - If your firewall or proxy allows it, add the connections to *.msappproxy.net URLs over port 443 to the allow list. If you need a specific URL instead of a wildcard for the proxy configuration, you can configure tenantid.registration.msappproxy.net, where tenantid is the GUID of the tenant for which you are configuring the feature. If URL-based proxy exceptions are not possible in your organization, you can instead allow access to the Azure datacenter IP ranges, which are updated weekly. This requirement applies only while you enable the Seamless SSO feature; it is not required for actual user sign-ins.
  Note
  - Azure AD Connect versions 1.1.557.0, 1.1.558.0, 1.1.561.0 and 1.1.614.0 have an issue related to password hash synchronization. If you do NOT intend to use password hash synchronization together with Pass-through Authentication, read the Azure AD Connect release notes to learn more.
  - If you have an outbound HTTP proxy, make sure the URL autologon.microsoftazuread-sso.com is on your allow list. Specify this URL explicitly, because wildcards may not be accepted.
- Use a supported Azure AD Connect topology: Make sure you are using one of the supported Azure AD Connect topologies.
  Note
  Seamless SSO supports multiple on-premises Windows Server Active Directory (Windows Server AD) forests, whether or not there are Windows Server AD trusts between them.
- Set up domain administrator credentials: You need domain administrator credentials for each Windows Server AD forest that:
  - You synchronize to Azure AD through Azure AD Connect.
  - Contains the users you want to enable for Seamless SSO.
- Enable modern authentication: You must enable modern authentication on your tenant for this feature to work.
- Use the latest versions of the Microsoft 365 clients: To get a silent sign-in experience with Microsoft 365 clients such as Outlook, Word, or Excel, your users must use version 16.0.8730.xxxx or later.
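The following PowerShell is an added example and is not part of the Microsoft article. Run on the Azure AD Connect server, it checks the two outbound connections the prerequisites above ask for (TCP 443 to tenantid.registration.msappproxy.net, needed only while enabling the feature, and to autologon.microsoftazuread-sso.com, needed for every sign-in), shows the WinHTTP proxy that could intercept them, and compares the installed Azure AD Connect version against the 1.1.644.0 minimum. The tenant GUID is a constructed placeholder, and the uninstall-registry display name used for the version lookup is an assumption, not something the article states.

```powershell
# Added example, not from the Microsoft article.
# Checks the outbound prerequisites for Seamless SSO from the Azure AD Connect server.

function Test-SeamlessSsoOutbound {
    param(
        [Parameter(Mandatory)][string]$TenantId,   # GUID of the tenant being configured
        [int]$Port = 443
    )

    $endpoints = @(
        # Needed only while the feature is being enabled (wildcard form: *.msappproxy.net)
        "$TenantId.registration.msappproxy.net",
        # Needed for every user sign-in; must be listed explicitly, wildcards may be rejected
        'autologon.microsoftazuread-sso.com'
    )

    foreach ($hostName in $endpoints) {
        $result = Test-NetConnection -ComputerName $hostName -Port $Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Endpoint     = $hostName
            Port         = $Port
            DnsResolved  = [bool]$result.RemoteAddress
            TcpSucceeded = [bool]$result.TcpTestSucceeded
        }
    }
}

function Get-WinHttpProxySetting {
    # A configured system proxy must allow the endpoints above (wildcards may be rejected)
    (netsh winhttp show proxy) -join "`n"
}

function Get-AzureAdConnectVersion {
    # Assumption: the product registers with this display name in the Uninstall key
    $uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $entry = Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -eq 'Microsoft Azure AD Connect' } |
        Select-Object -First 1
    if ($entry -and $entry.DisplayVersion) { [version]$entry.DisplayVersion } else { $null }
}

function Test-AzureAdConnectMinimumVersion {
    param([version]$Minimum = '1.1.644.0')   # minimum stated in the prerequisites
    $installed = Get-AzureAdConnectVersion
    [pscustomobject]@{
        Installed = $installed
        Minimum   = $Minimum
        Meets     = ($null -ne $installed -and $installed -ge $Minimum)
    }
}

# Constructed placeholder tenant ID; replace with your tenant GUID
Test-SeamlessSsoOutbound -TenantId '00000000-0000-0000-0000-000000000000' | Format-Table -AutoSize
Get-WinHttpProxySetting
Test-AzureAdConnectMinimumVersion
```

A DNS resolution failure for the registration endpoint usually means the tenant GUID is wrong; a resolved name with a failed TCP test points at the firewall or proxy rule.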
Enable the feature
Enable Seamless SSO through Azure AD Connect.
Note
If Azure AD Connect doesn't meet your requirements, you can enable Seamless SSO using PowerShell. Use this option if you have more than one domain per Windows Server AD forest and you want to target the domain for which Seamless SSO is enabled.
If you are doing a fresh installation of Azure AD Connect, choose the custom installation path. On the User sign-in page, select the Enable single sign-on option.
Note
The option is available only if the selected sign-in method is Password Hash Synchronization or Pass-through Authentication.
If Azure AD Connect is already installed, select Change user sign-in under Additional tasks, and then select Next. If you are using Azure AD Connect version 1.1.880.0 or later, the Enable single sign-on option is selected by default. If you are using an earlier version of Azure AD Connect, select the Enable single sign-on option.
Continue through the wizard until you reach the Enable single sign-on page. Provide domain administrator credentials for each Windows Server AD forest that:
- You synchronize to Azure AD through Azure AD Connect.
- Contains the users you want to enable for Seamless SSO.
After you complete the wizard, Seamless SSO is enabled on your tenant.
Note
The domain administrator credentials are not stored in Azure AD Connect or in Azure AD. They are used only to enable the feature.
To verify that Seamless SSO is enabled correctly:
- Sign in to the Azure portal with your tenant's hybrid administrator account credentials.
- Select Azure Active Directory in the left menu.
- Select Azure AD Connect.
- Verify that Seamless single sign-on is set to Enabled.
Important
Seamless SSO creates a computer account named AZUREADSSOACC in each Windows Server AD forest in your on-premises Windows Server AD directory. For security reasons, the AZUREADSSOACC computer account must be strongly protected. Only Domain Admins accounts should be allowed to manage the computer account. Ensure that Kerberos delegation on the computer account is disabled, and that no other account in Windows Server AD has delegation permissions on the AZUREADSSOACC computer account. Store the computer account in an organizational unit (OU) where it is safe from accidental deletion and only domain administrators have access.
Note
If you are using Pass-the-Hash and Credential Theft Mitigation architectures in your on-premises environment, make the appropriate changes to ensure that the AZUREADSSOACC computer account does not end up in the Quarantine container.
Roll out the feature
You can gradually roll out Seamless SSO to your users by using the instructions in the following sections. You start by adding the following Azure AD URL to the intranet zone settings of all or selected users by using Group Policy in Windows Server AD:
https://autologon.microsoftazuread-sso.com
You also need to enable an intranet zone policy setting called Allow updates to status bar via script through Group Policy.
Note
The following instructions work only for Internet Explorer, Microsoft Edge, and Google Chrome on Windows (if Google Chrome shares a set of trusted site URLs with Internet Explorer). Read the browser considerations section for instructions on how to set up Mozilla Firefox and Google Chrome on macOS.
Why do you need to modify users' intranet zone settings?
By default, the browser automatically calculates the correct zone, either Internet or Intranet, from a given URL. For example, http://contoso/ maps to the Intranet zone, whereas http://intranet.contoso.com/ maps to the Internet zone (because the URL contains a period). Browsers do not send Kerberos tickets to a cloud endpoint such as the Azure AD URL unless you explicitly add the URL to the browser's intranet zone.
There are two ways to modify users' intranet zone settings:
Option | Administrator consideration | User experience |
---|---|---|
Group Policy | The administrator locks down editing of the intranet zone settings | Users cannot modify their own settings |
Group Policy preference | The administrator allows editing of the intranet zone settings | Users can modify their own settings |
Detailed Group Policy steps
- Open the Group Policy Management Editor tool.
- Edit the Group Policy that is applied to some or all of your users. This example uses Default Domain Policy.
- Browse to User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page. Then select Site to Zone Assignment List.
- Enable the policy, and then enter the following values in the dialog box:
  Value name: The Azure AD URL to which the Kerberos tickets are forwarded.
  Value (Data): 1 indicates the Intranet zone.
  The result looks like this example:
  Value name: https://autologon.microsoftazuread-sso.com
  Value (Data): 1
  Note
  If you want to prevent some users from using Seamless SSO (for example, if those users sign in on shared kiosks), set the preceding value to 4. This action adds the Azure AD URL to the Restricted zone, and Seamless SSO always fails for those users.
- Select OK, and then select OK again.
- Browse to User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone. Then select Allow updates to status bar via script.
- Enable the policy setting, and then select OK.
Detailed Group Policy preference steps
- Open the Group Policy Management Editor tool.
- Edit the Group Policy that is applied to some or all of your users. This example uses Default Domain Policy.
- Browse to User Configuration > Preferences > Windows Settings > Registry > New > Registry Item.
- Enter or select the following values as shown, and then select OK.
  Key Path: Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\microsoftazuread-sso.com\autologon
  Value name: https
  Value type: REG_DWORD
  Value data: 00000001
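The following PowerShell is an added example, not part of the Microsoft article, showing what the Group Policy preference above writes for a single user and how to verify it on a client. It uses the same key path, value name and REG_DWORD type as the preference, with 1 for the Intranet zone and 4 for the Restricted zone as described in the Group Policy steps. The second read location, the policy-managed ZoneMapKey, is where the Site to Zone Assignment List policy stores its entries when you use the Group Policy route instead; the article does not name that key, so treat it as an assumption.

```powershell
# Added example, not from the Microsoft article.
# Per-user ZoneMap entry for https://autologon.microsoftazuread-sso.com (preference route).
$AutologonKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\microsoftazuread-sso.com\autologon'

# Assumption: location the Site to Zone Assignment List policy writes to (policy route, locked for the user)
$ZoneMapPolicyKey = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
$AzureAdSsoUrl    = 'https://autologon.microsoftazuread-sso.com'

function Set-AutologonZone {
    # 1 = Local intranet (Seamless SSO works), 4 = Restricted sites (Seamless SSO always fails, e.g. shared kiosks)
    param([ValidateSet(1, 4)][int]$Zone = 1)
    if (-not (Test-Path $AutologonKey)) {
        New-Item -Path $AutologonKey -Force | Out-Null
    }
    # Value name is the scheme; only https is needed for the Azure AD URL
    New-ItemProperty -Path $AutologonKey -Name 'https' -PropertyType DWord -Value $Zone -Force | Out-Null
}

function Get-AutologonZone {
    # Returns the effective zone for the Azure AD URL, preferring the policy entry (which wins over the preference)
    $policyValue = (Get-ItemProperty -Path $ZoneMapPolicyKey -Name $AzureAdSsoUrl -ErrorAction SilentlyContinue).$AzureAdSsoUrl
    if ($null -ne $policyValue) {
        return [pscustomobject]@{ Source = 'Policy'; Zone = [int]$policyValue }
    }
    $prefValue = (Get-ItemProperty -Path $AutologonKey -Name 'https' -ErrorAction SilentlyContinue).https
    if ($null -ne $prefValue) {
        return [pscustomobject]@{ Source = 'Preference'; Zone = [int]$prefValue }
    }
    [pscustomobject]@{ Source = 'None'; Zone = $null }
}

function Test-AutologonZone {
    # $true only when the URL is mapped to the Intranet zone, the state Seamless SSO needs
    (Get-AutologonZone).Zone -eq 1
}

# Usage on a test client: map the URL to the Intranet zone, then confirm
Set-AutologonZone -Zone 1
Get-AutologonZone
Test-AutologonZone
```

When both a policy entry and a preference entry exist, the browser honours the policy entry, which is why Get-AutologonZone checks it first; a user who sees no Seamless SSO despite the preference being set should be checked for a conflicting policy value of 4.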
Browser considerations
The following sections provide information about Seamless SSO that is specific to different browser types.
Mozilla Firefox (all platforms)
If you are using the Authentication policy setting in your environment, make sure you add the Azure AD URL (https://autologon.microsoftazuread-sso.com) to the SPNEGO section. You can also set the PrivateBrowsing option to true to enable Seamless SSO in private browsing mode.
Safari (macOS)
Make sure the computer running macOS is joined to Windows Server AD.
Instructions for joining macOS devices to Windows Server AD are outside the scope of this article.
Microsoft Edge based on Chromium (all platforms)
If you have overridden the AuthNegotiateDelegateAllowlist or AuthServerAllowlist policy settings in your environment, make sure that you also add the Azure AD URL (https://autologon.microsoftazuread-sso.com) to these policy settings.
Microsoft Edge based on Chromium (macOS and other non-Windows platforms)
For Microsoft Edge based on Chromium on macOS and other non-Windows platforms, see the Microsoft Edge based on Chromium policy list for information on how to add the Azure AD URL for integrated authentication to your allow list.
Google Chrome (all platforms)
If you have overridden the AuthNegotiateDelegateAllowlist or AuthServerAllowlist policy settings in your environment, make sure that you also add the Azure AD URL (https://autologon.microsoftazuread-sso.com) to these policy settings.
macOS
Using third-party Active Directory Group Policy extensions to roll out the Azure AD URL to Firefox and Google Chrome for macOS users is outside the scope of this article.
Known browser limitations
Seamless SSO doesn't work in Internet Explorer when the browser is running in Enhanced Protected Mode. Seamless SSO supports the next version of Microsoft Edge based on Chromium and works in InPrivate and Guest mode by design. Microsoft Edge (legacy) is no longer supported.
You may need to configure AmbientAuthenticationInPrivateModesEnabled for InPrivate or Guest users, based on the corresponding documentation:
- Microsoft Edge Chromium
- Google Chrome
Test Seamless SSO
To test the feature for a specific user, ensure that all of the following conditions are in place:
- The user signs in on a corporate device.
- The device is joined to your Windows Server AD domain. The device does NOT need to be Azure AD joined.
- The device has a direct connection to your domain controller, either on the corporate wired or wireless network or through a remote access connection such as a VPN connection.
- You have rolled out the feature to this user through Group Policy.
To test the scenario where the user enters only the username, but not the password:
- Sign in to https://myapps.microsoft.com. Be sure to either clear the browser cache or use a new private browsing session with any of the supported browsers in private mode.
To test the scenario where the user doesn't have to enter the username or the password, do one of the following:
- Sign in to https://myapps.microsoft.com/contoso.onmicrosoft.com. Be sure to either clear the browser cache or use a new private browsing session with any of the supported browsers in private mode. Replace contoso with your tenant name.
- Sign in to https://myapps.microsoft.com/contoso.com in a new private browsing session. Replace contoso.com with a verified domain (not a federated domain) on your tenant.
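Before a user runs the sign-in tests above, the conditions in the first list can be checked on the client. The following PowerShell is an added example and is not part of the Microsoft article: it confirms the device is joined to a Windows Server AD domain, locates a domain controller through .NET (so no RSAT module is needed) and checks it answers on the Kerberos port, verifies that the Group Policy rollout mapped the Azure AD URL to the Intranet zone, and checks that the client can reach autologon.microsoftazuread-sso.com. The choice of TCP 88 as the reachability probe is the example's own; the article only says the device needs a direct connection to the domain controller.

```powershell
# Added example, not from the Microsoft article.
# Client-side readiness check for the Seamless SSO test conditions.
function Test-SeamlessSsoClientReadiness {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    # 1. Device is joined to a Windows Server AD domain (Azure AD join is not required)
    $domainJoined = [bool]$cs.PartOfDomain

    # 2. A domain controller is reachable; Kerberos (TCP 88) is what ticket issuance needs
    $dcName      = $null
    $dcReachable = $false
    if ($domainJoined) {
        try {
            $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
            $dcName = $domain.FindDomainController().Name
            $dcReachable = [bool](Test-NetConnection -ComputerName $dcName -Port 88 -WarningAction SilentlyContinue).TcpTestSucceeded
        } catch {
            # DC locator failed: typically off the corporate network without VPN
            $dcReachable = $false
        }
    }

    # 3. Group Policy rollout landed: Azure AD URL mapped to the Intranet zone (1)
    $zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\microsoftazuread-sso.com\autologon'
    $zone = (Get-ItemProperty -Path $zoneKey -Name 'https' -ErrorAction SilentlyContinue).https
    $intranetMapped = ($zone -eq 1)

    # 4. The Azure AD SSO endpoint itself is reachable from the client
    $cloudReachable = [bool](Test-NetConnection -ComputerName 'autologon.microsoftazuread-sso.com' -Port 443 -WarningAction SilentlyContinue).TcpTestSucceeded

    [pscustomobject]@{
        DomainJoined        = $domainJoined
        Domain              = $cs.Domain
        DomainController    = $dcName
        KerberosReachable   = $dcReachable
        IntranetZoneMapped  = $intranetMapped
        ZoneValue           = $zone          # 4 here means the user was deliberately excluded
        AutologonReachable  = $cloudReachable
        Ready               = ($domainJoined -and $dcReachable -and $intranetMapped -and $cloudReachable)
    }
}

Test-SeamlessSsoClientReadiness | Format-List
```

A ZoneValue of 4 with everything else green is expected for users excluded via the Restricted zone; for everyone else it is the first thing to fix before looking at the browser.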
Roll over keys
In Enable the feature, Azure AD Connect creates computer accounts (representing Azure AD) in all the Windows Server AD forests on which you have enabled Seamless SSO. For more information, see Azure Active Directory Seamless Single Sign-On: Technical deep dive.
Important
The Kerberos decryption key on a computer account, if compromised, can be used to generate Kerberos tickets for any user in its Windows Server AD forest. Malicious actors can then impersonate Azure AD sign-ins for the compromised users. We strongly recommend that you periodically roll over these Kerberos decryption keys, or at least once every 30 days.
For instructions on how to roll over keys, see Azure Active Directory Seamless Single Sign-On: Frequently asked questions.
Important
You don't need to do this step immediately after you have enabled the feature. Roll over the Kerberos decryption keys at least once every 30 days.
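The following PowerShell is an added example, not part of the Microsoft article. It serves both the Important note under Enable the feature (the AZUREADSSOACC computer account must have no Kerberos delegation, be protected from deletion and live in a restricted OU) and the rollover cadence above: for each domain given, it reads the AZUREADSSOACC account, flags any delegation configuration, reports whether the account is still in the default Computers container, and reports the age of the account password, which is the Kerberos decryption key the note is about, against the 30-day threshold. It requires the RSAT ActiveDirectory module and read access to the account; the domain list and the 30-day threshold are parameters you supply.

```powershell
# Added example, not from the Microsoft article.
# Audits the AZUREADSSOACC computer account and its Kerberos decryption key age per domain.
Import-Module ActiveDirectory

function Get-SeamlessSsoAccountAudit {
    param(
        [string[]]$Domain = @((Get-ADDomain).DNSRoot),   # default: the current domain only
        [int]$MaxKeyAgeDays = 30                          # rollover cadence from the article
    )

    $props = 'PasswordLastSet', 'TrustedForDelegation', 'TrustedToAuthForDelegation',
             'msDS-AllowedToDelegateTo', 'msDS-AllowedToActOnBehalfOfOtherIdentity',
             'ProtectedFromAccidentalDeletion', 'DistinguishedName'

    foreach ($d in $Domain) {
        $acct = Get-ADComputer -Identity 'AZUREADSSOACC' -Server $d -Properties $props -ErrorAction SilentlyContinue
        if (-not $acct) {
            # Seamless SSO is not enabled for this domain/forest, or the account was removed
            [pscustomobject]@{ Domain = $d; Found = $false }
            continue
        }

        # Unconstrained, protocol-transition, constrained and resource-based delegation all count
        $delegationConfigured = [bool]$acct.TrustedForDelegation -or
                                [bool]$acct.TrustedToAuthForDelegation -or
                                ($acct.'msDS-AllowedToDelegateTo'.Count -gt 0) -or
                                ($null -ne $acct.'msDS-AllowedToActOnBehalfOfOtherIdentity')

        # The account password is the Kerberos decryption key; its age is the rollover age
        $keyAge = (Get-Date) - $acct.PasswordLastSet

        [pscustomobject]@{
            Domain                      = $d
            Found                       = $true
            DistinguishedName           = $acct.DistinguishedName
            InDefaultComputersContainer = ($acct.DistinguishedName -like 'CN=AZUREADSSOACC,CN=Computers,*')
            DelegationConfigured        = $delegationConfigured
            ProtectedFromDeletion       = [bool]$acct.ProtectedFromAccidentalDeletion
            KeyAgeDays                  = [int]$keyAge.TotalDays
            KeyRolloverOverdue          = ($keyAge.TotalDays -gt $MaxKeyAgeDays)
        }
    }
}

# Usage: audit every domain where Seamless SSO was enabled (constructed example names)
Get-SeamlessSsoAccountAudit -Domain 'contoso.com', 'fabrikam.com' | Format-Table -AutoSize
```

Any row with DelegationConfigured true, InDefaultComputersContainer true, ProtectedFromDeletion false or KeyRolloverOverdue true is a finding against the article's guidance; the key age check is worth scheduling so the 30-day cadence is enforced rather than remembered.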
Next steps
- Technical deep dive: Understand how the Seamless Single Sign-On feature works.
- Frequently asked questions: Get answers to frequently asked questions about Seamless Single Sign-On.
- Troubleshoot: Learn how to resolve common problems with the Seamless Single Sign-On feature.
- UserVoice: Use the Azure Active Directory forum to file new feature requests.