Professional Documents
Culture Documents
Azure Active Directory Seamless Single Sign-On (Azure AD Seamless SSO) automatically signs users in
when they are on their corporate devices connected to your corporate network. When enabled,
users don't need to type in their passwords to sign in to Azure AD, and usually, even type in their
usernames. This feature provides your users easy access to your cloud-based applications without
needing any additional on-premises components.
Seamless SSO can be combined with either the Password Hash Synchronization or Pass-through
Authentication sign-in methods. Seamless SSO is not applicable to Active Directory Federation
Services (ADFS).
Key benefits
Open AAD Connect sync tool to customize synchronization setting and select Enabled single sign on.
Click next and finish.
Seamless SSO creates a computer account named AZUREADSSOACC in your on-premises Active
Directory (AD) in each AD forest. The AZUREADSSOACC computer account needs to be strongly
protected for security reasons. Only Domain Admins should be able to manage the computer
account. Ensure that Kerberos delegation on the computer account is disabled, and that no other
account in Active Directory has delegation permissions on the AZUREADSSOACC computer account.
Store the computer account in an Organization Unit (OU) where they are safe from accidental
deletions and where only Domain Admins have access.
You can gradually roll out Seamless SSO to your users using the instructions provided below. You
start by adding the following Azure AD URLs to all or selected users' Intranet zone settings by using
Group Policy in Active Directory:
https://aadg.windows.net.nsatc.net
https://autologon.microsoftazuread-sso.com
In addition, you need to enable an Intranet zone policy setting called Allow updates to status
bar via script through Group Policy
Note: - The following instructions work only for Internet Explorer and Google Chrome on Windows
(if it shares a set of trusted site URLs with Internet Explorer).
By default, the browser automatically calculates the correct zone, either Internet or Intranet, from a
specific URL. For example, http://contoso/ maps to the Intranet zone, whereas
http://intranet.contoso.com/ maps to the Internet zone.
Browsers will not send Kerberos tickets to a cloud endpoint, like the Azure AD URL, unless you
explicitly add the URL to the browser's Intranet zone.
1. Edit the group policy that's applied to some or all your users. This example uses Default
Domain Policy.
2. Browse to User Configuration > Policy > Administrative Templates > Windows Components >
Internet Explorer > Internet Control Panel > Security Page. Then select Site to Zone
Assignment List.
3. Enable the policy, and then enter the following values in the dialog box:
The Azure AD URL where the Kerberos tickets are forwarded.
Value name: https://autologon.microsoftazuread-sso.com
Value (Data): 1
Note: - If you want to disallow some users from using Seamless SSO (for instance, if these users sign
in on shared kiosks), set the preceding values to 4. This action adds the Azure AD URL to the
restricted zone, and fails Seamless SSO all the time.
1. Browse to User Configuration > Policy > Administrative Templates > Windows Components >
Internet Explorer > Internet Control Panel > Security Page > Intranet Zone. Then select Allow
updates to status bar via script.
To test the feature for a specific user, ensure that all the following conditions are in place:
To test the scenario where the user enters only the username, but not the password:
To test the scenario where the user doesn't have to enter the username or the password, use one of
these steps: