Microsoft Entra seamless single sign-on: Frequently asked questions

In this article, we address frequently asked questions about Microsoft Entra seamless single sign-on (Seamless SSO). Keep checking back for new content.

What sign-in methods do Seamless SSO work with

Seamless SSO can be combined with either the Password Hash Synchronization or Pass-through Authentication sign-in methods. However this feature can't be used with Active Directory Federation Services (ADFS).

Is Seamless SSO a free feature?

Seamless SSO is a free feature and you don't need any paid editions of Microsoft Entra ID to use it.

Is Seamless SSO available in the Microsoft Azure Germany cloud and the Microsoft Azure Government cloud?

Seamless SSO is available for the Azure Government cloud. For details, view Hybrid Identity Considerations for Azure Government.

What applications take advantage of `domain_hint` or `login_hint` parameter capability of Seamless SSO?

The table has a list of applications that can send these parameters to Microsoft Entra ID. This action provides users a silent sign-on experience using Seamless SSO.:

Application name Application URL to be used
Access panel https://myapps.microsoft.com/contoso.com
Outlook on Web https://outlook.office365.com/contoso.com
Office 365 portals https://portal.office.com?domain_hint=contoso.com, https://www.office.com?domain_hint=contoso.com

In addition, users get a silent sign-on experience if an application sends sign-in requests to Microsoft Entra endpoints set up as tenants - that is, https://login.microsoftonline.com/contoso.com/<..> or https://login.microsoftonline.com/<tenant_ID>/<..> - instead of the Microsoft Entra common endpoint - that is, https://login.microsoftonline.com/common/<...>. The table has a list of applications that make these types of sign-in requests.

Application name Application URL to be used
SharePoint Online https://contoso.sharepoint.com
Microsoft Entra admin center https://portal.azure.com/contoso.com

In the above tables, replace "contoso.com" with your domain name to get to the right application URLs for your tenant.

If you want other applications using our silent sign-on experience, let us know in the feedback section.

Does Seamless SSO support `Alternate ID` as the username, instead of `userPrincipalName`?

Yes. Seamless SSO supports Alternate ID as the username when configured in Microsoft Entra Connect as shown here. Not all Microsoft 365 applications support Alternate ID. Refer to the specific application's documentation for the support statement.

What is the difference between the single sign-on experience provided by Microsoft Entra join and Seamless SSO?

Microsoft Entra join provides SSO to users if their devices are registered with Microsoft Entra ID. These devices don't necessarily have to be domain-joined. SSO is provided using primary refresh tokens or PRTs, and not Kerberos. The user experience is most optimal on Windows 10 devices. SSO happens automatically on the Microsoft Edge browser. It also works on Chrome with the use of a browser extension.

You can use Microsoft Entra join and Seamless SSO on your tenant. These two features are complementary. If both features are turned on, then SSO from Microsoft Entra join takes precedence over Seamless SSO.

I want to register non-Windows 10 devices with Microsoft Entra ID, without using AD FS. Can I use Seamless SSO instead?

Yes, this scenario needs version 2.1 or later of the workplace-join client.

How can I roll over the Kerberos decryption key of the `AZUREADSSO` computer account?

It's important to frequently roll over the Kerberos decryption key of the AZUREADSSO computer account (which represents Microsoft Entra ID) created in your on-premises AD forest.

Important

We highly recommend that you roll over the Kerberos decryption key at least every 30 days.

Follow these steps on the on-premises server where you're running Microsoft Entra Connect:

Note

You'll need domain administrator and global administrator/hybrid identity administrator credentials for the steps. If you're not a domain admin and you were assigned permissions by the domain admin, you should call Update-AzureADSSOForest -OnPremCredentials $creds -PreserveCustomPermissionsOnDesktopSsoAccount

Step 1. Get list of AD forests where Seamless SSO has been enabled

  1. First, download, and install Azure AD PowerShell.
  2. Navigate to the $env:programfiles"\Microsoft Azure Active Directory Connect" folder.
  3. Import the Seamless SSO PowerShell module using this command: Import-Module .\AzureADSSO.psd1.
  4. Run PowerShell as an Administrator. In PowerShell, call New-AzureADSSOAuthenticationContext. This command should give you a popup to enter your tenant's Global Administrator or Hybrid Identity Administrator credentials.
  5. Call Get-AzureADSSOStatus | ConvertFrom-Json. This command provides you the list of AD forests (look at the "Domains" list) on which this feature has been enabled.

Step 2. Update the Kerberos decryption key on each AD forest that it was set it up on

  1. Call $creds = Get-Credential. When prompted, enter the Domain Administrator credentials for the intended AD forest.

Note

The domain administrator credentials username must be entered in the SAM account name format (contoso\johndoe or contoso.com\johndoe). We use the domain portion of the username to locate the Domain Controller of the Domain Administrator using DNS.

Note

The domain administrator account used must not be a member of the Protected Users group. If so, the operation will fail.

  1. Call Update-AzureADSSOForest -OnPremCredentials $creds. This command updates the Kerberos decryption key for the AZUREADSSO computer account in this specific AD forest and updates it in Microsoft Entra ID.

  2. Repeat the preceding steps for each AD forest that you’ve set up the feature on.

Note

If you're updating a forest, other than the Microsoft Entra Connect one, make sure connectivity to the global catalog server (TCP 3268 and TCP 3269) is available.

Important

This doesn't need to be done on servers running Microsoft Entra Connect in staging mode. Ensure that you don't run the Update-AzureADSSOForest command more than once per forest. Otherwise, the feature stops working until the time your users' Kerberos tickets expire and are reissued by your on-premises Active Directory.

How can I disable Seamless SSO?

Step 1. Disable the feature on your tenant

Option A: Disable using Microsoft Entra Connect

  1. Run Microsoft Entra Connect, choose Change user sign-in page and click Next.
  2. Uncheck the Enable single sign-on option. Continue through the wizard.

After completing the wizard, Seamless SSO will be disabled on your tenant. However, you'll see a message on screen that reads as follows:

"Single sign-on is now disabled, but there are other manual steps to perform in order to complete clean-up. Learn more"

To complete the clean-up process, follow steps 2 and 3 on the on-premises server where you're running Microsoft Entra Connect.

Option B: Disable using PowerShell

Run the following steps on the on-premises server where you're running Microsoft Entra Connect:

  1. First, download, and install Azure AD PowerShell.
  2. Navigate to the $env:ProgramFiles"\Microsoft Azure Active Directory Connect" folder.
  3. Import the Seamless SSO PowerShell module using this command: Import-Module .\AzureADSSO.psd1.
  4. Run PowerShell as an Administrator. In PowerShell, call New-AzureADSSOAuthenticationContext. This command should give you a popup to enter your tenant's Global Administrator or Hybrid Identity Administrator credentials.
  5. Call Enable-AzureADSSO -Enable $false.

At this point Seamless SSO is disabled but the domains will remain configured in case you would like to enable Seamless SSO back. If you would like to remove the domains from Seamless SSO configuration completely, call the following cmdlet after you completed step 5 above: Disable-AzureADSSOForest -DomainFqdn <fqdn>.

Important

Disabling Seamless SSO using PowerShell won't change the state in Microsoft Entra Connect. Seamless SSO will show as enabled in the Change user sign-in page.

Step 2. Get list of AD forests where Seamless SSO has been enabled

Follow tasks 1 through 4 if you have disabled Seamless SSO using Microsoft Entra Connect. If you have disabled Seamless SSO using PowerShell instead, jump ahead to task 5.

  1. First, download, and install Azure AD PowerShell.
  2. Navigate to the $env:ProgramFiles"\Microsoft Azure Active Directory Connect" folder.
  3. Import the Seamless SSO PowerShell module using this command: Import-Module .\AzureADSSO.psd1.
  4. Run PowerShell as an Administrator. In PowerShell, call New-AzureADSSOAuthenticationContext. This command should give you a popup to enter your tenant's Global Administrator or Hybrid Identity Administrator credentials.
  5. Call Get-AzureADSSOStatus | ConvertFrom-Json. This command provides you the list of AD forests (look at the "Domains" list) on which this feature has been enabled.

Step 3. Manually delete the AZUREADSSO computer account from each AD forest that you see listed.

Next steps