Azure Active Directory Seamless Single Sign-On: Quick start

Deploy Seamless Single Sign-On

Azure Active Directory (Azure AD) Seamless Single Sign-On (Seamless SSO) automatically signs in users when they are on their corporate desktops that are connected to your corporate network. Seamless SSO provides your users with easy access to your cloud-based applications without needing any additional on-premises components.

To deploy Seamless SSO, follow these steps.

Step 1: Check the prerequisites

Ensure that the following prerequisites are in place:

  • Set up your Azure AD Connect server: If you use Pass-through Authentication as your sign-in method, no additional prerequisite check is required. If you use password hash synchronization as your sign-in method, and if there is a firewall between Azure AD Connect and Azure AD, ensure that:

    • You use version 1.1.644.0 or later of Azure AD Connect.
    • If your firewall or proxy allows DNS whitelisting, whitelist the connections to the *.msappproxy.net URLs over port 443. If not, allow access to the Azure datacenter IP ranges, which are updated weekly. This prerequisite is applicable only when you enable the feature. It is not required for actual user sign-ins.

      Note

      Azure AD Connect versions 1.1.557.0, 1.1.558.0, 1.1.561.0, and 1.1.614.0 have a problem related to password hash synchronization. If you don't intend to use password hash synchronization in conjunction with Pass-through Authentication, read the Azure AD Connect release notes to learn more.

  • Set up domain administrator credentials: You need to have domain administrator credentials for each Active Directory forest that:

    • You synchronize to Azure AD through Azure AD Connect.
    • Contains users you want to enable for Seamless SSO.

Step 2: Enable the feature

Enable Seamless SSO through Azure AD Connect.

If you're doing a fresh installation of Azure AD Connect, choose the custom installation path. At the User sign-in page, select the Enable single sign on option.

If you already have an installation of Azure AD Connect, select the Change user sign-in page in Azure AD Connect, and then select Next.

Continue through the wizard until you get to the Enable single sign on page. Provide domain administrator credentials for each Active Directory forest that:

  • You synchronize to Azure AD through Azure AD Connect.
  • Contains users you want to enable for Seamless SSO.

After completion of the wizard, Seamless SSO is enabled on your tenant.

Note

The domain administrator credentials are not stored in Azure AD Connect or in Azure AD. They're used only to enable the feature.

Follow these instructions to verify that you have enabled Seamless SSO correctly:

  1. Sign in to the Azure Active Directory administrative center with the global administrator credentials for your tenant.
  2. Select Azure Active Directory in the left pane.
  3. Select Azure AD Connect.
  4. Verify that the Seamless single sign-on feature appears as Enabled.

Step 3: Roll out the feature

To roll out the feature to your users, you need to add the following Azure AD URLs to the users' Intranet zone settings by using Group Policy in Active Directory:

  • https://autologon.microsoftazuread-sso.com
  • https://aadg.windows.net.nsatc.net

In addition, you need to enable an Intranet zone policy setting called Allow updates to status bar via script through Group Policy.

Note

The following instructions work only for Internet Explorer and Google Chrome on Windows (if it shares a set of trusted site URLs with Internet Explorer). Read the next section for instructions on how to set up Mozilla Firefox and Google Chrome on Mac.

Why do you need to modify users' Intranet zone settings?

By default, the browser automatically calculates the correct zone, either Internet or Intranet, from a specific URL. For example, "http://contoso/" maps to the Intranet zone, whereas "http://intranet.contoso.com/" maps to the Internet zone (because the URL contains a period). Browsers don't send Kerberos tickets to a cloud endpoint, like the two Azure AD URLs, unless you explicitly add the URL to the browser's Intranet zone.

Detailed steps

  1. Open the Group Policy Management Editor tool.
  2. Edit the group policy that's applied to some or all your users. This example uses Default Domain Policy.
  3. Browse to User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page. Then select Site to Zone Assignment List.
  4. Enable the policy, and then enter the following values in the dialog box:

    • Value name: The Azure AD URLs where the Kerberos tickets are forwarded.
    • Value (Data): 1 indicates the Intranet zone.

    The result looks like this:

    Value: https://autologon.microsoftazuread-sso.com
    Data: 1

    Value: https://aadg.windows.net.nsatc.net
    Data: 1

    Note

    If you want to disallow some users from using Seamless SSO (for instance, if these users sign in on shared kiosks), set the preceding values to 4. This action adds the Azure AD URLs to the Restricted zone, which causes Seamless SSO to fail every time for those users.

  5. Select OK, and then select OK again.

  6. Browse to User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone. Then select Allow updates to status bar via script.

  7. Enable the policy setting, and then select OK.


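As an added check (not code from the original article), the following PowerShell script audits whether the two policy settings from the steps above have actually reached a user's registry hive. It assumes the standard Internet Explorer policy locations: the zone map under the user-level Internet Settings policy key, and URL action 2103 representing the status bar setting.

```powershell
# Added audit script, not part of the original article. It reads the per-user
# registry locations that the Group Policy settings from Step 3 populate:
#   - Site to Zone Assignment List -> ...\Internet Settings\ZoneMapKey (REG_SZ: URL = zone number)
#   - Allow updates to status bar via script -> ...\Internet Settings\Zones\1, URL action 2103 (0 = enabled)
# Run it as a user who received the policy (for example after gpupdate /force).

$SsoUrls = @(
    'https://autologon.microsoftazuread-sso.com',
    'https://aadg.windows.net.nsatc.net'
)
$PolicyRoot      = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$ZoneMapKey      = Join-Path $PolicyRoot 'ZoneMapKey'
$IntranetZoneKey = Join-Path $PolicyRoot 'Zones\1'

function Get-PolicyValue {
    # Returns $null instead of throwing when the key or the value is absent.
    param([string]$Key, [string]$Name)
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$allGood = $true
foreach ($url in $SsoUrls) {
    $zone = Get-PolicyValue -Key $ZoneMapKey -Name $url
    if ($null -eq $zone) {
        Write-Host "[FAIL] $url is not in the Site to Zone Assignment List"
        $allGood = $false
    } elseif ("$zone" -eq '1') {
        Write-Host "[OK]   $url is mapped to the Intranet zone (1)"
    } elseif ("$zone" -eq '4') {
        # Value 4 is the documented opt-out (Restricted zone): SSO is blocked on purpose.
        Write-Host "[INFO] $url is mapped to the Restricted zone (4); Seamless SSO is deliberately disabled"
    } else {
        Write-Host "[FAIL] $url is mapped to zone $zone; expected 1"
        $allGood = $false
    }
}

$statusBar = Get-PolicyValue -Key $IntranetZoneKey -Name '2103'
if ($statusBar -eq 0) {
    Write-Host "[OK]   'Allow updates to status bar via script' is enabled for the Intranet zone"
} else {
    Write-Host "[FAIL] 'Allow updates to status bar via script' is not enabled (2103 = $statusBar)"
    $allGood = $false
}

if ($allGood) { 'Seamless SSO browser policy looks complete for this user.' }
else { 'Seamless SSO browser policy is incomplete; review the Group Policy result (gpresult /h report.html).' }
```

A machine-level assignment (Computer Configuration) lands under the same subpath below HKLM instead of HKCU; the script only inspects the user hive because the steps above use User Configuration.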
Browser considerations

Mozilla Firefox (all platforms)

Mozilla Firefox doesn't automatically use Kerberos authentication. Each user must manually add the Azure AD URLs to their Firefox settings by using the following steps:

  1. Run Firefox and enter about:config in the address bar. Dismiss any notifications that you see.
  2. Search for the network.negotiate-auth.trusted-uris preference. This preference lists Firefox's trusted sites for Kerberos authentication.
  3. Right-click and select Modify.
  4. Enter https://autologon.microsoftazuread-sso.com, https://aadg.windows.net.nsatc.net in the field.
  5. Select OK and then reopen the browser.

Safari (Mac OS)

Ensure that the machine running the Mac OS is joined to Azure AD. For instructions on joining Azure AD, see Best Practices for Integrating OS X with Active Directory.

Google Chrome (all platforms)

If you have overridden the AuthNegotiateDelegateWhitelist or the AuthServerWhitelist policy settings in your environment, ensure that you add Azure AD's URLs (https://autologon.microsoftazuread-sso.com and https://aadg.windows.net.nsatc.net) to them as well.

Google Chrome (Mac OS only)

For Google Chrome on Mac OS and other non-Windows platforms, refer to The Chromium Project Policy List for information on how to whitelist the Azure AD URLs for integrated authentication.

The use of third-party Active Directory Group Policy extensions to roll out the Azure AD URLs to Firefox and Google Chrome on Mac users is outside the scope of this article.

Known browser limitations

Seamless SSO doesn't work in private browsing mode on Firefox and Edge browsers. It also doesn't work on Internet Explorer if the browser is running in Enhanced Protected mode.

Step 4: Test the feature

To test the feature for a specific user, ensure that all the following conditions are in place:

  • The user signs in on a corporate device.
  • The device is joined to your Active Directory domain.
  • The device has a direct connection to your domain controller (DC), either on the corporate wired or wireless network or via a remote access connection, such as a VPN connection.
  • You have rolled out the feature to this user through Group Policy.

To test the scenario where the user enters only the username, but not the password:

To test the scenario where the user doesn't have to enter the username or the password, use one of these steps:

Step 5: Roll over keys

In Step 2, Azure AD Connect creates computer accounts (representing Azure AD) in all the Active Directory forests on which you have enabled Seamless SSO. To learn more, see Azure Active Directory Seamless Single Sign-On: Technical deep dive. For improved security, we recommend that you periodically roll over the Kerberos decryption keys of these computer accounts. For instructions on how to roll over keys, see Azure Active Directory Seamless Single Sign-On: Frequently asked questions.

Important

You don't need to do this step immediately after you have enabled the feature. Roll over the Kerberos decryption keys at least once every 30 days.

Next steps

  • Technical deep dive: Understand how the Seamless Single Sign-On feature works.
  • Frequently asked questions: Get answers to frequently asked questions about Seamless Single Sign-On.
  • Troubleshoot: Learn how to resolve common problems with the Seamless Single Sign-On feature.
  • UserVoice: Use the Azure Active Directory Forum to file new feature requests.