Microsoft has not currently made it easy to figure out how to configure Seamless Single Sign-On when using AAD Connect Cloud Provisioning. Here is how!
This blog post assumes that you have already followed the Microsoft guides to install and configure Cloud Provisioning, but here are a few quick screenshots.
So, how you have your users in Azure AD, but Seamless SSO is listed as a supported feature for Azure AD Connect Cloud Provisioning, but where to configure it?
Well, right now Microsoft has not made this easy. First, add https://autologon.microsoftazuread-sso.com as a local intranet site in a GPO or other means.
Second, you need to use PowerShell, and you need multiple files from a regular Azure AD Connect installation. These files can be found HERE – but if you don’t trust my zip file, you can install Azure AD Connect yourself and extract it (no need to run the whole wizard). The files you need are as follows, and can be found in ‘%programfiles%\Microsoft Azure Active Directory Connect’:
- AzureADSSO.psd1
- Microsoft.IdentityModel.Clients.ActiveDirectory.dll
- Microsoft.KerberosAuth.KerberosAuthInterface.dll
- Microsoft.KerberosAuth.PowerShell.dll
Save the zip file in c:\temp, extract it and run the following PowerShell cmdlets (one by one for simpler troubleshooting). The cmdlet is referenced more detailed here.
Unblock-File c:\temp\AzureADSSO.psd1
Unblock-File c:\temp\Microsoft.IdentityModel.Clients.ActiveDirectory.dll
Unblock-File c:\temp\Microsoft.KerberosAuth.KerberosAuthInterface.dll
Unblock-File c:\temp\Microsoft.KerberosAuth.PowerShell.dll
Install-Module AzureAD
Import-Module .\AzureADSSO.psd1
New-AzureADSSOAuthenticationContext # Use your global administrator
Enable-AzureADSSOForest # Use your domain admin credentials when prompted
Enable-AzureADSSO -Enable $true
Again: Remember to add https://autologon.microsoftazuread-sso.com as a local intranet site in a GPO or other means.
Good luck! 🙂
Good Workaround! 