Enabling Seamless Single Sign-On when using Azure AD Connect Cloud Provisioning

Microsoft has not currently made it easy to figure out how to configure Seamless Single Sign-On when using AAD Connect Cloud Provisioning. Here is how!

This blog post assumes that you have already followed the Microsoft guides to install and configure Cloud Provisioning, but here are a few quick screenshots.

Accept and install
Authenticate with a global administrator account
Add you domain using your domain admin credentials. These credentials are not stored.
Voila, the setup is completed.
The “New configuration” button is now available – click it
Configure your domain, group / OU filters etc. and save.

So, how you have your users in Azure AD, but Seamless SSO is listed as a supported feature for Azure AD Connect Cloud Provisioning, but where to configure it?

Well, right now Microsoft has not made this easy. First, add https://autologon.microsoftazuread-sso.com as a local intranet site in a GPO or other means.

Second, you need to use PowerShell, and you need multiple files from a regular Azure AD Connect installation. These files can be found HERE – but if you don’t trust my zip file, you can install Azure AD Connect yourself and extract it (no need to run the whole wizard). The files you need are as follows, and can be found in ‘%programfiles%\Microsoft Azure Active Directory Connect’:

  • AzureADSSO.psd1
  • Microsoft.IdentityModel.Clients.ActiveDirectory.dll
  • Microsoft.KerberosAuth.KerberosAuthInterface.dll
  • Microsoft.KerberosAuth.PowerShell.dll

Save the zip file in c:\temp, extract it and run the following PowerShell cmdlets (one by one for simpler troubleshooting). The cmdlet is referenced more detailed here.

Unblock-File c:\temp\AzureADSSO.psd1
Unblock-File c:\temp\Microsoft.IdentityModel.Clients.ActiveDirectory.dll
Unblock-File c:\temp\Microsoft.KerberosAuth.KerberosAuthInterface.dll
Unblock-File c:\temp\Microsoft.KerberosAuth.PowerShell.dll 

Install-Module AzureAD
Import-Module .\AzureADSSO.psd1
New-AzureADSSOAuthenticationContext # Use your global administrator
Enable-AzureADSSOForest # Use your domain admin credentials when prompted
Enable-AzureADSSO -Enable $true
Voila, “Seamless single sign-on” is now Enabled

Again: Remember to add https://autologon.microsoftazuread-sso.com as a local intranet site in a GPO or other means.

Good luck! 🙂

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s