Azure Seamless SSO on domain joined device

Paul S 1 Reputation point
2024-06-20T20:44:24.62+00:00

If I have an AD domain joined Windows 10 22H2 device that is only Entra ID registered then full SSO will never work, but if I configure Azure Seamless SSO only the following works:

- Office 365 Apps login (excl. Teams)
- Browser SSO such as to https://portal.office.com

What doesn't work is automatically logging into Teams, where you will always have to authenticate. You also need to enter your password to log in to Edge itself. Is this correct?

For the device, it doesn't need to be synced to Entra ID using AADConnect?


2 answers

  1. Fabio Andrade 725 Reputation points Microsoft Employee
    2024-06-20T22:14:00.1233333+00:00

    Hi @Paul S

    Thanks for reaching out to Microsoft Q&A.

    If your device is registered, and you have an Entra ID account, the device will use an artifact called "PRT" (Primary Refresh Token) for SSO. Since the device is already registered, there's no need to sync it from your on-premises infra. You can definitely enable SSSO on your Entra ID Connect though as it won't do any harm to your current environment.

    https://video2.skills-academy.com/en-us/entra/identity/hybrid/connect/how-to-connect-sso#sso-via-primary-refresh-token-vs-seamless-sso


    Let me know if you have any questions.

    Thanks,

    Fabio

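The answer above turns on whether the device holds a PRT. The following PowerShell script is an added example (not code from the thread, from Microsoft, or from the asker) that reads the join and SSO state from `dsregcmd /status` and reports which SSO path a device can use. It assumes `dsregcmd.exe` is on the PATH (it ships with Windows 10/11) and that its output contains the `AzureAdJoined`, `EnterpriseJoined`, `DomainJoined`, `WorkplaceJoined` and `AzureAdPrt` fields in the usual `Name : YES/NO` form; the sample output embedded for an offline run is constructed to model the asker's scenario.

```powershell
# Added example, not code from the Q&A thread or from Microsoft.
# Summarises the join and PRT state reported by `dsregcmd /status`, so an admin
# can see whether PRT-based SSO is available or only Seamless SSO (Kerberos
# against the on-prem DC) can apply. Field names are assumed from dsregcmd output.

function Get-DeviceSsoState {
    param(
        # Raw dsregcmd output lines; defaults to querying the local machine.
        [string[]]$StatusLines = (& dsregcmd.exe /status)
    )

    $fields = @{
        AzureAdJoined    = $false
        EnterpriseJoined = $false
        DomainJoined     = $false
        WorkplaceJoined  = $false
        AzureAdPrt       = $false
    }

    foreach ($line in $StatusLines) {
        # dsregcmd prints "Name : VALUE" pairs; keep only the fields that matter here
        if ($line -match '^\s*(AzureAdJoined|EnterpriseJoined|DomainJoined|WorkplaceJoined|AzureAdPrt)\s*:\s*(\S+)') {
            $fields[$Matches[1]] = ($Matches[2] -eq 'YES')
        }
    }

    # Classify the join type from the device/user state flags.
    $joinType = if ($fields.AzureAdJoined -and $fields.DomainJoined) { 'Hybrid Entra joined' }
                elseif ($fields.AzureAdJoined) { 'Entra joined' }
                elseif ($fields.DomainJoined -and $fields.WorkplaceJoined) { 'AD domain joined + Entra registered' }
                elseif ($fields.DomainJoined) { 'AD domain joined only' }
                elseif ($fields.WorkplaceJoined) { 'Entra registered only' }
                else { 'Not joined or registered' }

    # A PRT is what Entra-aware apps and browsers use for SSO. Without one, the
    # domain account can only rely on Seamless SSO (Kerberos), if it is enabled
    # in Entra Connect, which covers fewer sign-in paths.
    $ssoPath = if ($fields.AzureAdPrt) { 'PRT present: PRT-based SSO available' }
               else { 'No PRT: only Seamless SSO (Kerberos) can apply, if enabled' }

    [pscustomobject]@{
        JoinType   = $joinType
        AzureAdPrt = $fields.AzureAdPrt
        SsoPath    = $ssoPath
    }
}

# Constructed sample of dsregcmd output for an offline run; it models the asker's
# scenario (AD domain joined, Entra registered, PRT obtained for the work account).
$sampleStatus = @(
    '+----------------------------------------------------------------------+',
    '| Device State                                                         |',
    '+----------------------------------------------------------------------+',
    '             AzureAdJoined : NO',
    '          EnterpriseJoined : NO',
    '              DomainJoined : YES',
    '                DomainName : CORP',
    '+----------------------------------------------------------------------+',
    '| User State                                                           |',
    '+----------------------------------------------------------------------+',
    '           WorkplaceJoined : YES',
    '+----------------------------------------------------------------------+',
    '| SSO State                                                            |',
    '+----------------------------------------------------------------------+',
    '                AzureAdPrt : YES'
)

Get-DeviceSsoState -StatusLines $sampleStatus
# Run Get-DeviceSsoState with no arguments to inspect the machine you are on.
```

Run it in the signed-in user's session rather than an elevated or SYSTEM context, because the `User State` and `SSO State` sections (and therefore `WorkplaceJoined` and `AzureAdPrt`) describe the current user's token state.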

  2. Neuvi Jiang 465 Reputation points Microsoft Vendor
    2024-06-21T07:57:38.85+00:00

    Hi Paul S,

    Thank you for posting in the Q&A Forums.

    For Seamless SSO to work fully between Windows 10 22H2 AD domain devices and Azure AD, you may want to consider the following:

    Ensure that the synchronization between Azure AD and the local AD (if applicable) is configured correctly and that a tool such as AADConnect is used for synchronization.

    Check the configuration and policy settings for Teams and Edge browsers to ensure that they support seamless SSO for Azure AD.

    Consider using other authentication methods (e.g., OAuth, SAML, etc.) to enhance the SSO experience if needed.

    Best regards

    NeuviJ

