Unit 5: Explore Pass-Through Authentication and Seamless Single Sign-On (SSO)
1. Overview of Seamless Single Sign-On (Seamless SSO)
Microsoft Entra Seamless Single Sign-On (SSO) is a feature that enables users on domain-joined corporate devices to sign in to Microsoft Entra ID (Azure AD) automatically — without having to type in their username or password again.
When Seamless SSO is enabled, users who are already logged into their Windows domain accounts are automatically signed into Microsoft 365 or other cloud apps when using browsers or supported native clients — as long as they are connected to the corporate network.
Key idea:
- Seamless SSO doesn’t replace authentication methods (like PHS or PTA).
- Instead, it enhances them by removing the need for users to re-enter credentials.
It provides the same “single sign-on” experience you would expect inside a traditional enterprise network, but extended into Microsoft Entra-based cloud services.
2. Benefits of Seamless SSO
| Benefit | Description |
|---|---|
| Improved user experience | Users automatically sign in without typing passwords when on the corporate network. |
| No additional infrastructure | Works with existing AD DS and Entra Connect — no AD FS or proxy servers required. |
| Easy to deploy and manage | Can be enabled through Entra Connect with a few clicks. |
| Secure and standards-based | Uses Kerberos authentication, the same protocol trusted in Active Directory. |
| Flexible deployment | Can be rolled out to specific users via Group Policy before organization-wide rollout. |
3. How Seamless SSO Works (Web Browser Flow)
Let’s go step-by-step through what happens when a user signs in through a web browser such as Microsoft Edge or Chrome.
- User accesses a cloud resource.
  Example: A user opens from a domain-joined workstation on the corporate network.
- User is redirected to the Microsoft Entra sign-in page.
  The sign-in page detects that Seamless SSO is enabled for the tenant.
- User enters their username (UPN).
  As soon as the username domain (e.g., contoso.com) is recognized, Microsoft Entra ID triggers a Kerberos challenge behind the scenes.
- Kerberos ticket request.
  - Microsoft Entra ID sends a 401 Unauthorized response to the browser, asking for Kerberos authentication.
  - The browser contacts Active Directory to request a Kerberos ticket for the special computer account called AZUREADSSOACC.
  - This computer account was automatically created in AD when Seamless SSO was enabled.
- Ticket issuance.
  - AD returns a Kerberos service ticket encrypted with the AZUREADSSOACC account’s secret key.
  - The browser forwards the ticket to Microsoft Entra ID.
- Microsoft Entra ID validates the ticket.
  - Microsoft Entra ID decrypts the Kerberos ticket and verifies the user’s identity.
  - If successful, Entra ID issues a token and the user is logged in automatically, with no password required.
This flow is entirely transparent to the user.
4. How Seamless SSO Works (Native Client Flow)
The same principles apply when users connect via native applications (like the Outlook desktop client).
- The native app retrieves the user’s domain credentials from the current Windows logon session.
- The app contacts Microsoft Entra ID and requests authentication through a WS-Trust MEX endpoint.
- Microsoft Entra ID issues a Kerberos challenge.
- The app obtains a Kerberos ticket for the AZUREADSSOACC account from AD.
- The app presents the ticket to Microsoft Entra ID, which validates it and issues tokens (access, refresh, and ID tokens).
- The user gains access to the app without re-entering credentials.
This mechanism ensures that both web-based and desktop clients enjoy passwordless access inside the network.
5. The AZUREADSSOACC Account Explained
When Seamless SSO is enabled, Microsoft Entra Connect automatically creates a computer account named AZUREADSSOACC in your on-premises Active Directory.
Purpose:
- Acts as a service account to facilitate Kerberos authentication between AD DS and Microsoft Entra ID.
- Stores a long, random cryptographic key that is also securely shared with Microsoft Entra ID.
Location:
- Created in the same AD forest where Entra Connect is installed, typically under the Computers container.
- You can relocate it later to a more secure OU if desired.
Security note:
- Never modify or reset the password of this account manually.
- It has no logon permissions and is used solely for Kerberos ticket encryption/decryption.
6. Enabling Seamless SSO
You can enable Seamless SSO during or after the installation of Microsoft Entra Connect.
Option 1: During Installation
- Launch Microsoft Entra Connect.
- Choose either Password Hash Synchronization or Pass-Through Authentication as your sign-in method.
- On the “Enable single sign-on” screen, select Enable single sign-on.
- Provide domain administrator credentials when prompted — this allows Entra Connect to create the AZUREADSSOACC account and set up the required SPNs (Service Principal Names).
- Complete the wizard.
Option 2: After Installation
- Open Microsoft Entra Connect Wizard → Change user sign-in.
- Select your existing authentication method (PHS or PTA).
- Check the box for Enable single sign-on.
- Enter domain admin credentials.
- Complete setup.
Once enabled, Seamless SSO is automatically turned on for all users whose devices are domain-joined and connected to the internal corporate network.
7. Testing Seamless SSO
To verify that Seamless SSO is working:
- Log in to a domain-joined machine.
- Open a browser like Microsoft Edge or Chrome.
- Navigate to .
- You should be signed in automatically without entering your password.
If you are prompted for credentials, check:
- Whether the user’s device is domain-joined.
- Whether the machine is on the internal network (not through VPN).
- Whether the browser supports Integrated Windows Authentication (IWA).
- Whether the AZUREADSSOACC SPN exists and is accessible.
8. Browser Configuration
Only browsers that support Kerberos authentication can be used for Seamless SSO.
Supported Browsers:
- Microsoft Edge (recommended)
- Internet Explorer (on Windows)
- Google Chrome (on Windows, with policies configured)
- Mozilla Firefox (with manual settings)
Browser Settings:
- Add Microsoft Entra URLs (like https://login.microsoftonline.com and https://autologon.microsoftazuread-sso.com) to the Local Intranet zone in Windows Internet Options.
- For Chrome and Firefox, enable “Allow automatic logon only in Intranet zone” or use a GPO to configure automatic authentication.
9. Interaction Between Seamless SSO, PHS, and PTA
Seamless SSO doesn’t handle authentication alone — it works alongside an existing sign-in method.
| Feature | Handles Password Verification | Handles Silent Sign-In |
|---|---|---|
| Password Hash Sync (PHS) | Microsoft Entra ID | Seamless SSO (via Kerberos) |
| Pass-Through Authentication (PTA) | On-prem AD (via agents) | Seamless SSO (via Kerberos) |
- Without Seamless SSO: Users must type their credentials into the Entra sign-in page, even on corporate devices.
- With Seamless SSO: The credentials are obtained automatically from the Windows logon session, skipping the password prompt entirely.
10. Security Considerations
- Seamless SSO only works when users are inside the corporate network — it doesn’t bypass MFA or Conditional Access.
- The Kerberos ticket expires periodically; after expiration, users might need to sign in again or obtain a new ticket automatically.
- Seamless SSO supports PHS and PTA, but not Federation (AD FS). Federated environments already provide their own SSO experience.
- Ensure your domain controllers are reachable from clients for Kerberos authentication.
- Protect the AZUREADSSOACC account — consider denying logon locally and interactively as part of hardening.
11. Troubleshooting Seamless SSO
Common issues and their solutions:
| Issue | Possible Cause | Resolution |
|---|---|---|
| Users are prompted for credentials | Browser not configured for IWA or not in intranet zone | Add Entra URLs to Intranet zone / enable “Automatic logon” |
| Seamless SSO not working at all | AZUREADSSOACC account missing or disabled | Re-run Entra Connect Wizard and re-enable Seamless SSO |
| Kerberos error “KDC_ERR_S_PRINCIPAL_UNKNOWN” | SPN missing from AZUREADSSOACC | Use PowerShell to verify and restore SPN: setspn -L AZUREADSSOACC |
| Works internally but not via VPN | Kerberos doesn’t function over VPN if ticketing ports are blocked | Use Conditional Access or VPN split tunneling for external sign-ins |
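The checks in sections 7, 8 and 11 can be run in one pass from a domain-joined client. The script below is an added example, not part of the course material or of Microsoft's tooling; it assumes the RSAT ActiveDirectory module is installed for the account check, and it uses the SPN HTTPS/autologon.microsoftazuread-sso.com that Entra Connect registers on AZUREADSSOACC. Everything it does is read-only.

```powershell
# Added example: read-only Seamless SSO prerequisite checks (sections 7, 8 and 11).
# Assumes the RSAT ActiveDirectory module for the AZUREADSSOACC lookup.
function Test-SeamlessSsoPrereqs {
    $results = [ordered]@{}

    # 1. Device must be domain-joined (section 7, first check).
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $results['DomainJoined'] = [bool]$cs.PartOfDomain

    # 2. AZUREADSSOACC must exist, be enabled and carry the autologon SPN
    #    (section 5, and the KDC_ERR_S_PRINCIPAL_UNKNOWN row in section 11).
    $spn = 'HTTPS/autologon.microsoftazuread-sso.com'
    if (Get-Module -ListAvailable -Name ActiveDirectory) {
        $acc = Get-ADComputer -Filter "Name -eq 'AZUREADSSOACC'" -Properties servicePrincipalName, Enabled, PasswordLastSet
        $results['AccountPresent'] = [bool]$acc
        $results['AccountEnabled'] = [bool]($acc -and $acc.Enabled)
        $results['SpnRegistered']  = [bool]($acc -and ($acc.servicePrincipalName -contains $spn))
        $results['KeyLastSet']     = if ($acc) { $acc.PasswordLastSet } else { $null }
    } else {
        $results['AccountPresent'] = 'unknown (ActiveDirectory module not installed)'
    }

    # 3. The browser must treat the Entra autologon host as Local Intranet (section 8).
    #    Either the per-user zone map or the GPO "Site to Zone Assignment List" satisfies this.
    $userZone   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\microsoftazuread-sso.com\autologon'
    $policyZone = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
    $inIntranet = $false
    if (Test-Path $userZone) {
        # Zone value 1 = Local Intranet
        $inIntranet = ((Get-ItemProperty -Path $userZone).https -eq 1)
    }
    if (-not $inIntranet -and (Test-Path $policyZone)) {
        $v = (Get-ItemProperty -Path $policyZone).'https://autologon.microsoftazuread-sso.com'
        $inIntranet = ($v -eq '1')
    }
    $results['AutologonInIntranetZone'] = $inIntranet

    # 4. After a browser sign-in attempt the logon session should hold a service
    #    ticket for the SPN; if it is missing, check DC reachability (section 10).
    $ticket = klist 2>$null | Select-String -SimpleMatch 'autologon.microsoftazuread-sso.com'
    $results['KerberosTicketCached'] = [bool]$ticket

    [pscustomobject]$results
}

Test-SeamlessSsoPrereqs | Format-List
```

Run it once before and once after visiting the sign-in page; a device that passes checks 1 to 3 but never gains a ticket in check 4 is usually blocked between client and domain controller rather than misconfigured in the browser.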
12. Real-World Example
Scenario:
Contoso Manufacturing uses Pass-Through Authentication but wants a smoother sign-in experience for employees working in the main office.
Solution:
- Enable Seamless SSO through Entra Connect.
- Deploy Group Policy to automatically configure browser settings on all domain-joined PCs.
- Keep PTA as the main authentication method to enforce real-time password validation.
Result:
Employees at headquarters open Outlook, Teams, or SharePoint and are signed in automatically — no passwords required.
Remote workers still enter credentials, ensuring security outside the network.
13. Exam Tips
- Seamless SSO works only with PHS or PTA, not with AD FS (federation).
- It uses the Kerberos protocol and the AZUREADSSOACC computer account in AD.
- Users must be domain-joined and on the internal network.
- Browsers must support Integrated Windows Authentication (IWA).
- Seamless SSO simplifies user experience — it does not replace authentication or enforce Conditional Access.
- To enable: rerun Entra Connect → Change user sign-in → check Enable single sign-on.
14. Summary
Seamless Single Sign-On bridges the user experience gap between on-premises and cloud authentication.
It provides:
- Frictionless access for users on corporate networks.
- No extra infrastructure requirements.
- Integration with PHS and PTA for secure, password-based sign-ins.
By leveraging Kerberos authentication and the AZUREADSSOACC service account, Seamless SSO delivers the best of both worlds — simplicity for users and control for administrators.