Turning off Seamless single sign-on - AZUREADSSOACC - Seamless SSO object for Microsoft Entra Connect

EnterpriseArchitect 5,516 Reputation points
2024-11-27T06:28:57.7+00:00

I need some help and guidance in Turning off Seamless single sign-on as we are already using Hybrid Azure AD / Entra ID with Password Hash Sync.

Screenshot 2024-11-27 172223

There is an AD object called AZUREADSSOACC - Seamless SSO object for Microsoft Entra Connect.

Screenshot 2024-11-27 172547

What will be the procedure and the caveats or the impact when this is turned off during business hours?

Any help would be greatly appreciated.

Thank you in advance.

Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
6,764 questions
Active Directory Federation Services
Active Directory Federation Services
An Active Directory technology that provides single-sign-on functionality by securely sharing digital identity and entitlement rights across security and enterprise boundaries.
1,282 questions
Microsoft Entra
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
22,645 questions
0 comments No comments
{count} votes

Accepted answer
  1. Andy David - MVP 151K Reputation points MVP
    2024-11-27T13:01:13.8633333+00:00

    Hi, I recently did this and followed:

    No need to disable off hours.

    https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-sso-faq#how-can-i-disable-seamless-sso-

    Issues I encountered:

    I was unable to disable via the AADConnect Wizard. It simply said it couldnt be disabled. Not sure why ( We have two AADConnect Servers)

    I used the powershell steps to disable and that worked.

    Making the change in powershell does NOT clear the checkbox for Seamless SSO in the Wizard but thats fine.

    2nd issue encountered: There was a process to logon to an Azure SQL database that used integrated Windows Auth, it began to fail after that. Once it was changed to ActiveDirectoryPassword, it worked

    https://learn.microsoft.com/en-us/sql/connect/jdbc/connecting-using-azure-active-directory-authentication?view=sql-server-ver16#connect-using-activedirectorydefault-authentication-mode

    Otherwise, no complaints from any end-users. Even if your users are not on Windows 11, disabling does not prevent them from accessing Azure workloads so there is really no downside to disabling this and I would recommend you do as its a security issue to have it enabled.

    2 people found this answer helpful.

1 additional answer

Sort by: Most helpful
  1. FrankEscarosBuechsel-MSFT 575 Reputation points Microsoft Employee
    2024-11-27T09:53:09.58+00:00

    Hi @EnterpriseArchitect • Thank you for reaching out.

    You are looking for possible side effects and the actual process of disabling Seamless Single-Sign On from reading through your question.

    Seamless SSO allows for the browser to create a background challenge to receive a ticket via the process described in this Learn article: How does Seamless SSO work?. Once an authentication challenge has been passed nothing will happen until the authentication expires. On expiry depending on other authentication factors possible your users may be challenged to re-authenticate, in other words your users may get challenged to enter their user name and password and potentially other factors again, depending on the overall setup you are running in the worst case once their existing logins expire.

    The detailed process on how to disable Seamless SSO is described in the following Learn article: How can I disable Seamless SSO?.

    I will leave a high level summary for that process here as well, the details for each step are referenced in the above documentation:

    1. Disable the feature on your tenant via either Entra Connect or PowerShell (Disabling Seamless SSO using PowerShell won't change the state in Microsoft Entra Connect. Seamless SSO shows as enabled in the Change user sign-in page.)
    2. Get list of AD forests where Seamless SSO has been enabled via PowerShell (this is to complete step 3 fully, if you have a relatively small Active Directory implementation this may not be necessary for your use case)
    3. Manually delete the **AZUREADSSO **computer account from each AD forest that you see listed.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.