Turning off Seamless single sign-on - AZUREADSSOACC - Seamless SSO object for Microsoft Entra Connect

EnterpriseArchitect 5,516 Reputation points
2024-11-27T06:28:57.7+00:00

I need some help and guidance in Turning off Seamless single sign-on as we are already using Hybrid Azure AD / Entra ID with Password Hash Sync.

There is an AD object called AZUREADSSOACC - Seamless SSO object for Microsoft Entra Connect.

What will be the procedure and the caveats or the impact when this is turned off during business hours?

Any help would be greatly appreciated.

Thank you in advance.


Accepted answer
  1. Andy David - MVP 151K Reputation points MVP
    2024-11-27T13:01:13.8633333+00:00

    Hi, I recently did this and followed:

    No need to disable off hours.

    https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-sso-faq#how-can-i-disable-seamless-sso-

    Issues I encountered:

    I was unable to disable via the AADConnect Wizard. It simply said it couldn't be disabled. Not sure why (we have two AADConnect servers).

    I used the PowerShell steps to disable and that worked.

    Making the change in PowerShell does NOT clear the checkbox for Seamless SSO in the Wizard, but that's fine.

    Second issue encountered: there was a process that logged on to an Azure SQL database using integrated Windows auth, and it began to fail after that. Once it was changed to ActiveDirectoryPassword, it worked.

    https://learn.microsoft.com/en-us/sql/connect/jdbc/connecting-using-azure-active-directory-authentication?view=sql-server-ver16#connect-using-activedirectorydefault-authentication-mode

    Otherwise, no complaints from any end users. Even if your users are not on Windows 11, disabling does not prevent them from accessing Azure workloads, so there is really no downside to disabling this, and I would recommend you do, as it's a security issue to have it enabled.

    2 people found this answer helpful.

1 additional answer

  1. FrankEscarosBuechsel-MSFT 575 Reputation points Microsoft Employee
    2024-11-27T09:53:09.58+00:00

    Hi @EnterpriseArchitect, thank you for reaching out.

    From reading through your question, you are looking for the possible side effects and the actual process of disabling Seamless Single Sign-On.

    Seamless SSO allows the browser to create a background challenge to receive a ticket via the process described in this Learn article: How does Seamless SSO work?. Once an authentication challenge has been passed, nothing will happen until the authentication expires. On expiry, depending on the other authentication factors in play, your users may be challenged to re-authenticate; in other words, your users may be asked to enter their user name and password, and potentially other factors, again. Depending on the overall setup you are running, in the worst case this happens once their existing logins expire.

    The detailed process on how to disable Seamless SSO is described in the following Learn article: How can I disable Seamless SSO?.

    I will leave a high-level summary of that process here as well; the details for each step are referenced in the above documentation:

    1. Disable the feature on your tenant via either Entra Connect or PowerShell (Disabling Seamless SSO using PowerShell won't change the state in Microsoft Entra Connect. Seamless SSO shows as enabled in the Change user sign-in page.)
    2. Get the list of AD forests where Seamless SSO has been enabled via PowerShell (this is to complete step 3 fully; if you have a relatively small Active Directory implementation this may not be necessary for your use case).
    3. Manually delete the **AZUREADSSOACC** computer account from each AD forest that you see listed.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.
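The three steps summarized above, scripted as an added example with a status check before and after; this is not code from either answer or from Microsoft's documentation. It assumes the default Microsoft Entra Connect install path, the AzureADSSO module cmdlets referenced by the linked FAQ (New-AzureADSSOAuthenticationContext, Get-AzureADSSOStatus, Enable-AzureADSSO), the RSAT ActiveDirectory module, and that the JSON from Get-AzureADSSOStatus carries `Enable` and `Domains` fields (check the field names against your own output before relying on them).

```powershell
# Added example: disable Seamless SSO per the Learn FAQ, with pre/post verification.
# Run on the Entra Connect server as a Hybrid Identity Administrator who also has
# rights to delete computer objects in each listed forest. Assumptions: default
# install path; status JSON exposes Enable (bool) and Domains (string[]).
#Requires -Modules ActiveDirectory

$SsoModule = 'C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1'
Import-Module $SsoModule -ErrorAction Stop

# Interactive sign-in to the tenant for the AzureADSSO cmdlets.
New-AzureADSSOAuthenticationContext

# Step 0: capture the current state for the change record and for step 3.
$before = Get-AzureADSSOStatus | ConvertFrom-Json
"Seamless SSO enabled before: $($before.Enable)"
"Forests with SSO enabled:    $($before.Domains -join ', ')"

# Step 1: disable the feature on the tenant. As the accepted answer notes, this does
# not clear the checkbox in the Entra Connect wizard; the tenant state is what counts.
Enable-AzureADSSO -Enable $false

# Step 2: re-read the status and stop if the tenant still reports the feature on.
$after = Get-AzureADSSOStatus | ConvertFrom-Json
if ($after.Enable) { throw 'Seamless SSO still reports as enabled on the tenant.' }
"Seamless SSO enabled after:  $($after.Enable)"

# Step 3: remove the AZUREADSSOACC computer account from each forest listed in step 0.
# -WhatIf keeps this a dry run; drop it once the printed DNs have been reviewed.
foreach ($forestName in $before.Domains) {
    $dc   = (Get-ADDomainController -DomainName $forestName -Discover -ErrorAction Stop).HostName[0]
    $acct = Get-ADComputer -Server $dc -Filter "Name -eq 'AZUREADSSOACC'" -ErrorAction SilentlyContinue
    if (-not $acct) {
        "$forestName : no AZUREADSSOACC account found (already removed?)"
        continue
    }
    "$forestName : removing $($acct.DistinguishedName)"
    Remove-ADComputer -Identity $acct -Server $dc -Confirm:$false -WhatIf
}
```

Keep the step 0 output with the change ticket: it documents which forests held the account, so a later audit can confirm that every AZUREADSSOACC object was actually deleted.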
