by Kevin Griffith
Technical Account Manager, E-N Computers
4+ years providing IT strategy and IT support
Updated December 16, 2024
Single sign-on (SSO) simplifies user authentication for end users and organizations by maintaining a single set of credentials that can be used to access multiple applications. It benefits companies looking to save time, money, and frustration on password management.
But it is even more convenient, and in most cases more secure, if users are signed into apps and services automatically. There are two ways to do this: Seamless SSO, the older mechanism for Windows 7 and 8.1, and SSO via primary refresh token (PRT) for Windows 10 and later.
If you still have Windows 7 or 8.1 in general use, we strongly recommend phasing them out as soon as possible; they no longer receive security updates from Microsoft. If you still have computers with these operating systems and they must have Seamless SSO enabled, you can find the instructions below.
Everywhere possible, you should be using Windows 10 and above. If all your computers are running at least Windows 10, you do not need to enable Seamless SSO, and you should avoid it: it adds a computer account (AZUREADSSOACC) to your Active Directory whose Kerberos decryption key is shared with Entra ID, which is one more high-value secret you must protect and rotate. Windows 10 and later use a more modern and secure implementation, SSO via primary refresh token (PRT).
In both cases, you should know about these three main components:
- Active Directory is on-premises software that maintains a directory, or list, of users, computers, and other resources, and it handles authentication for users and computers on your network.
- Entra ID, which used to be called Azure Active Directory, is a cloud-based identity and access management solution. The name was changed as part of Microsoft’s effort to unify identity access management under a single product family.
- Entra Connect synchronizes Active Directory and Entra ID so that users have a single set of credentials across local and cloud resources.
The basic SSO features you need for these instructions are included for free with Microsoft 365. Our favorite way to compare plan features is m365maps.com.
Is SSO secure and compliant?
SSO is secure and compliant with regulations like HIPAA and CMMC when implemented correctly. A few factors that help to make SSO more secure and compliant are:
- Multi-factor authentication (MFA): Using MFA with your SSO greatly improves security by requiring an additional verification, like entering a one-time code or tapping a confirmation, to complete sign-in. This is an essential access control measure when using SSO and dealing with sensitive information.
- Audit trail: Comprehensive monitoring and logging of SSO allows you to track sign-ins and detect unauthorized attempts to access systems.
- Role-based access: Assign access to role groups rather than individual users. This way people can only access and modify what they need to do their job, and access can be easily updated if their role changes.
SSO via primary refresh token (PRT) for Windows 10 and above
For devices running Windows 10 or later, Microsoft recommends SSO via primary refresh token (PRT). A PRT is issued to devices that are Microsoft Entra joined, Microsoft Entra hybrid joined, or Microsoft Entra registered. If you already have an on-premises Active Directory, you will use hybrid join: the device stays domain joined, so it keeps Kerberos access to on-premises line-of-business apps, file shares, and printers, and it also registers with Entra ID so the signed-in user receives a PRT for Microsoft 365 and other cloud apps.
To enable SSO via PRT for a hybrid environment, you need to:
- Open Entra Connect on the server where it is installed, go to Configure > Configure device options, and use the wizard to configure Microsoft Entra hybrid join for your forest.
- Create a new group policy (GPO) to enable Register domain-joined computers as devices and link it to the appropriate OU. This policy is located under Computer Configuration > Policies > Administrative Templates > Windows Components > Device Registration.
- On a domain-joined computer, open Command Prompt as the signed-in user (no elevation is needed) and run dsregcmd /status. Under Device State, both DomainJoined and AzureAdJoined should be YES. Under SSO State, AzureAdPrt should be YES; that line confirms the user actually holds a primary refresh token, and it reflects whichever account runs the command, so an elevated prompt opened as a different admin account will show that admin's state, not the user's.
Once a device is registered and a user logs in, SSO will be enabled so that they can seamlessly access Microsoft 365 without an additional login step.
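The following PowerShell script is an added example, not code from the original article or from Microsoft; it automates the dsregcmd check above by parsing the "Key : Value" lines that dsregcmd /status prints and reporting the three fields that matter for PRT-based SSO. It assumes only a Windows 10 or later device with dsregcmd.exe on the path, and it must be run in the session of the user you are checking.

```powershell
# Added example: verify hybrid join and PRT state on a Windows 10+ device.
# Run as the signed-in user, because the SSO State section of dsregcmd reflects
# the account that runs the command.

function Get-DsregStatus {
    param(
        # Pass captured output here for offline testing; by default runs dsregcmd.
        [string[]]$Lines = (& dsregcmd.exe /status)
    )
    $status = @{}
    foreach ($line in $Lines) {
        # dsregcmd prints lines such as "   AzureAdJoined : YES"; keep well-formed pairs only.
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

function Test-PrtSso {
    param([hashtable]$Status)
    $checks = [ordered]@{
        'Device is domain joined (required for hybrid join)' = ($Status['DomainJoined']  -eq 'YES')
        'Device is registered in Entra ID (AzureAdJoined)'   = ($Status['AzureAdJoined'] -eq 'YES')
        'Signed-in user holds a PRT (AzureAdPrt)'            = ($Status['AzureAdPrt']    -eq 'YES')
    }
    $allPassed = $true
    foreach ($name in $checks.Keys) {
        $pass = $checks[$name]
        if (-not $pass) { $allPassed = $false }
        $label = if ($pass) { 'PASS' } else { 'FAIL' }
        '{0} {1}' -f $label, $name
    }
    if ($Status['AzureAdPrt'] -eq 'YES' -and $Status['AzureAdPrtUpdateTime']) {
        # A stale refresh time usually means the device has not reached Entra ID recently.
        "     PRT last refreshed: $($Status['AzureAdPrtUpdateTime'])"
    }
    return $allPassed
}

$status = Get-DsregStatus
if (-not (Test-PrtSso -Status $status)) {
    Write-Warning 'PRT-based SSO is not in place for this user on this device; see the FAIL lines above.'
    exit 1
}
```

The script exits non-zero on any failed check, so it can be dropped into a login-script or RMM check. A device that shows AzureAdJoined YES but AzureAdPrt NO is registered correctly but the user has not obtained a token; a fresh sign-out and sign-in while the device can reach Entra ID normally resolves that.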
Microsoft Seamless SSO for Windows 7 and 8.1
Seamless SSO was developed by Microsoft to integrate computers running Windows 7 and 8.1 more tightly with Microsoft 365. When you set up Entra Connect and synchronize your users to Microsoft 365, you must use Password Hash Sync or Pass-through Authentication as the sign-in method; federated sign-in (AD FS) does not use Seamless SSO.
- Password Hash Sync synchronizes a salted, re-hashed form of each user's Active Directory password hash to Entra ID, so sign-in is validated in the cloud and keeps working even when your on-premises environment is down. It is the simplest and most highly available option.
- Pass-through Authentication keeps password material on-premises: Entra ID forwards each sign-in to an authentication agent you install on your network, which validates the password against your Active Directory. The cloud never holds a password-derived secret, but sign-in now depends on those agents being reachable, so deploy more than one and keep them patched.
Once that’s set up, it’s just a few quick steps to enable seamless SSO, which we outline in the next section.
Activate Single Sign-On for Microsoft 365
Log on to your Entra Connect sync server and open Entra Connect. Click Change User Sign-in, then click Next. Continue clicking Next until you reach the “Enable single sign-on” page. There you will need to provide domain admin credentials for your local AD domain in order to enable SSO (the credentials are not stored; they are only used for the setup process). The wizard uses them to create a computer account named AZUREADSSOACC in your on-premises Active Directory and to share that account's Kerberos decryption key with Entra ID, which is what lets Entra ID validate the Kerberos tickets your users' browsers present. Treat that account as a tier-0 secret: restrict who can read or reset it, and roll over its key at least every 30 days, as Microsoft recommends.
After you’ve done that, go ahead and log in to the Entra admin center. Go to Identity > Overview > Entra Connect, or type “Entra Connect” into the search box. Under “User sign-on”, you should see “Seamless single sign-on” listed as Enabled.
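As an added example (not from the original article or from Microsoft), the script below checks the on-premises side of what the wizard just did: that the AZUREADSSOACC computer account exists, that it carries the HTTP/autologon.microsoftazuread-sso.com service principal name Entra ID relies on, and how old its Kerberos decryption key is. It assumes the ActiveDirectory RSAT module is available and that the running account can read computer objects; the 30-day threshold is a local policy choice matching Microsoft's rollover recommendation.

```powershell
# Added example: audit the Seamless SSO computer account in on-premises AD.
# Requires the ActiveDirectory module (RSAT) and read access to computer objects.

Import-Module ActiveDirectory

$MaxKeyAgeDays = 30   # Microsoft recommends rolling the key at least every 30 days
$SsoSpn        = 'HTTP/autologon.microsoftazuread-sso.com'

function Get-SeamlessSsoAccountReport {
    param(
        [string]$AccountName = 'AZUREADSSOACC',
        [int]$MaxAgeDays = $MaxKeyAgeDays
    )

    # -Filter returns $null (no error) when the account does not exist.
    $acct = Get-ADComputer -Filter "Name -eq '$AccountName'" `
                -Properties PasswordLastSet, ServicePrincipalNames, Enabled

    if (-not $acct) {
        return [pscustomobject]@{
            Found   = $false
            Message = "$AccountName not found; rerun the 'Enable single sign-on' step in Entra Connect."
        }
    }

    # The account's password is the Kerberos decryption key shared with Entra ID,
    # so PasswordLastSet tells you when the key was last rolled over.
    $keyAge  = (Get-Date) - $acct.PasswordLastSet
    $ageDays = [math]::Floor($keyAge.TotalDays)
    $due     = $keyAge.TotalDays -gt $MaxAgeDays
    $message = if ($due) {
        "Kerberos decryption key is $ageDays days old; roll it over from the Entra Connect server."
    } elseif (-not $acct.Enabled) {
        "$AccountName is disabled; Seamless SSO will fail until it is enabled."
    } else {
        'OK'
    }

    [pscustomobject]@{
        Found          = $true
        Enabled        = $acct.Enabled
        HasSsoSpn      = ($acct.ServicePrincipalNames -contains $SsoSpn)
        KeyAgeDays     = $ageDays
        KeyRolloverDue = $due
        Message        = $message
    }
}

Get-SeamlessSsoAccountReport | Format-List
```

Run it from a scheduled task and alert on KeyRolloverDue, HasSsoSpn being false, or Enabled being false. The rollover itself is performed on the Entra Connect server with the Seamless SSO PowerShell module that ships with Entra Connect, not by resetting the account's password by hand.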
Adjust Local Intranet Zone for Entra SSO URL
Next, you will need to adjust your domain's Group Policy to add the Entra Seamless SSO URL to the Local Intranet zone. Windows only performs Integrated Windows Authentication, that is, silently presenting the user's Kerberos ticket, to sites in the Local Intranet zone, so without this step the browser never offers the ticket to Microsoft 365. Internet Explorer, Edge, and Chrome on Windows all honor this zone setting; Firefox does not read the Windows zone list and must be configured separately.
First, open Group Policy Management Editor as a user that has rights to edit your domain GPO. Then, create a new Group Policy that applies to the group of users who you would like to enable for SSO.
Browse to User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page, and then select Site to Zone Assignment List.
In the dialog box, enter the following:
- Value Name: https://autologon.microsoftazuread-sso.com
- Value (Data): 1
1 is the value that corresponds to the Intranet Zone in IE settings. Click OK twice, then browse to User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone.
There, locate the setting Allow updates to status bar via script and enable it. Click OK a few times, then close out of Group Policy Management.
Test out Microsoft 365 single sign-on
Log out and back in, or run gpupdate /force to refresh Group Policy. Then open Internet Explorer or Edge and browse to https://myapps.microsoft.com/yourdomain.com, where yourdomain.com is your Microsoft 365 domain. You should be signed in seamlessly and presented with the list of Microsoft 365 apps available to you. If you land on a sign-in prompt instead, the usual causes are a computer that is not domain joined, a user not yet synchronized by Entra Connect, or the SSO URL not being in the Local Intranet zone for that user.
If your users browse to https://myapps.microsoft.com/ with no domain, they will need to enter their username in the form username@yourdomain.com. This redirects them to your domain sign-in page, at which point SSO takes over and signs them in. On a computer outside your domain, they sign in with the same synchronized username and password (plus MFA, which you should have enabled).
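When the test fails, the first thing to confirm is whether the zone assignment actually reached the user. The script below is an added example, not from the original article or from Microsoft; it reads the two registry locations Windows consults for zone mapping on the client: the Group Policy zone map that the Site to Zone Assignment List setting writes, and the per-user manual zone map that a user or script sets by hand. The registry paths are the standard Internet Settings locations; the URL and zone number match the GPO values above.

```powershell
# Added example: on a client, after gpupdate, confirm the Seamless SSO URL is in the
# Local Intranet zone (zone 1) for the current user. Run as that user, not elevated
# as someone else, because both locations live under HKCU.

$SsoUrl       = 'https://autologon.microsoftazuread-sso.com'
$IntranetZone = 1   # 0 My Computer, 1 Local Intranet, 2 Trusted, 3 Internet, 4 Restricted

function Get-PolicyZone {
    # Site to Zone Assignment List stores "<url> = <zone>" string values here.
    param([string]$Url)
    $key = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
    if (-not (Test-Path $key)) { return $null }
    $value = (Get-ItemProperty -Path $key).$Url
    if ($null -eq $value) { return $null }
    return [int]$value
}

function Get-ManualZone {
    # Manual entries are keyed as Domains\<registrable domain>\<host labels>, with the
    # scheme (https) as a DWORD value holding the zone number.
    param([string]$Url)
    $uri    = [uri]$Url
    $labels = $uri.Host.Split('.')
    $domain = $labels[-2..-1] -join '.'
    $base   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    $key    = Join-Path $base $domain
    if ($labels.Count -gt 2) {
        $key = Join-Path $key ($labels[0..($labels.Count - 3)] -join '.')
    }
    if (-not (Test-Path $key)) { return $null }
    $value = (Get-ItemProperty -Path $key).($uri.Scheme)
    if ($null -eq $value) { return $null }
    return [int]$value
}

function Test-SsoIntranetZone {
    param([string]$Url = $SsoUrl)
    $policyZone = Get-PolicyZone -Url $Url
    $manualZone = Get-ManualZone -Url $Url
    # A policy entry takes precedence over a manual one when both exist.
    $effective = if ($null -ne $policyZone) { $policyZone } else { $manualZone }
    [pscustomobject]@{
        Url           = $Url
        PolicyZone    = $policyZone
        ManualZone    = $manualZone
        EffectiveZone = $effective
        InIntranet    = ($effective -eq $IntranetZone)
    }
}

$result = Test-SsoIntranetZone
$result | Format-List
if (-not $result.InIntranet) {
    Write-Warning 'SSO URL is not in the Local Intranet zone for this user; check GPO scope and run gpupdate /force.'
    exit 1
}
```

A PolicyZone of $null with the GPO linked usually means the policy is scoped to a different OU or security group than the user, or has not refreshed yet; an EffectiveZone of 3 means someone assigned the URL to the Internet zone, where the ticket will never be sent.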