Disable Entra Connect Seamless SSO

🔒 Secure Bits 💡
You might want to turn off Entra Connect Seamless SSO. Here's why.

In many hybrid Microsoft 365 tenants, Seamless SSO is still enabled — even though it's no longer needed in modern Entra ID environments.

Nothing looks broken. Users sign in just fine.
And thatโ€™s exactly why this often goes unnoticed.

🤔 Why bother?
Seamless SSO introduces an additional authentication mechanism that most environments don't actually need anymore.

Modern Windows 10/11 devices already rely on Primary Refresh Tokens (PRT) for seamless access. Keeping Seamless SSO expands attack surface unnecessarily — without delivering any value.

Seamless SSO relies on Kerberos-based authentication. It uses a special on-prem AD computer account: AZUREADSSOACC. That account holds a shared secret between on-prem AD and Entra ID. If the secret gets compromised, it weakens your identity trust boundary.

🛠️ Evaluate if you still need Seamless SSO
– Do you have Hybrid Entra Join + Windows 10/11?
– Are you trying to use modern authentication wherever you can?
– No legacy domain-joined-only scenarios?

If the answer to the above questions is yes, Seamless SSO is likely not needed.

🛡️ Disable Seamless SSO in Entra Connect Sync
– Edit the Microsoft Entra Connect configuration in the "Change user sign-in" section
– Uncheck "Enable single sign-on"
– Monitor sign-in behavior
– Validate PRT-based authentication continues to work
– Delete the AZUREADSSOACC computer account afterwards

⚠️ Important
– First, check whether Seamless SSO is active using the "Audit Kerberos Service Ticket Operations" GPO and logs
– Communicate with users before changing auth flows
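One way to do that first check before touching the sign-in configuration, as an added example that is not part of the original post: with the "Audit Kerberos Service Ticket Operations" subcategory enabled on the domain controllers, every client that still uses Seamless SSO requests a Kerberos service ticket for the AZUREADSSOACC$ account, logged as Security event 4769. The script below assumes the RSAT ActiveDirectory module, rights to read the DC Security logs, and a single forest; it reports the age of the shared secret and which users still hit the Seamless SSO path in the last 30 days.

```powershell
# Added example, not the post author's code: inventory Seamless SSO usage before disabling it.
# Assumptions: "Audit Kerberos Service Ticket Operations" is enabled on all DCs, the
# ActiveDirectory module is installed, and the caller can read remote Security logs.
param([int]$Days = 30)

Import-Module ActiveDirectory

# 1. Find the Seamless SSO computer account and report the age of its shared secret.
$sso = Get-ADComputer -Filter "Name -eq 'AZUREADSSOACC'" -Properties PasswordLastSet
if (-not $sso) {
    Write-Output 'AZUREADSSOACC not found: Seamless SSO is not (or no longer) configured here.'
    return
}
$keyAge = [int](New-TimeSpan -Start $sso.PasswordLastSet -End (Get-Date)).TotalDays
Write-Output ("AZUREADSSOACC secret last set: {0} ({1} days ago)" -f $sso.PasswordLastSet, $keyAge)

# 2. Collect 4769 events on every DC whose ServiceName is the AZUREADSSOACC$ account.
#    Each hit is a client that still authenticated through Seamless SSO in the window.
$since = (Get-Date).AddDays(-$Days)
$hits = foreach ($dc in (Get-ADDomainController -Filter *)) {
    Get-WinEvent -ComputerName $dc.HostName -FilterHashtable @{
        LogName = 'Security'; Id = 4769; StartTime = $since
    } -ErrorAction SilentlyContinue | Where-Object {
        # EventData/Data[@Name='ServiceName'] holds the requested service account.
        ([xml]$_.ToXml()).Event.EventData.Data |
            Where-Object { $_.Name -eq 'ServiceName' -and $_.'#text' -like 'AZUREADSSOACC*' }
    }
}

if (-not $hits) {
    Write-Output "No 4769 events for AZUREADSSOACC in the last $Days days: nothing still depends on it."
    return
}

# 3. Summarise remaining users so they can be moved to PRT-based sign-in before the switch.
$hits | ForEach-Object {
    $d = ([xml]$_.ToXml()).Event.EventData.Data
    [pscustomobject]@{
        Time   = $_.TimeCreated
        User   = ($d | Where-Object Name -eq 'TargetUserName').'#text'
        Client = ($d | Where-Object Name -eq 'IpAddress').'#text'
    }
} | Group-Object User | Sort-Object Count -Descending |
    Select-Object Name, Count, @{n = 'LastSeen'; e = { ($_.Group.Time | Measure-Object -Maximum Time).Maximum } } |
    Format-Table -AutoSize
```

Run it again a few days after unchecking "Enable single sign-on" to confirm the 4769 count drops to zero before deleting the account.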

✅ If you're aiming for Zero Trust and cloud-native identity, start removing authentication paths you no longer need. If a feature exists only "because it always did", it's time to question it.

💬 Have you already disabled Seamless SSO, or is it still running quietly in your environment?

๐˜ˆ๐˜ถ๐˜ต๐˜ฉ๐˜ฐ๐˜ณ ๐˜ฐ๐˜ง ๐˜ต๐˜ฉ๐˜ฆ ๐˜ฑ๐˜ฐ๐˜ด๐˜ต:
Martin Strnad