Dec 2017

AAD Connect with pass-through authentication and (really) seamless single sign on

– aka “Users don’t want to click their username to access resources”

You’re reading this because you’ve either already discovered the headache below and you’re looking for a work around, or your about to discover the headache below and are just really ahead of the curve at anticipating challenges; good for you!

Let’s start at the beginning, installing and configure Azure AD Connect  (AAD Connect) with Passthrough Authentication and Seamless Single Sign on (SSO) is detailed really well in this article.

To summarise:

  1. Check the pre-requisites
  2. Install AAD Connect on two servers if you’d like some redundancy

NB: Configure one server to be in Staging Mode

  1. Run the wizard again and enable Passthrough Authentication and SSO
  2. Configure your proxy, firewall, Kerberos key rollover and group policy trusted sites
  3. Triumphantly show everyone your handiwork and have them complain that they still have to click their username to access resources.
  4. Sad donuts

All is not lost, we had this happen and there are two ways to give your users a better experience; Smart Links and Azure Active Directory Joined Devices.

Smart links:

In our case, users wanted to open SharePoint Online links and have the resource open with no credential prompts like they would have when SharePoint was on premises. If your users are on the WAN (either directly or via Direct Access) this can work really well and is easy to implement.

In this Microsoft Video about SSO, they’re making use of Smart Links to avoid credential prompts (well spotted Craig)

Once you have AAD Connect and Passthrough Auth with SSO configured:

  • Open the test Smart Link URL
  • Confirm that the user is signed in automatically and no credential prompts are displayed

NB: You can test further by opening the same link in private browsing mode where you will be prompted for credentials

  • Once you’ve connected to an Office 365 resource using a smart link, you can open any of the Office 365 resources and sign in seamlessly until that browser session has been closed.
    For example, go to or Http://

If that works for you, the easiest way to make sure your users always have a seamless experience is to set one of their home page tabs to be a smart link URL.


Option 2, Azure Active Directory Joined Devices

You can also take advantage of Windows Azure Active Directory Joined Devices There’s a great post that will give you the background on AAD Joined Devices here.

While Windows Azure Active Directory Joined Devices is only natively available for Windows 10 Creator update, Windows 7 and above machines are supposed to be supported by installing workplace join. However, we haven’t had great success with this so far.

If you have Azure Active Directory Joined Devices configured, Seamless Single Sign on is a breeze. If for some reason a user’s machine hasn’t joined automatically, follow these steps:

  • On the workstation open Settings > Accounts> Add Work or School Account
  • Remove any accounts that are there
  • Add your work account


If you’d like me to write a more detailed post on configuring AAD Connect Passthrough Auth and SSO let us know

Simone and Jian.

2 Responses to “AAD Connect with pass-through authentication and (really) seamless single sign on”

  1. Simon Jackson

    I did everything up until your Sad Donuts comment. :
    Unfortunately, users still have to activate MS Office 365 (desktop products) using their maually typed email address. Trusted Sites and Intranet sites are added, especially the SSO URLs.


    • Jian An Lim

      Hi Simon,

      This Seamless SSO feature is now live in production. For this feature to work, you need Office client versions 16.0.8730.xxxx and above. No GPO for automatic activation needs to be set for this feature to work.


Leave a Reply