When it comes to enabling Single Sign-On (SSO) on Windows devices, understanding the differences between Primary Refresh Token (PRT) and Seamless SSO is crucial. Both approaches have their strengths and are tailored to specific scenarios. Here’s what IT Pros need to know.

Seamless SSO: the legacy option

Seamless SSO is designed for older operating systems such as Windows 7 and Windows 8.1. It provides an effortless sign-on experience for users in environments where devices are:

  • Domain-Joined: Seamless SSO requires devices to be connected to an Active Directory domain.

Limitations:

  • Seamless SSO is not used on Windows 10/11 devices that are Microsoft Entra Joined or Hybrid Joined.
Seamless SSO needs the user's device to be domain-joined, but it isn't used on Windows 10 [and 11] Microsoft Entra joined devices or Microsoft Entra hybrid joined devices.

source : https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-sso#sso-via-primary-refresh-token-vs-seamless-sso

When reading this, you might think, "This might be useless in my environment," and you might be right 😄.

  • Seamless SSO also requires the password of the AZUREADSSOACC account to be periodically renewed, adding an extra layer of management and a potential security risk. By moving away from Seamless SSO, you eliminate this concern and simplify security management.
  • Additionally, Seamless SSO necessitates managing specific registry keys for proper configuration like autologon.microsoftazuread-sso.com adding complexity to its implementation (https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-sso-quick-start)

Primary Refresh Token (PRT): the go-to for modern windows systems

For Windows 10, Windows Server 2016, and later versions, SSO via Primary Refresh Token (PRT) is the recommended solution. PRT works seamlessly on devices registered with Microsoft Entra ID. This includes:

  • Microsoft Entra Hybrid Joined Devices: Domain-joined devices synced to Microsoft Entra ID.
  • Microsoft Entra Joined Devices: Devices directly registered with Microsoft Entra ID.
  • Personal Registered Devices: Configured through the "Add Work or School Account" feature.

Key Benefits of PRT-Based SSO:

  • Modern Authentication: PRT leverages token-based authentication, reducing reliance on legacy protocols.
  • Broad Compatibility: Works across hybrid and cloud-only environments.
  • Enhanced Security: Supports features like Conditional Access and Multifactor Authentication.

For detailed guidance, refer to Microsoft’s documentation: https://learn.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token.

How to Remove Seamless SSO

To completely remove Seamless SSO from your environment, follow these steps:

  1. Disable the Seamless SSO feature in Microsoft Entra Connect Sync (formerly known as Azure AD Connect).
  2. Remove the AZUREADSSOACC object from Active Directory.
  3. Delete the registry keys associated with Seamless SSO configuration.

These actions ensure a clean removal of the feature, reducing legacy dependencies and potential security risks. For any additional guidance or support, feel free to contact me.

Microsoft 365
Previous Post Pourquoi vous devriez arrêter d'utiliser Seamless SSO si vous avez Hybrid or Entra ID Join
Next Post Ou télécharger CMTrace ?

Comments

banner-Bastien Perez
Bastien Perez's avatar

Freelance Microsoft 365 - Active Directory - Modern Workplace

France