Seamless SSO and AD FS Migration
Seamless Single Sign-On (Seamless SSO) and Active Directory Federation Services (AD FS) Migration are critical concepts in Microsoft Identity and Access Administration. **Seamless SSO** is a feature in Azure Active Directory (Azure AD) that automatically signs users in when they are on corporate devices connected to the on-premises Active Directory domain. Once enabled, users do not need to type their passwords or even their usernames to sign in to Azure AD-based resources. It works with domain-joined devices and leverages Kerberos authentication. When a user attempts to access a cloud resource, Azure AD sends a Kerberos authentication challenge. The on-premises AD issues a Kerberos ticket, which is forwarded to Azure AD, granting access without additional prompts. Seamless SSO works with both Password Hash Synchronization (PHS) and Pass-Through Authentication (PTA), providing a frictionless user experience. It does not require any additional infrastructure and can be enabled through Azure AD Connect. **AD FS Migration** refers to the process of moving authentication from an on-premises AD FS infrastructure to Azure AD. Organizations traditionally used AD FS for federated identity management, but maintaining AD FS servers requires significant infrastructure, cost, and complexity. Microsoft recommends migrating to Azure AD for simplified management, enhanced security features like Conditional Access and MFA, and reduced on-premises footprint. The migration process involves using the **AD FS Application Migration tool** in Azure AD, which analyzes AD FS relying party trusts and assesses their compatibility with Azure AD.
Applications are categorized based on migration readiness. Administrators then reconfigure authentication methods — switching from federation to managed authentication (PHS or PTA). Claims rules are mapped to Azure AD equivalents, and staged rollout can be used to test migration with specific groups before full cutover. Together, Seamless SSO and AD FS Migration help organizations modernize their identity infrastructure by reducing dependency on on-premises systems while improving security, user experience, and administrative efficiency within the Microsoft cloud ecosystem.
Seamless SSO and AD FS Migration: A Comprehensive Guide for SC-300
Why Is Seamless SSO and AD FS Migration Important?
Many organizations historically relied on Active Directory Federation Services (AD FS) to provide single sign-on (SSO) capabilities for their users accessing cloud services like Microsoft 365 and Azure. While AD FS served this purpose well, it introduces significant infrastructure overhead, requires dedicated servers, demands ongoing maintenance, and presents a potential single point of failure. Migrating away from AD FS to simpler, cloud-managed authentication methods — such as Password Hash Synchronization (PHS) or Pass-Through Authentication (PTA) combined with Seamless SSO — reduces complexity, improves security posture, lowers costs, and shifts the authentication responsibility to Microsoft Entra ID (formerly Azure AD).
For the SC-300 exam, understanding this migration path is critical because Microsoft emphasizes modern identity management, and knowing how to transition from federated authentication to managed authentication is a core competency expected of an Identity and Access Administrator.
What Is Seamless SSO?
Microsoft Entra Seamless Single Sign-On (Seamless SSO) automatically signs users in when they are on their corporate devices connected to the corporate network. When enabled, users don't need to type in their passwords to sign in to Microsoft Entra ID, and usually don't even need to type in their usernames. This feature provides easy access to cloud-based applications without needing any additional on-premises infrastructure beyond what Azure AD Connect provides.
Key characteristics of Seamless SSO include:
- It works with Password Hash Synchronization (PHS) or Pass-Through Authentication (PTA) as the sign-in method.
- It uses Kerberos authentication behind the scenes to silently authenticate domain-joined users.
- It creates a computer account named AZUREADSSOACC in on-premises Active Directory, and its Kerberos decryption key is shared securely with Microsoft Entra ID.
- It is not applicable to Active Directory Federation Services (AD FS) — it is specifically an alternative to AD FS for providing an SSO experience.
- It works on domain-joined devices (Windows 7, 8.1, 10, 11) using browsers like Edge, Chrome (with the Windows 10 Accounts extension), and Firefox.
What Is AD FS?
Active Directory Federation Services (AD FS) is a federated identity solution that provides on-premises authentication for users accessing cloud services. With AD FS, authentication requests to Microsoft Entra ID are redirected to an on-premises AD FS farm, where the user is authenticated locally. AD FS issues a security token that is then presented to Microsoft Entra ID.
While AD FS provides powerful capabilities such as certificate-based authentication and third-party MFA integration, it comes with drawbacks:
- Infrastructure complexity: Requires dedicated AD FS servers, Web Application Proxy (WAP) servers, load balancers, and SSL certificates.
- High availability requirements: Must be designed with redundancy to avoid becoming a single point of failure.
- Maintenance overhead: Ongoing patching, certificate renewals, and monitoring.
- Security risk: An on-premises compromise can impact cloud authentication.
Why Migrate from AD FS to Seamless SSO (Managed Authentication)?
Microsoft recommends migrating from AD FS to managed authentication for several compelling reasons:
- Simplified architecture: Eliminates the need for AD FS server infrastructure.
- Improved reliability: Microsoft Entra ID handles authentication with built-in high availability and global redundancy.
- Better security: Features like Smart Lockout, IP lockout, and password protection are natively available with managed authentication.
- Conditional Access: Full compatibility with Microsoft Entra Conditional Access policies.
- Modern MFA: Native integration with Microsoft Entra MFA without third-party solutions.
- Reduced costs: No need to maintain on-premises federation infrastructure.
How Does the Migration Work?
The migration from AD FS to managed authentication with Seamless SSO follows a structured process:
Step 1: Preparation and Planning
- Inventory all applications and relying party trusts currently configured in AD FS.
- Use the AD FS application activity report in Microsoft Entra ID to identify which applications can be migrated and which may need additional configuration.
- Identify any claims rules, custom authentication rules, or access control policies that need to be replicated in Microsoft Entra ID.
- Ensure Azure AD Connect is deployed and properly synchronizing identities.
Step 2: Choose the Managed Authentication Method
- Password Hash Synchronization (PHS): Recommended by Microsoft as the simplest and most resilient option. A hash of the user's password hash is synchronized to Microsoft Entra ID. Authentication happens entirely in the cloud.
- Pass-Through Authentication (PTA): Authentication requests are forwarded to on-premises agents that validate credentials against Active Directory. Passwords never leave the on-premises environment.
Step 3: Enable Seamless SSO
- Seamless SSO is enabled through Azure AD Connect configuration.
- The AZUREADSSOACC computer account is created in Active Directory.
- Group Policy or Intune is used to add Microsoft Entra ID URLs to the users' Intranet zone settings (for browser-based Kerberos authentication).
- URLs to add to Intranet zone: https://autologon.microsoftazuread-sso.com and https://aadg.windows.net.nsatc.net
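The Intranet zone assignment in Step 3 is the part that most often silently fails: if either URL is missing from the Local intranet zone, the browser never sends the Kerberos ticket and users get a password prompt instead. The PowerShell script below is an added example (not from this guide or from Microsoft) that audits a Windows client for the two URLs. It assumes the zone assignments were delivered by the "Site to Zone Assignment List" policy, which writes one REG_SZ value per URL under the ZoneMapKey path shown; zone value 1 means Local intranet. If you deliver the setting another way, adjust the registry paths.

```powershell
# Added example (not part of the original guide): audit whether the two Seamless SSO
# URLs are assigned to the Local intranet zone (value 1) on this Windows client.
# Assumption: the "Site to Zone Assignment List" policy writes its entries under the
# ZoneMapKey paths below (machine scope and user scope).

$RequiredUrls = @(
    'https://autologon.microsoftazuread-sso.com',
    'https://aadg.windows.net.nsatc.net'
)

$PolicyPaths = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
)

function Get-SeamlessSsoZoneStatus {
    foreach ($url in $RequiredUrls) {
        $zone = $null
        foreach ($path in $PolicyPaths) {
            if (-not (Test-Path $path)) { continue }
            $item = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
            # Value names in ZoneMapKey are the URLs themselves; data is the zone number as a string.
            if ($null -ne $item -and $item.PSObject.Properties.Name -contains $url) {
                $zone = [int]$item.$url
                break
            }
        }
        [pscustomobject]@{
            Url       = $url
            Zone      = $zone                 # $null when no policy entry exists
            Compliant = ($zone -eq 1)         # 1 = Local intranet, where Kerberos is sent silently
        }
    }
}

$status = Get-SeamlessSsoZoneStatus
$status | Format-Table -AutoSize

if ($status.Compliant -contains $false) {
    Write-Warning 'At least one Seamless SSO URL is not in the Local intranet zone; silent Kerberos sign-in will fall back to a password prompt for this user.'
}
```

Run it in the context of the affected user (the HKCU path is per user), and compare the output against the Group Policy or Intune assignment you expect to be applied.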
Step 4: Staged Rollout (Recommended)
- Microsoft provides a staged rollout feature that allows you to test managed authentication with specific groups of users while the domain remains federated.
- This allows validation without impacting all users at once.
- Users in the staged rollout group authenticate using PHS or PTA instead of AD FS.
Step 5: Convert Domains from Federated to Managed
- Use the Convert-MsolDomainToManaged PowerShell cmdlet (legacy) or Azure AD Connect to convert the domain from federated to managed.
- Alternatively, use Microsoft Graph PowerShell or the Microsoft Entra admin center.
- After conversion, all authentication for the domain is handled by Microsoft Entra ID using the chosen method (PHS or PTA) with Seamless SSO.
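Before and after the conversion in Step 5 you want a tenant-wide view of which verified domains are still federated, since any domain left federated keeps AD FS in the sign-in path. The script below is an added example (not from this guide or from Microsoft's migration tooling) that reports each verified domain's authentication type with Microsoft Graph PowerShell. It assumes the Microsoft.Graph.Identity.DirectoryManagement module is installed and the operator can consent to Domain.Read.All; the conversion itself is only referenced in a comment, using the legacy cmdlet this guide names.

```powershell
# Added example (not part of the original guide): list every verified domain in the
# tenant with its authentication type so federated domains can be tracked through Step 5.
# Assumptions: Microsoft.Graph.Identity.DirectoryManagement is installed and the signed-in
# account can consent to Domain.Read.All.

Import-Module Microsoft.Graph.Identity.DirectoryManagement
Connect-MgGraph -Scopes 'Domain.Read.All'

function Get-DomainAuthenticationReport {
    Get-MgDomain -All |
        Where-Object { $_.IsVerified } |
        ForEach-Object {
            [pscustomobject]@{
                Domain             = $_.Id
                AuthenticationType = $_.AuthenticationType          # 'Managed' or 'Federated'
                IsDefault          = $_.IsDefault
                StillFederated     = ($_.AuthenticationType -eq 'Federated')
            }
        }
}

$report = Get-DomainAuthenticationReport
$report | Format-Table -AutoSize

$federated = $report | Where-Object StillFederated
if ($federated) {
    Write-Host "Domains still routed through AD FS: $($federated.Domain -join ', ')"
    # The conversion itself is done from Azure AD Connect or, with the legacy MSOnline
    # module named in this guide, Convert-MsolDomainToManaged -DomainName <domain>.
    # Run it only after the staged rollout for that domain has been validated, because
    # every user in the domain switches to PHS or PTA at that moment.
} else {
    Write-Host 'All verified domains are managed; AD FS is no longer in the sign-in path.'
}
```

Run the report once before the cutover to record the starting state, and again afterwards to confirm that no verified domain still reports Federated before you proceed to Step 7.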
Step 6: Migrate Applications
- Move relying party trusts from AD FS to Microsoft Entra ID by registering applications as enterprise applications.
- Configure SAML-based SSO, OAuth/OIDC, or other protocols as needed in Microsoft Entra ID.
- Test each application thoroughly after migration.
Step 7: Decommission AD FS
- After all users and applications have been migrated and validated, decommission the AD FS infrastructure.
- Remove DNS records, decommission servers, and clean up any related configurations.
How Seamless SSO Works Technically
1. A user on a domain-joined device tries to access a cloud resource (e.g., Microsoft 365).
2. The user is redirected to the Microsoft Entra ID sign-in page.
3. Microsoft Entra ID challenges the browser with a Kerberos ticket request (via a 401 response targeting the AZUREADSSOACC account).
4. The user's device obtains a Kerberos service ticket from the on-premises domain controller for the AZUREADSSOACC computer account.
5. The Kerberos ticket is sent to Microsoft Entra ID.
6. Microsoft Entra ID decrypts the ticket using the shared Kerberos decryption key and validates the user's identity.
7. The user is silently signed in without entering credentials.
Important Security Consideration: The Kerberos decryption key for the AZUREADSSOACC account should be rolled over (rotated) at least every 30 days to maintain security. This is a frequently tested point on the exam.
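The 30-day rollover above (and the reminder in Tip 3 below) is easy to state and easy to forget, because nothing in the sign-in flow breaks when the key ages. The script below is an added example (not from this guide or from Microsoft) that measures the key's age and performs the rollover when it is due. It assumes it runs on the Azure AD Connect server as a Domain Admin, that the AzureADSSO module sits in the default Azure AD Connect install folder, that the computer account's PasswordLastSet reflects the last rollover (the rollover resets that account's key), and that the $MaxKeyAgeDays threshold is the one chosen here.

```powershell
# Added example (not part of the original guide): check how old the AZUREADSSOACC Kerberos
# decryption key is and roll it over once it reaches the 30-day recommendation.
# Assumptions: run on the Azure AD Connect server as a Domain Admin; the AzureADSSO module
# lives at the default Azure AD Connect path; PasswordLastSet on the computer account is
# treated as the time of the last rollover; $MaxKeyAgeDays is a locally chosen threshold.

Import-Module ActiveDirectory
$MaxKeyAgeDays = 30

function Get-SeamlessSsoKeyAge {
    $acct = Get-ADComputer -Identity 'AZUREADSSOACC' -Properties PasswordLastSet
    $ageDays = [int]((Get-Date) - $acct.PasswordLastSet).TotalDays
    [pscustomobject]@{
        Account         = $acct.Name
        PasswordLastSet = $acct.PasswordLastSet
        AgeDays         = $ageDays
        RotationDue     = ($ageDays -ge $MaxKeyAgeDays)
    }
}

$keyAge = Get-SeamlessSsoKeyAge
$keyAge | Format-List

if ($keyAge.RotationDue) {
    Write-Warning "Kerberos decryption key is $($keyAge.AgeDays) days old; rolling it over."

    Import-Module "$env:ProgramFiles\Microsoft Azure Active Directory Connect\AzureADSSO.psd1"

    # Prompts for a cloud administrator account authorised to manage Seamless SSO.
    New-AzureADSSOAuthenticationContext

    # Domain Admin credentials must be given in SAM format (CONTOSO\admin or contoso.com\admin).
    # Update-AzureADSSOForest resets the AZUREADSSOACC key in on-premises AD and pushes the
    # new key to Microsoft Entra ID in one step.
    $onPremCreds = Get-Credential -Message 'Domain Admin credentials for the key rollover'
    Update-AzureADSSOForest -OnPremCredentials $onPremCreds

    # Confirm the feature is still enabled for the forest after the rollover.
    Get-AzureADSSOStatus
}
```

Schedule the check to run regularly and alert on RotationDue; leave the interactive rollover itself to a change window, since the cmdlets prompt for privileged credentials.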
Key Differences: AD FS vs. Seamless SSO with Managed Auth
- AD FS: Federated authentication; on-premises infrastructure required; authentication happens on-premises; complex to maintain.
- PHS + Seamless SSO: Cloud authentication; minimal on-premises footprint; most resilient; Microsoft-recommended approach.
- PTA + Seamless SSO: Hybrid authentication; requires on-premises agents; passwords validated on-premises; suitable when organizational policy prohibits password hashes in the cloud.
Exam Tips: Answering Questions on Seamless SSO and AD FS Migration
Tip 1: Know the authentication methods and when to use each.
PHS is Microsoft's recommended default. PTA is used when passwords must not leave on-premises. AD FS is used only when advanced scenarios require it (e.g., smart card authentication, third-party MFA that cannot be replaced). If a question asks for the simplest or most resilient method, choose PHS + Seamless SSO.
Tip 2: Understand staged rollout.
Staged rollout allows testing managed authentication for specific groups while the domain remains federated. Questions may describe a scenario where an admin wants to test PHS for a pilot group before full migration — the answer is staged rollout.
Tip 3: Remember the AZUREADSSOACC computer account.
This is the key artifact that Seamless SSO creates in on-premises AD. Exam questions may reference this account, especially regarding Kerberos key rotation. Remember: rotate at least every 30 days.
Tip 4: Know the prerequisites for Seamless SSO.
Seamless SSO requires Azure AD Connect, domain-joined devices, and Intranet zone configuration for the required URLs. It does not work with AD FS (it replaces the need for AD FS).
Tip 5: Understand the AD FS application activity report.
This report in the Microsoft Entra admin center identifies AD FS relying party trusts and evaluates their readiness for migration to Microsoft Entra ID. If a question asks how to assess migration readiness, this is the answer.
Tip 6: Know the conversion commands.
Converting a domain from federated to managed can be done via Azure AD Connect or PowerShell. The legacy command is Convert-MsolDomainToManaged. Be aware that after conversion, all users in that domain authenticate via the managed method.
Tip 7: Seamless SSO does not work for all scenarios.
It does not work on macOS or mobile devices. It works best on Windows domain-joined devices on the corporate network. For devices not on the corporate network, other SSO mechanisms (like Primary Refresh Token or device registration) apply.
Tip 8: Watch for AD FS decommissioning order.
Always migrate all applications and users first, validate everything, and then decommission AD FS. Never decommission AD FS while relying party trusts are still active. Questions testing migration order will expect this logical sequence.
Tip 9: PHS provides a fallback mechanism.
Even when using PTA as the primary authentication method, Microsoft recommends enabling PHS as a backup. If PTA agents become unavailable, PHS can serve as a disaster recovery authentication method. This is a common exam scenario.
Tip 10: Conditional Access and MFA integration.
One major advantage of managed authentication over AD FS is tighter integration with Microsoft Entra Conditional Access and built-in MFA. Questions contrasting AD FS custom claims rules with Conditional Access policies will favor the managed authentication approach as the modern, recommended solution.
Summary
Migrating from AD FS to managed authentication (PHS or PTA) with Seamless SSO is a critical modernization step that simplifies identity infrastructure, enhances security, and improves user experience. For the SC-300 exam, focus on understanding the migration process, the technical workings of Seamless SSO, the differences between authentication methods, and the tools Microsoft provides (staged rollout, application activity reports, Azure AD Connect) to facilitate a smooth transition. Always remember that Microsoft's recommended approach is PHS + Seamless SSO for maximum simplicity and resilience.