Improving your Office 365 sign-in experience using Azure AD Seamless Sign-On

Introduced in 2013, Password Hash Sync for Azure AD and Office 365 makes it easy to connect your local Active Directory environment to Office 365 and not only synchronize accounts, but also let users sign in using their Active Directory password.

This is not without its limitations though. When users sign in to Office 365, they will still be prompted for their password even if they have already signed in to their computer. This will be the case when signing in for the first time in Office, Skype for Business and Outlook, and when logging in through the web browser.

To avoid re-typing passwords and provide single sign-on (SSO), the typical solution has been to use Active Directory Federation Services (AD FS), which traditionally helped with web browser SSO and Office sign-in but did not altogether solve login prompts in Outlook or Skype for Business.

These days there are a number of solutions to the problem of single sign-on. Combined with Modern Authentication and up-to-date Office clients, it’s relatively easy to provide full single sign-on without using AD FS.

Modern Authentication is crucial to enabling this experience because it uses a web browser-based sign-in within the Office applications, which allows Windows Integrated Authentication to work.

If you are running Windows 10 clients, then you can configure Azure AD join via Group Policy, in combination with re-configuring your Azure AD Connect implementation to register devices in Azure AD. This will automatically sign in clients to Office 365 when they log on to the PC.

But if you aren’t running Windows 10 on all your devices, and many organizations aren’t, then you need to use Azure AD Seamless Sign-On to allow your Windows 7 or higher clients to perform SSO to Office 365 using Office 2013 or higher, Internet Explorer, Google Chrome or Firefox.

Seamless Sign-On works by registering a special computer account in your Active Directory. That account is used as a proxy to allow Windows Integrated Authentication to work against specific URLs in Azure AD and sign a user in the same way they can on an intranet site.

In this article, we’ll configure Azure AD Connect to perform Seamless Sign-On, configure our Office 365 tenant to support Modern Authentication, and examine the client experience.

Read the rest of the article on SearchExchange…