Once your users are synchronized to Office 365, they’ll be able to log in with the same username and password that they use at work. But, to make things even easier for your users, you can enable Seamless Single Sign-On (SSO). Seamless SSO automatically signs users into Office 365 using their on-prem Active Directory credentials, meaning that they won’t be repeatedly asked for their password by Office 365 once they’ve signed in to their work computer.
To enable SSO, you’ll need to have set up Azure AD Connect and synchronized your users to Office 365, either using Password Hash Sync or Pass Through-Authentication. Once that’s set up, though, it’s just a few quick steps to enable SSO and make life easy for your users.
Activate Single Sign-On for Office 365
Log on to your AD Connect sync server and open Azure AD Connect. Click Change User Sign-in, then click Next. Continue clicking Next until you reach the “Enable single sign-on” page. From there, you’ll need to provide domain admin credentials for your local AD domain in order to enable SSO (don’t worry — the credentials aren’t stored, they’re only used for the setup process).
After you’ve done that, go ahead and log in to the Azure AD Administrative Center. Select Azure Active Directory, then Azure AD Connect. Under “User sign-on”, you should see “Seamless single sign-on” listed as Enabled.
Adjust Local Intranet Zone
Next up, you’ll need to adjust your domain’s Group Policy to add the Azure SSO URL to the Local Intranet zone. This tells Internet Explorer, Edge, and Chrome that it’s OK to pass the user’s Kerberos ticket to Office 365, since by default this is only allowed for websites that are internal to your network.
First, open Group Policy Management Editor as a user that has rights to edit your domain GPO. Then, create a new Group Policy that applies to the group of users who you would like to enable for SSO.
Browse to User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page, and then select Site to Zone Assignment List.
In the dialog box, enter the following:
Value Name: https://autologon.microsoftazuread-sso.com
Value (Data): 1
1 is the value that corresponds to the Intranet Zone in IE settings. Click OK twice, then browse to User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone.
There, locate the setting Allow updates to status bar via script and enable it. Click OK a few times, then close out of Group Policy Management.
Test It Out
Log out and back in, or do a GPUpdate to refresh group policy. Then, open up Internet Explorer or Edge, and browse to https://myapps.microsoft.com/yourdomain.com, where yourdomain.com is your Office 365 domain. At that point, you should be seamlessly signed in, and presented with a list of Office 365 apps available to you.
If your users browse to https://myapps.microsoft.com/ with no domain, they’ll need to enter their username in the form firstname.lastname@example.org. This will redirect them to your domain sign-in page, at which point SSO will take over to log them in. And of course if they’re on a computer outside your domain, they can log in using their domain username and password too.