I found an article that raises concerns about Seamless SSO being a potential security risk. I've been using Azure AD Connect with Seamless SSO enabled since around 2017. This setup allows users with domain-joined machines to access Microsoft 365 apps without having to log in every time. Currently, all my users have Entra ID joined computers leveraging Windows Hello for Business for seamless access to on-premises resources. While I still have some domain-joined machines that are production systems with perpetual-license Microsoft Office apps, I'm curious if anyone here has disabled Seamless SSO in a similar setup. If you have, what was the impact on your users or network?
5 Answers
I suggest checking out this resource to help you figure out if Seamless SSO is being utilized in your tenant: nathanmcnulty.com/blog/2025/08/finding-seamless-sso-usage/
I disabled Seamless SSO in my hybrid-joined environment a couple of years ago, and it didn’t cause any issues. A couple of things to double-check: make sure your devices are hybrid joined and that Entra Connect settings are correctly syncing your AD devices. I did have a problem with devices not getting a PRT due to some firewall rules affecting the Entra Connect server. Once those were sorted out, everything fell into place. I only realized it when I saw failed Windows sign-ins in my logs, so it's worth looking into if you notice any issues.
I just disabled Seamless SSO a few weeks back due to similar concerns. Since all devices are now Entra-joined, I didn’t find it necessary anymore and removed it without any impact as expected. Everything's running smoothly!
If your clients are Entra ID joined, they should be using a Primary Refresh Token (PRT), not Seamless SSO. If you have hybrid devices, the impact of disabling Seamless SSO should be minimal. The only issue might be with your production floor machines since they're not user-assigned and might still require authentication. Just keep an eye on those.
Can someone clarify why Seamless SSO is considered a security risk? It doesn't seem to bypass MFA or conditional access based on what I've seen.

It's about potential attack surfaces. Seamless SSO can add complexity to security, and while it's not inherently bad, it can expose vulnerabilities if not monitored properly. For more details, check this URL: echeloncyber.com/intelligence/entry/cyber-threat-alert-abusing-azureadssoacc-for-pivoting-from-on-premises-active-directory-to-azure. Plus, key rotation on the AD account is recommended regularly, though it's often neglected.
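An added example, not code from any of the posters, that audits the AZUREADSSOACC computer account the last reply refers to: it reports whether Seamless SSO is present in each domain of the forest (the usage question the first answer points to) and how old its Kerberos decryption key is (the rotation the last reply says is often neglected). It assumes the ActiveDirectory RSAT module on a domain-joined admin workstation; the 30-day threshold is an assumed policy value.

```powershell
# Added example (not from the thread). Seamless SSO creates a computer account named
# AZUREADSSOACC in on-premises AD; its Kerberos key is the secret worth tracking.
Import-Module ActiveDirectory

function Get-SeamlessSsoKeyAge {
    param(
        [string]$Domain = (Get-ADDomain).DNSRoot,
        [int]$MaxAgeDays = 30   # assumed rotation policy, adjust to your own standard
    )
    # Absence of the account means Seamless SSO was never enabled here (or was cleanly removed).
    $acct = Get-ADComputer -Filter "Name -eq 'AZUREADSSOACC'" -Server $Domain `
        -Properties PasswordLastSet, ServicePrincipalNames, Enabled
    if (-not $acct) {
        return [pscustomobject]@{ Domain = $Domain; Present = $false; AgeDays = $null; Stale = $false }
    }
    # PasswordLastSet is when the Kerberos decryption key was last rolled.
    $age = (Get-Date) - $acct.PasswordLastSet
    [pscustomobject]@{
        Domain  = $Domain
        Present = $true
        Enabled = $acct.Enabled
        SPNs    = ($acct.ServicePrincipalNames -join ';')
        AgeDays = [int]$age.TotalDays
        Stale   = ($age.TotalDays -gt $MaxAgeDays)
    }
}

# Walk every domain in the forest; a Stale=True row means the key is overdue for rotation.
(Get-ADForest).Domains | ForEach-Object { Get-SeamlessSsoKeyAge -Domain $_ } | Format-Table -AutoSize

# Rotation itself is done on the Entra Connect server with Microsoft's documented module:
#   Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psm1"
#   New-AzureADSSOAuthenticationContext
#   Update-AzureADSSOForest -OnPremCredentials (Get-Credential)
```

If the account is present but the feature is no longer needed, disabling Seamless SSO in Entra Connect and then deleting the account removes the secret rather than merely rotating it.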