With Azure AD SSO, you don’t have to type in your passwords to sign in to Azure AD, and most of the time, you don’t even need to type the username. You log into a domain-joined computer with your own credential and that’s all you need to get all apps ready, including Edge, Office apps, and Teams.

Open Azure AD Connect, click Configure, then Change user sign-in option, and go Next.

Sign in with your Office 365 Global Admin credential, and then check Enable single sign-on option.

You will need to type a Domain Admin credential as well to finish the process.

Once the sync is finished, you can check the Azure AD to make sure if the single sign-on is enabled.

Next step is to add the following URL in the Intranet Zone via Group Policy.

https://autologon.microsoftazuread-sso.com

The policy is called Site to Zone Assignment list under

User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page

While we are here, let’s also enable Allow updates to status bar via script under Intranet Zone

Finally, if you are using the new Edge browser, add the same Azure AD’s URL to the Specifies a list of servers that Microsoft Edge can delegate user credentials to the following place.

User Configuration > Administrative Templates > Microsoft Edge > HTTP authentication

That’s about as simple as I can put out. If all goes well, it does work like a charm.

Resources

Azure AD Connect: Seamless Single Sign-On – How it works | Microsoft Docs

Azure AD Connect: Seamless Single Sign-On – quickstart | Microsoft Docs

So how can I do that? Turns out, it’s pretty easy and straightforward.

Open Active Directory Users and Computers on your computer, make sure Advanced Features is checked under View tab.

Find the account, double-click it, and go to the Attribute Editor tab. Scroll down until you find one attribute called msExchHideFromAddressLists. Double-click it and set the value as True.

And then wait until the next sync cycle finishes before seeing the group or user disappearing from the list.

Assume you already have your on-premises Active Directory cleaned up and prepared for Azure AD Connect, here are the steps that would make it happen.

First off, keep the accounts that you want to convert off the OU that will be synced up with Azure AD Connect. If you already have accounts duplicated in Microsoft 365, permanently delete these accounts first before moving forward.

Then, update the Cloud account’s UPN to match the one on on-premises AD.

Once done, run the following PowerShell cmdlets to match on-premises AD’s GUID with Cloud account’s Immutable ID. Making both IDs match tells Azure AD that the account is linked with on-premises Active Directory.

Connect-MsolService
$upn = "name@domain.com"
$id = [system.convert]::ToBase64String((Get-ADUser -filter {userprincipalname -eq $UPN}).objectGUid.ToByteArray())
Set-MsolUser -UserPrincipalName $upn -ImmutableId $id

Thanks to here for the ImuutableID trick.

If you encounter any cmdlet not found error, install and import the MSOnline module first from an elevated PowerShell window.

Install-Module MsOnline

Finally, move these accounts back to the syncing OU and sync them all to Microsoft 365.

The process of setting it up isn’t hard but it’s not easy and straightforward either. Here is a quick guide on how to make it happen.

Local AD Preparation

If your local domain has the same name as the one verified in Microsoft 365, preparation is easy. All you need to do is to make sure the UPN (UserPrincipalName) attribute matches the one you are planning to use in Microsoft 365.

However, if your local AD domain is a non-routable domain such as .local, you will need to add a second UPN suffix and update your users to it. The synced accounts with .local UPN will be automatically assigned the default onmicrosoft.com domain.

To Add a new UPN suffix

First, open Active Directory Domains and Trusts. Right-click Active Directory Domains and Trusts and choose Properties.

And add a new UPN suffix in the Properties window that pops up.

To update UPN suffix for existing users

You can update it in the Account tab in each user account’s properties window. But a much better way is to use PowerShell.

$adusers = Get-ADUser - Filter * -SearchBase "OU=OU Name, DC=domain, DC=local" | Sort-Object Name
$adusers | ForEach {$_ | Set-ADUser -UserPrincipalName ($_.SamAccountName + '@domain.com')}

The IdFix tool

There are other attributes in your AD that might need to be cleaned up, such as proxyAddresses, SAMAccountName, etc. The best way is to use a tool like IdFix to identify and remediate the majority of directory synchronization errors.

You can download the tool in your Micrsoft 365 Directory Sync Status page and run it directly on your domain-joined Windows 10 computer.

An Account for Azure AD Sync

The Azure AD Connect tool will help set it up during the setup wizard but it’s easier to have it ready before you run the configuration wizard.

Create a regular domain account with a password that matches the AD’s password complicity policy. And you will have to grant the user the following two permissions. Or the password hash sync will fail.

• Replicating Directory Changes
• Replicating Directory Changes All

To do so,

1. Open Active Directory Users and Computers
2. Go to View and select Advanced Features.
3. Right-click the main domain name and choose Properties.
4. In Security tab, add the account you want to use to directory sync and Allow the above two permissions.

Azure AD Connect

Now, let’s download the Azure AD Connect, install it on the Active Directory server, and run the configuration wizard. Follow up the wizard and it should be up and running shortly.

A few notes though that I hope would help.

You can sync the entire directory or the OUs of your choice.

There two ways you can stage your AD sync process. You can either enable the Stage mode in Azure AD Connect, or filter users via a specified group.

Note that if you use the Group filter option with the selected OUs, make sure the group resides inside that OU. Or, no accounts will be sync’d up.

To force a sync to start out of the scheduled window, run the following PowerShell cmdlet.

Start-ADSyncSyncCycle -PolicyType Delta

To initiate a complete sync,

Start-ADSyncSyncCycle -PolicyType Initial

If you are seeing an error telling you that the cmdlet is not recognized, run this.

Import-module ADSync

Resources

• Microsoft 365 integration with on-premises environments
• Set up directory synchronization for Microsoft 365
• Prepare for directory synchronization to Microsoft 365
• Prepare a non-routable domain for directory synchronization
• Azure AD Connect Sync: understand and customize synchronization