We have a corp.local on-prem domain and external.org for our emails. Before we flip from Exchange on-prem to O365 we would like to get all SSO issues resolved.
We currently have two problems.
When users open Edge or Chrome browsers on their office (corp.local domain joined) workstations and navigate to portal.azure.com, they are prompted for user name and MFA which we would like to avoid and make it seamless.
We added external.org to our azure tenant and verified it via a DNS txt record.
On-prem we added external.org as an alternative UPN suffix and updated all user UPNs using PowerShell scripts (https://www.alitajran.com/change-users-upn-with-powershell/).
Azure AD Connect has been set up and the Password Hash Sync / SSO options enabled.
All on-prem user accounts have been synced to Azure; MFA was enabled on all user accounts and enforced.
To get SSO working in edge we added https://autologon.microsoftazuread-sso.com and https://aadg.windows.net.nsatc.net under Site to Zone Assignment List (Ref: https://www.alitajran.com/azure-active-directory-single-sign-on/#:~:text=Sign%20in%20on%20a%20domain-joined%20computer%20and%20start,username%20or%20password%3B%20it%20will%20automatically%20sign%20in.)
To get SSO working in Chrome we enabled "Allow automatic sign-in to Microsoft® cloud identity providers" under the Chrome GPOs.
After verifying that the GPOs had been applied to logged-on users we started testing and discovered that SSO does not work. Users are prompted to enter their emails and MFA, but not their passwords, in either of the browsers.
To bypass MFA at the office we added our public IP as an exclusion for MFA in the Azure portal (Per-user multifactor authentication -> Service Settings -> "Skip multifactor authentication for requests from following range of IP address subnets", which has our public IP in the format xxx.xx.x.xx).
Does anyone know what's missing and why users are prompted for login IDs and MFAs?
Thank you so much
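The steps in the post are all client-side prerequisites for Seamless SSO, so the quickest way to find the gap is to verify each one on an affected workstation rather than re-reading GPOs. The script below is an added example, not code from the post or from the linked articles: it runs read-only checks for the pieces the post configured (domain join, routable UPN suffix, the two SSO URLs in the Local intranet zone, the Chrome policy, and whether the on-prem KDC will actually issue a Kerberos ticket for the Seamless SSO service principal). `external.org` is taken from the post as the expected UPN suffix and is marked as an assumption; the Chrome registry value name `CloudAPAuthEnabled` is the one Chrome's enterprise policy list documents for that setting, so confirm it against the Chrome build you deploy. Run it as the prompted user on a domain-joined machine.

```powershell
# Added example (not from the original post): read-only Seamless SSO checks
# for a domain-joined Windows workstation. Run as the user who is prompted.
$SsoUrls = @('https://autologon.microsoftazuread-sso.com',
             'https://aadg.windows.net.nsatc.net')
$ExpectedUpnSuffix = 'external.org'   # ASSUMED from the post: the verified custom domain
$SsoSpn = 'HTTP/autologon.microsoftazuread-sso.com'   # SPN set on the AZUREADSSOACC object

$Results = New-Object System.Collections.Generic.List[object]
function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $Results.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}

# 1. Seamless SSO only works from a domain-joined machine with a line of sight to a DC.
$cs = Get-CimInstance Win32_ComputerSystem
Add-Check 'Domain joined' $cs.PartOfDomain $cs.Domain

# 2. The signed-in user's UPN suffix must be the routable domain synced to the tenant,
#    not corp.local, or the cloud sign-in page cannot match the on-prem identity.
$upn = (whoami /upn 2>$null)
Add-Check 'UPN suffix routable' ($upn -like "*@$ExpectedUpnSuffix") "$upn"

# 3. The Site to Zone Assignment List policy writes each URL as a value under
#    ZoneMapKey with data "1" (Local intranet). The GPO may be applied per computer
#    or per user, so check both hives. Edge and Chrome on Windows both consult this
#    zone when deciding whether to send a Kerberos/Negotiate ticket.
foreach ($url in $SsoUrls) {
    $hostName = ([uri]$url).Host
    $found = $false
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $key = "$hive\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey"
        $val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).$url
        if ($val -eq '1') { $found = $true }
    }
    $detail = if ($found) { 'zone 1 via policy ZoneMapKey' } else { 'not present in policy ZoneMapKey' }
    Add-Check "Intranet zone: $hostName" $found $detail
}

# 4. Chrome policy "Allow automatic sign-in to Microsoft cloud identity providers".
#    Value name per Chrome's enterprise policy list; verify for your Chrome version.
$chromeVal = (Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Google\Chrome' -ErrorAction SilentlyContinue).CloudAPAuthEnabled
Add-Check 'Chrome CloudAPAuthEnabled = 1' ($chromeVal -eq 1) "value: $chromeVal"

# 5. Ask the KDC for a service ticket to the SSO SPN. klist's exit code is not
#    reliable, so parse its output for the Server line instead.
$klistOut = klist get $SsoSpn 2>&1 | Out-String
$ticketOk = $klistOut -match ('Server:\s+' + [regex]::Escape($SsoSpn))
$detail = if ($ticketOk) { 'KDC issued a ticket for the SSO SPN' }
          else { 'no ticket issued; check the AZUREADSSOACC object and its SPNs' }
Add-Check 'Kerberos ticket for SSO SPN' $ticketOk $detail

# 6. Optional server-side check when RSAT's ActiveDirectory module is installed:
#    the AZUREADSSOACC computer object that Azure AD Connect creates must exist
#    and carry the SSO SPN, otherwise step 5 can never succeed.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    $acct = Get-ADComputer -Filter "Name -eq 'AZUREADSSOACC'" -Properties ServicePrincipalName -ErrorAction SilentlyContinue
    $hasSpn = [bool]($acct -and ($acct.ServicePrincipalName -contains $SsoSpn))
    $detail = if ($acct) { $acct.ServicePrincipalName -join ', ' } else { 'AZUREADSSOACC not found in AD' }
    Add-Check 'AZUREADSSOACC object with SSO SPN' $hasSpn $detail
}

$Results | Format-Table -AutoSize
```

Two readings of the output help interpret what the post describes. If every check passes, the Kerberos leg is healthy; with Seamless SSO the user is still asked for their username on the sign-in page unless the application passes a login or domain hint, and only the password prompt is skipped, which matches the symptom in the post. The MFA prompt is a separate decision made by the per-user MFA trusted-IP setting and any Conditional Access policy in the tenant; this script does not inspect those, so confirm in the portal that the listed public IP is the egress address the workstations actually present and that no Conditional Access policy is requiring MFA regardless of location.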