![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(48, 85%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAT%3C/text%3E%3C/svg%3E)
25,080 questions
Hi @Andrew Thompson · Thank you for reaching out.
As you have a Hybrid environment, I would suggest you to perform Hybrid Azure AD Join for this purpose. Now depending on if your domain is Federated(using ADFS for instance) or Managed, the steps may vary. Below are the tutorials for each scenario:
- Tutorial: Configure hybrid Azure Active Directory join for managed domains
- Tutorial: Configure hybrid Azure Active Directory join for federated domains
Once the devices are Hybrid Azure AD joined and you sign into that Windows device using Azure AD User account (synced from On-premises), you will get a PRT (Primary Refresh Token). PRT will be used to facilitate Single Sign-on when you access a cloud app federated to your Azure AD tenant on the Hybrid Joined device. Once you perform MFA (If enabled), this information will also be stored in PRT and you won't be required to do MFA again on that device.
Another option that you may consider is Seamless SSO using AD Connect.
- What is Azure Active Directory Seamless Single Sign-On?
- Azure Active Directory Seamless Single Sign-On: Quickstart
-----------------------------------------------------------------------------------------------------------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.