How to Remove Stale Seamless SSO Forest

Question

How to Remove Stale Seamless SSO Forest

Andrew Steidl 0

We are experiencing an issue with Seamless Single Sign-On (SSO) in our Entra Connect environment. The Microsoft Entra Connect wizard reports:

Cannot retrieve single sign-on status

Environment Details

Entra Connect Version: 2.6.1
Windows Server version: Server 2019 Std

Actions Already Taken

Attempted to disable SSO using AzureADSSO module:

Disable-AzureADSSOForest -DomainFqdn xxxxxxxx.com

Result: Failed with error One or more errors occurred.

We suspect the root cause of this is that the AZUREADSSOACC computer account was moved out of its default location and the kerberos trust is now stale/broken.

The end goal is to get SSO functional again.

1 answer

Your answer

Answer 1

To remove a stale Seamless SSO forest and resolve issues with the AZUREADSSOACC computer account, follow these steps:

Check the Status of Seamless SSO: Ensure that the Seamless SSO feature is still enabled on your tenant. You can verify this by going to the Entra ID > Entra Connect > Connect Sync pane in the Microsoft Entra admin center.
Disable Seamless SSO: If you have not already done so, you may need to disable Seamless SSO using PowerShell. Run the following commands on the on-premises server where you're running Microsoft Entra Connect:
- Import the Seamless SSO PowerShell module:
```
     Import-Module .\AzureADSSO.psd1
```
- Run PowerShell as an Administrator and call:
```
     New-AzureADSSOAuthenticationContext
```
- Enter your tenant's Hybrid Identity Administrator credentials when prompted.
- Disable SSO:
```
     Disable-AzureADSSOForest -DomainFqdn <YourDomainFqdn>
```
Check for Errors: If you encounter errors while disabling the forest, ensure that the domain administrator account used is not a member of the Protected Users group, as this can cause the operation to fail.
Manual Cleanup: If the AZUREADSSOACC computer account was moved, you may need to manually delete it from the Active Directory forest. Use the following command to check the status of the forests:
```
   Get-AzureADSSOStatus
```
This will provide you with a list of Active Directory forests where Seamless SSO is enabled.
Re-enable Seamless SSO: After cleaning up the stale forest, you can re-enable Seamless SSO if needed using the appropriate PowerShell commands or through the Microsoft Entra Connect wizard.

By following these steps, you should be able to resolve the stale SSO forest issue and restore functionality.

References:

Andrew Steidl 0 Reputation points

2026-02-19T16:41:36.21+00:00

PS C:\Windows\system32> Disable-AzureADSSOForest -DomainFqdn xxxxxxxxxxx.com

[11:38:12.169] [ 10] [INFORMATIONAL] Disabling SSO 'xxxxxxxxxxx.com' in the cloud policy...

Disable-AzureADSSOForest : One or more errors occurred.

At line:1 char:1

Disable-AzureADSSOForest -DomainFqdn xxxxxxxxxxx.com

+ CategoryInfo : NotSpecified: (:) [Disable-AzureADSSOForest], AggregateException + FullyQualifiedErrorId : System.AggregateException,Microsoft.KerberosAuth.Powershell.PowershellCommands.DisableAz ureADSSOCommand

The Domain Admin account being used to run this command is NOT in the protected users group.

PS C:\Windows\system32> Get-AzureADSSOStatus

Get-AzureADSSOStatus : One or more errors occurred.

At line:1 char:1

Get-AzureADSSOStatus

+ CategoryInfo : NotSpecified: (:) [Get-AzureADSSOStatus], AggregateException + FullyQualifiedErrorId : System.AggregateException,Microsoft.KerberosAuth.Powershell.PowershellCommands.GetAzureA DSSOStatusCommand

Share via

How to Remove Stale Seamless SSO Forest

1 answer

Your answer