Fix: Seamless SSO not working for Staged Rollout users

If you’re planning on making the switch from federated to cloud authentication, you have probably heard of Staged Rollout, a new feature from Microsoft that lets you pilot the migrated experience without migrating your entire domain. While the feature works as advertised, Microsoft’s setup instructions are missing a key step needed to get Seamless Single Sign-On (SSO) up and running.

After following Microsoft’s documentation, you will find that although users are moved to cloud authentication, Seamless SSO does not function. This is due to a missing command that Azure AD Connect normally runs automatically when you configure the sign-in method, with no manual intervention required. Because configuring Staged Rollout involves no change to the sign-in method within Azure AD Connect, that command never runs.

The instructions below will guide you through completing the setup.

  1. Follow the previously linked Microsoft setup instructions from steps 1 through to 7. Steps 5 to 7 are not required if you completed these during your initial configuration.
  2. Run the command Enable-AzureADSSO -Enable $true to enable Seamless SSO on your tenant. Note that this does not affect federated users.
  3. Continue following Microsoft’s setup instructions, skipping any subsequent steps you already completed during your initial configuration.
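The following is an added example, not part of the original post, showing step 2 in context on the Azure AD Connect server: load the Seamless SSO module, authenticate to the tenant, record the current state, run Enable-AzureADSSO -Enable $true, and then verify the result. Only the Enable-AzureADSSO command itself comes from the post; the module path is the default Azure AD Connect install location and is an assumption, and the companion cmdlets (New-AzureADSSOAuthenticationContext, Get-AzureADSSOStatus) are the standard ones shipped in the same AzureADSSO module.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell session
# on the Azure AD Connect server, where the AzureADSSO module is installed.

# 1. Load the Seamless SSO module that ships with Azure AD Connect.
#    Assumption: the default install path is used; adjust if Azure AD Connect was installed elsewhere.
Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1'

# 2. Authenticate to the tenant. This prompts for credentials of an account with
#    rights to change the tenant's Seamless SSO setting.
New-AzureADSSOAuthenticationContext

# 3. Capture the tenant-level state before changing anything, so the change is
#    auditable and can be compared against the post-change state.
$before = Get-AzureADSSOStatus | ConvertFrom-Json
Write-Host 'Seamless SSO state before the change:'
$before

# 4. The step missing from the Staged Rollout documentation: switch Seamless SSO on
#    for the tenant. Federated users are unaffected; only users moved to cloud
#    authentication through Staged Rollout pick it up.
Enable-AzureADSSO -Enable $true

# 5. Verify that the change took effect before moving on to the remaining steps.
$after = Get-AzureADSSOStatus | ConvertFrom-Json
Write-Host 'Seamless SSO state after the change:'
$after
```

Enable-AzureADSSO only flips the tenant-side flag. The on-premises prerequisites created by the earlier steps of Microsoft’s instructions (the AZUREADSSOACC computer account in the on-premises forest) must already exist, and clients still need the Microsoft-documented intranet-zone URL (https://autologon.microsoftazuread-sso.com) pushed out via Group Policy or the browser will never attempt the silent Kerberos sign-in. If the before and after status output look identical, re-check that step 2 authenticated to the intended tenant.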
