Azure AD Connect: Troubleshooting Azure AD Seamless SSO for On-Premises Networks

Resolve UPN Mismatch to Enable Single Sign-On (SSO) for Azure Resources

Question

You configure Azure AD Connect for Azure Active Directory Seamless Single Sign-On (Azure AD Seamless SSO) for an on-premises network. Users report that when they attempt to access myapps.microsoft.com, they are prompted multiple times to sign in and are forced to use an account name that ends with onmicrosoft.com.

You discover that there is a UPN mismatch between Azure AD and the on-premises Active Directory. You need to ensure that the users can use single sign-on (SSO) to access Azure resources.

What should you do first?

Answers

Explanations


A. B. C. D.

B

Azure AD Connect lists the UPN suffixes that are defined for the on-premises domains and tries to match each one with a custom domain in Azure AD, then suggests the appropriate action. The Azure AD sign-in page of the Azure AD Connect wizard lists the UPN suffixes that are defined for on-premises Active Directory and displays the corresponding status against each suffix. The status can be one of the following:

-> State: Verified

Azure AD Connect found a matching verified domain in Azure AD. All users for this domain can sign in by using their on-premises credentials.

-> State: Not verified

Azure AD Connect found a matching custom domain in Azure AD, but it isn't verified. The UPN suffix of the users of this domain will be changed to the default .onmicrosoft.com suffix after synchronization if the domain isn't verified.

-> Action Required: Verify the custom domain in Azure AD.

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-user-signin

The issue is that the user's UPN in Azure AD does not match the on-premises Active Directory UPN. This mismatch is causing the users to be prompted multiple times to sign in and use an account name that ends with onmicrosoft.com.

To ensure that the users can use single sign-on (SSO) to access Azure resources, the first step is to correct the UPN mismatch. This can be done by updating the on-premises Active Directory UPN to match the Azure AD UPN, or by updating the Azure AD UPN to match the on-premises Active Directory UPN. Once the UPN mismatch has been corrected, Azure AD Seamless SSO will work as expected.

However, the question asks what should be done first, and the answer is B. From Azure AD, add and verify a custom domain name. This is because, before you can update the UPN in Azure AD, you must first add and verify a custom domain name that matches the on-premises Active Directory domain name. This will allow Azure AD to recognize the on-premises domain as a trusted domain.

Once the custom domain name has been added and verified, the UPN in Azure AD can be updated to match the on-premises Active Directory UPN. This can be done by configuring the Azure AD Connect tool to synchronize the UPN from the on-premises Active Directory to Azure AD.

Option A, deploying Active Directory Federation Services (AD FS), is not necessary for Azure AD Seamless SSO. AD FS is an alternative solution for SSO, but Azure AD Seamless SSO is a simpler and more modern solution that does not require the additional infrastructure of AD FS.

Option C, requesting a new certificate that contains the Active Directory domain name, is not necessary for correcting the UPN mismatch or enabling Azure AD Seamless SSO.

Option D, modifying the filtering options from the server that runs Azure AD Connect, is also not necessary for correcting the UPN mismatch or enabling Azure AD Seamless SSO. The filtering options in Azure AD Connect are used to select which objects in the on-premises Active Directory to synchronize to Azure AD, and do not affect the UPN matching or Azure AD Seamless SSO.
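The suffix-to-domain matching described in the explanation can be checked before running the wizard. The following PowerShell script is an added example, not part of the original page or of Azure AD Connect itself: it classifies each on-premises UPN suffix as Verified, Not verified or Not added against the tenant's domain list and counts the users whose UPN would fall back to the .onmicrosoft.com suffix. All suffixes, domains and users below are constructed sample data so the script runs offline; the commented "Live:" lines show how the same inputs come from a real forest (RSAT ActiveDirectory module) and tenant (Microsoft.Graph module), which is assumed to be installed.

```powershell
# Added example (not from the original page): reproduce the UPN-suffix state
# check that the Azure AD Connect sign-in page performs, using constructed data.

# On-premises UPN suffixes: the forest root domain plus alternative suffixes.
# Live:  $forest = Get-ADForest; $onPremSuffixes = @($forest.RootDomain) + $forest.UPNSuffixes
$onPremSuffixes = @('corp.local', 'contoso.com', 'fabrikam.com')   # constructed

# Tenant domains and their verification state.
# Live:  $tenantDomains = Get-MgDomain | Select-Object @{n='Name';e={$_.Id}}, IsVerified
$tenantDomains = @(                                                # constructed
    [pscustomobject]@{ Name = 'contoso.com';             IsVerified = $true  }
    [pscustomobject]@{ Name = 'fabrikam.com';            IsVerified = $false }
    [pscustomobject]@{ Name = 'contoso.onmicrosoft.com'; IsVerified = $true  }
)

# On-premises user UPNs, used to count who is affected per suffix.
# Live:  $userUpns = (Get-ADUser -Filter * -Properties UserPrincipalName).UserPrincipalName
$userUpns = @('alice@contoso.com', 'bob@contoso.com',               # constructed
              'carol@fabrikam.com', 'dave@corp.local')

function Get-UpnSuffixState {
    param([string[]]$Suffixes, [object[]]$Domains, [string[]]$Upns)
    foreach ($suffix in $Suffixes) {
        $match = $Domains | Where-Object { $_.Name -eq $suffix }
        $state = if (-not $match)           { 'Not added' }
                 elseif ($match.IsVerified) { 'Verified' }
                 else                       { 'Not verified' }
        # Users on a suffix that is not a verified domain sync with the
        # default .onmicrosoft.com suffix, which breaks Seamless SSO for them.
        $users = @($Upns | Where-Object { ($_ -split '@')[1] -eq $suffix }).Count
        $action = switch ($state) {
            'Verified'     { 'None: users keep their on-premises UPN' }
            'Not verified' { 'Verify the custom domain in Azure AD' }
            'Not added'    { 'Add and verify the custom domain in Azure AD ' +
                             '(a non-routable suffix such as .local cannot be ' +
                             'verified; assign users a routable alternative suffix)' }
        }
        [pscustomobject]@{
            Suffix = $suffix; State = $state
            UsersAffected = if ($state -eq 'Verified') { 0 } else { $users }
            Action = $action
        }
    }
}

Get-UpnSuffixState -Suffixes $onPremSuffixes -Domains $tenantDomains -Upns $userUpns |
    Format-Table -AutoSize -Wrap
```

With the constructed data the report shows contoso.com as Verified, fabrikam.com as Not verified (1 user affected) and corp.local as Not added (1 user affected), which is the state the question describes and the reason option B comes first.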