Azure AD Connect: Fixing UPN Mismatch for Seamless Single Sign-On


Question

You configure Azure AD Connect for Azure Active Directory Seamless Single Sign-On (Azure AD Seamless SSO) for an on-premises network.

Users report that when they attempt to access myapps.microsoft.com, they are prompted multiple times to sign in and are forced to use an account name that ends with onmicrosoft.com.

You discover that there is a UPN mismatch between Azure AD and the on-premises Active Directory.

You need to ensure that the users can use single sign-on (SSO) to access Azure resources.

What should you do first?

Answers

A. Deploy Active Directory Federation Services (AD FS) from the on-premises network.
B. Add and verify a custom domain name from Azure AD.
C. Request a new certificate that contains the Active Directory domain name.
D. Modify the filtering options from the server that runs Azure AD Connect.

Correct answer: B

Explanations

The UPN is used by Azure AD to allow users to sign in. Which UPN a user can use depends on whether or not the domain suffix has been verified. If the domain has been verified, a user with that suffix will be allowed to sign in to Azure AD.

To do so, you need to add and verify a custom domain in Azure AD before you can start syncing the users.

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-design-concepts#azure-ad-sign-in
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/tshoot-connect-objectsync#detect-upn-mismatch-if-object-is-synced-to-azure-active-directory

The issue reported by users suggests that Azure AD Seamless SSO is not functioning correctly: they receive multiple sign-in prompts when accessing myapps.microsoft.com. The prompt to use an account that ends with onmicrosoft.com indicates that Azure AD is not recognizing the users' on-premises UPN, which points to a UPN mismatch between Azure AD and the on-premises Active Directory.

To resolve the issue and ensure that users can use single sign-on (SSO) to access Azure resources, the first step is to correct the UPN mismatch between Azure AD and the on-premises Active Directory.

Option A: Deploying Active Directory Federation Services (AD FS) from the on-premises network will not directly address the UPN mismatch between Azure AD and the on-premises Active Directory. AD FS is an alternative to Azure AD Seamless SSO that requires additional infrastructure and management overhead.

Option B: Adding and verifying a custom domain name from Azure AD is a good practice but will not directly address the UPN mismatch issue. A custom domain can help to provide a better user experience, but it is not required for Azure AD Seamless SSO to function correctly.

Option C: Requesting a new certificate that contains the Active Directory domain name will not directly address the UPN mismatch between Azure AD and the on-premises Active Directory. While it is important to have a valid certificate for Azure AD Seamless SSO, this step alone will not resolve the issue.

Option D: Modifying the filtering options from the server that runs Azure AD Connect will not directly address the UPN mismatch between Azure AD and the on-premises Active Directory. Filtering options are used to specify which objects are synchronized from the on-premises Active Directory to Azure AD and will not resolve the UPN mismatch.

Therefore, the correct answer is to address the UPN mismatch between Azure AD and the on-premises Active Directory first. This can be done by modifying the on-premises Active Directory UPN to match the domain that is verified in Azure AD. Once the UPN is corrected, Azure AD Seamless SSO should function correctly, and users will be able to access Azure resources using SSO.
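As an added example (not part of the original question or its explanation), the following PowerShell lists on-premises users whose UPN suffix is not one of the domains verified in Azure AD, and previews the correction with -WhatIf. The verified-domain list, the target suffix and the use of SamAccountName as the UPN prefix are assumptions for this example.

```powershell
# Added example, not from the original page: detect on-premises AD users whose
# UPN suffix is not a domain verified in Azure AD, then preview the correction.
# Assumes the ActiveDirectory module is installed; the domain values below are
# constructed placeholders.

Import-Module ActiveDirectory

# Constructed placeholder: domains that have been added AND verified in Azure AD.
$VerifiedDomains = @('contoso.com')
# Constructed placeholder: the verified, routable suffix to assign.
$TargetSuffix = 'contoso.com'

function Get-UpnMismatchUsers {
    param(
        [Parameter(Mandatory)] [string[]] $VerifiedDomains
    )
    Get-ADUser -Filter 'Enabled -eq $true' -Properties UserPrincipalName |
        Where-Object {
            $upn = $_.UserPrincipalName
            # An empty UPN or a non-verified suffix (for example contoso.local)
            # both make Azure AD fall back to the onmicrosoft.com sign-in name.
            [string]::IsNullOrEmpty($upn) -or
            ($VerifiedDomains -notcontains $upn.Split('@')[-1])
        }
}

$mismatched = Get-UpnMismatchUsers -VerifiedDomains $VerifiedDomains
$mismatched | Select-Object SamAccountName, UserPrincipalName | Format-Table

# Correct the on-premises UPN so it matches the verified suffix. -WhatIf only
# previews the change; remove it after reviewing the list above. Assumption:
# SamAccountName is used as the UPN prefix.
foreach ($user in $mismatched) {
    $newUpn = '{0}@{1}' -f $user.SamAccountName, $TargetSuffix
    Set-ADUser -Identity $user -UserPrincipalName $newUpn -WhatIf
}
```

After the UPNs are corrected, the next Azure AD Connect synchronization cycle carries the change to Azure AD; verify with the tshoot-connect-objectsync page linked above that the mismatch no longer appears.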