Hunt domains with Seamless SSO enabled in Entra ID Connect
Hunt Domains With Seamless Sso Enabled
Query
// Get all device info we can find
let devices = (
DeviceInfo
// Search for 14 days
| where TimeGenerated > ago(14d)
// Normalize DeviceName
// --> if it is an IP Address we keep it
// --> If it is not an IP Address we only use the hostname for correlation
| extend DeviceName = iff(ipv4_is_private(DeviceName), DeviceName, tolower(split(DeviceName, ".")[0]))
// Only get interesting data
| distinct DeviceName, OSPlatform, OSVersion, DeviceId, OnboardingStatus, Model, JoinType
);
IdentityLogonEvents
// Get the last 30 days of logon events on Domain Controllers
| where TimeGenerated > ago(30d)
// Search for Seamless SSO events
| where Application == "Active Directory" and Protocol == "Kerberos"
| where TargetDeviceName == "AZUREADSSOACC"
// Save the domain name of the Domain Controller
| extend OnPremisesDomainName = strcat(split(DestinationDeviceName, ".")[-2], ".", split(DestinationDeviceName, ".")[-1])
// Normalize DeviceName
// --> if it is an IP Address we keep it
// --> If it is not an IP Address we only use the hostname for correlation
| extend DeviceName = iff(ipv4_is_private(DeviceName), DeviceName, tolower(split(DeviceName, ".")[0]))
// Only use interesting data and find more info regarding the source device
| distinct AccountUpn, OnPremisesDomainName, DeviceName
| join kind=leftouter devices on DeviceName
| project-away DeviceName1
// Check if Seamless SSO usage is expected
| extend ['Seamless SSO Expected'] = case(
// Cases where we do not expect Seamless SSO to be used
JoinType == "Hybrid Azure AD Join" or
JoinType == "AAD Joined" or
JoinType == "AAD Registered", "No",
// Cases where we do expect Seamless SSO to be used
JoinType == "Domain Joined" or
(OSPlatform startswith "Windows" and toreal(OSVersion) < 10.0) , "Yes",
// Cases that need to be verified
"Unknown (to verify)"
)About this query
Explanation
This KQL query is designed to identify domains where Seamless Single Sign-On (SSO) is enabled in Microsoft Entra ID Connect by analyzing logon events from Microsoft Defender for Identity. Seamless SSO can pose a security risk if not properly managed, so this query helps identify where it is being used and whether it is expected to be used based on device configurations.
Here's a simplified breakdown of what the query does:
-
Device Information Collection:
- It gathers information about devices from the
DeviceInfotable for the past 14 days. - It normalizes device names to ensure consistency, distinguishing between IP addresses and hostnames.
- It collects distinct data about each device, such as operating system, version, and join type.
- It gathers information about devices from the
-
Logon Event Analysis:
- It examines logon events from the
IdentityLogonEventstable over the last 30 days, specifically looking for events related to Seamless SSO. - It filters events to those using the "Kerberos" protocol and involving the "Active Directory" application.
- It extracts the domain name from the domain controller's device name.
- It examines logon events from the
-
Data Correlation:
- It correlates logon events with device information to enrich the data with additional device details.
- It determines whether Seamless SSO usage is expected based on the device's join type and operating system version:
- "No" if the device is joined to Azure AD or has a modern OS version.
- "Yes" if the device is domain-joined or has an older Windows version.
- "Unknown (to verify)" if the status is unclear.
The query helps administrators identify domains and devices where Seamless SSO is enabled and assess whether its usage is appropriate or if it should be disabled to enhance security. If no results are found or all results indicate "No" for expected usage, it is likely safe to disable Seamless SSO in Entra ID Connect.
Details

Robbe Van den Daele
Released: September 16, 2025
Tables
Keywords
Operators