Microsoft Azure (AZ-104): Azure Active Directory
Why do you need to modify users’ Intranet zone settings?
In a hybrid deployment, if Single Sign-On works as expected for most users but a few machines have problems with it, check whether the Intranet zone settings for those users have been modified.
The reason is that, by default, a URL that contains a period, such as http://intranet.contoso.com/, is mapped to the Internet zone, and browsers will not send Kerberos tickets to a cloud endpoint such as the Azure AD URL unless it is explicitly added to the browser’s Intranet zone.
So the enterprise solution is to add the Azure AD URL to the browser’s Intranet zone setting using a GPO.
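The check described above, as an added example (my own, not from the original note or from Microsoft): a PowerShell function that reports how a URL’s host is zoned on the machine where SSO fails, reading both the GPO-managed Site to Zone Assignment List and the user’s own Internet Options entries. It assumes the standard registry locations for those two lists and uses the note’s placeholder URL; substitute the actual Azure AD SSO URL from the documentation.

```powershell
# Added example, not part of the original note. Zone ids: 0 My Computer, 1 Local intranet,
# 2 Trusted sites, 3 Internet, 4 Restricted sites.
function Get-SiteZoneAssignment {
    param([Parameter(Mandatory)][string]$Url)

    $uri       = [Uri]$Url
    $hostName  = $uri.Host
    $findings  = @()
    $metaProps = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'

    # 1. GPO "Site to Zone Assignment List": HKLM policy is machine-wide, HKCU policy is per user.
    #    Each value is named after the site pattern (e.g. "http://intranet.contoso.com" or
    #    "*.contoso.com") and its DWORD data is the zone id.
    foreach ($hive in 'HKLM','HKCU') {
        $key = "${hive}:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey"
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($metaProps -contains $p.Name) { continue }
            $pattern = $p.Name -replace '^[A-Za-z]+://', ''    # compare on the host part only
            if ($hostName -like $pattern) {
                $findings += [pscustomobject]@{ Source = "$hive policy"; Entry = $p.Name; Zone = [int]$p.Value }
            }
        }
    }

    # 2. User-added sites (Internet Options > Security > Sites), stored as
    #    ZoneMap\Domains\<domain>[\<subdomain>] with values named by scheme ("http", "https")
    #    or "*" holding the zone id. Assumption: <domain> is the last two labels of the host.
    $labels = $hostName.Split('.')
    if ($labels.Count -ge 2) {
        $domain = $labels[-2..-1] -join '.'
        $sub    = if ($labels.Count -gt 2) { $labels[0..($labels.Count - 3)] -join '.' } else { $null }
        $base   = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$domain"
        $keys   = @(); if ($sub) { $keys += "$base\$sub" }; $keys += $base
        foreach ($k in $keys) {
            if (-not (Test-Path $k)) { continue }
            foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
                if ($metaProps -contains $p.Name) { continue }
                if ($p.Name -eq '*' -or $p.Name -eq $uri.Scheme) {
                    $findings += [pscustomobject]@{ Source = 'User (Internet Options)'; Entry = "$k [$($p.Name)]"; Zone = [int]$p.Value }
                }
            }
        }
    }

    # No explicit mapping: the browser derives the zone from the name, and a dotted host name
    # lands in the Internet zone (3), so Kerberos tickets will not be sent to it.
    if (-not $findings) {
        $findings += [pscustomobject]@{ Source = 'Default (no mapping)'; Entry = $hostName; Zone = 3 }
    }
    return $findings
}

# Run on a machine where SSO fails and compare with a working one; Zone must be 1.
Get-SiteZoneAssignment -Url 'http://intranet.contoso.com/' | Format-Table -AutoSize
```

A user entry that overrides the host to zone 3 or 4, or a missing policy entry on the failing machine only, points to the modified Intranet zone settings the note describes.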
IMPORTANT!!!
- Only a Global Administrator of Azure AD can get started with Azure AD Connect Health.
- If we want to enforce on-premises AD security and password policies, we need to configure Azure AD Connect with Pass-Through Authentication. This feature validates users’ passwords directly against on-premises AD.