
Seamless Single Sign-On should be disabled for all domains in Entra ID Connect servers.

Why This Matters

Seamless Single Sign-On (SSO) can expose your organization to lateral movement and credential theft if an attacker compromises a domain-joined machine. When it is enabled for every domain in Entra ID Connect, a compromised domain-joined machine gives an adversary a persistent authentication foothold into cloud resources that bypasses the traditional password check. Disabling Seamless SSO for domains that do not require it reduces the attack surface and limits unauthorized access to cloud resources.

What Aether365 Checks

This check queries IdentityLogonEvents data using KQL to identify domains where Seamless SSO is actively in use. It enriches the results with device insights and flags the configuration as a medium-severity finding in the Aether365 dashboard under entra-id checks.
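The page does not publish the query itself. The KQL below is an added example, not Aether365's own check, showing the shape of such an advanced-hunting query over IdentityLogonEvents: filter to Kerberos logon successes, keep the rows tied to Seamless SSO, and summarize per on-premises domain with the device enrichment the check describes. It assumes that Seamless SSO authentications surface as rows referencing the AZUREADSSOACC computer account (the account Seamless SSO creates in Active Directory) in TargetDeviceName or AdditionalFields; that column mapping is an assumption and should be validated against your tenant's data before the query is trusted.

```kql
// Added example (not Aether365's own query): summarize accounts and devices that
// authenticated through Seamless SSO, grouped by on-premises domain.
// Assumption: Seamless SSO authentications appear in IdentityLogonEvents as
// Kerberos logon rows that reference the AZUREADSSOACC computer account
// in TargetDeviceName or in the AdditionalFields JSON. Validate this mapping
// against your own tenant's data before relying on it.
let lookback = 30d;
IdentityLogonEvents
| where Timestamp > ago(lookback)
| where ActionType == "LogonSuccess" and Protocol == "Kerberos"
| where TargetDeviceName has "AZUREADSSOACC"
    or tostring(AdditionalFields) has "AZUREADSSOACC"
| summarize
    SsoLogons        = count(),
    DistinctAccounts = dcount(AccountUpn),
    DistinctDevices  = dcount(DeviceName),
    SampleDevices    = make_set(DeviceName, 10),   // device insight for the finding
    FirstSeen        = min(Timestamp),
    LastSeen         = max(Timestamp)
    by AccountDomain
| extend Severity = "Medium"   // matches the severity the dashboard assigns
| order by SsoLogons desc
```

Every AccountDomain that appears in the output is one where Seamless SSO is actively in use; a domain that never appears over the lookback window is a candidate for having Seamless SSO disabled without disrupting users.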

How to Fix

No specific remediation steps are provided by the source. However, to disable Seamless SSO for a given domain:

Microsoft references
