Hi @ToryDav, I experienced the same issue and I was able to find a solution. The reason why this is happening is because all internet traffic is blocked until there is a successful VPN connection. In order to push a custom DNS suffix from your MX to your client devices, please review this.

Regarding the SSO issue, there is a feature under Preferences (Part 2) of your screenshot, "Allow access to the following hosts...", that allows you to include URLs which will be accessible before there is an established VPN connection. I ran packet captures and filtered the traffic to capture the URLs used for Azure AD SSO, and I added them to the profile. login.microsoftonline.com works for authentication; login.live.com works for password resets. Please see the sample XML below.

There is no enforcement of an "Always On" policy with this; whenever users connect to an unknown network, they get prompted through the AnyConnect SSO popup, authenticate, and start a VPN connection; they can browse the internet with or without an established VPN connection. Always On can also be enabled and it will work as well; however, the only hosts accessible before a VPN connection gets established will be the ones under Allowed Hosts.

```xml
<AutomaticVPNPolicy>true
  <TrustedDNSDomains>Connection Specific DNS Suffix</TrustedDNSDomains>
  <TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>
  <UntrustedNetworkPolicy>Connect</UntrustedNetworkPolicy>
  <AlwaysOn>false
    <ConnectFailurePolicy>Open
      <AllowCaptivePortalRemediation>true
        <CaptivePortalRemediationTimeout>5</CaptivePortalRemediationTimeout>
      </AllowCaptivePortalRemediation>
      <ApplyLastVPNLocalResourceRules>false</ApplyLastVPNLocalResourceRules>
    </ConnectFailurePolicy>
    <AllowVPNDisconnect>true</AllowVPNDisconnect>
    <AllowedHosts>login.microsoftonline.com,login.live.com</AllowedHosts>
  </AlwaysOn>
</AutomaticVPNPolicy>
```
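The following is an added example and is not code from the post above or from Cisco: it parses the AutomaticVPNPolicy block of an AnyConnect client profile and answers the question the post raises, which hosts a client can reach before the tunnel is up, under the behaviour the post describes (AlwaysOn false: everything reachable; AlwaysOn true: only the AllowedHosts entries). The wrapper elements around the policy block, the `corp.example` suffix, the `sso-cdn.example.net` host and all function names are assumptions made for the example. The one non-obvious detail it handles is that these profiles use mixed content: the boolean sits as a text node before the child elements, so the value has to be stripped of the surrounding whitespace before it can be compared.

```python
"""Added example, not code from the original post or from Cisco: parse the
AutomaticVPNPolicy block of an AnyConnect client profile and work out which
hosts the client can reach before the tunnel is up, using the behaviour the
post describes (AlwaysOn off: everything reachable; AlwaysOn on: only the
AllowedHosts entries).  All function names below are my own."""

import xml.etree.ElementTree as ET

# Constructed sample: the post's AutomaticVPNPolicy block inside a minimal
# AnyConnectProfile/ClientInitialization wrapper (assumed layout, no namespace).
SAMPLE_PROFILE = """<AnyConnectProfile>
  <ClientInitialization>
    <AutomaticVPNPolicy>true
      <TrustedDNSDomains>corp.example</TrustedDNSDomains>
      <TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>
      <UntrustedNetworkPolicy>Connect</UntrustedNetworkPolicy>
      <AlwaysOn>false
        <ConnectFailurePolicy>Open
          <AllowCaptivePortalRemediation>true
            <CaptivePortalRemediationTimeout>5</CaptivePortalRemediationTimeout>
          </AllowCaptivePortalRemediation>
          <ApplyLastVPNLocalResourceRules>false</ApplyLastVPNLocalResourceRules>
        </ConnectFailurePolicy>
        <AllowVPNDisconnect>true</AllowVPNDisconnect>
        <AllowedHosts>login.microsoftonline.com,login.live.com</AllowedHosts>
      </AlwaysOn>
    </AutomaticVPNPolicy>
  </ClientInitialization>
</AnyConnectProfile>
"""

# Constructed list standing in for hostnames pulled out of a packet capture of
# the SSO flow; sso-cdn.example.net is a made-up host to show a gap.
OBSERVED_SSO_HOSTS = ["login.microsoftonline.com", "login.live.com", "sso-cdn.example.net"]


def _local(tag):
    # Real profiles carry a default namespace; compare on the local name only.
    return tag.rsplit("}", 1)[-1]


def _find(elem, name):
    for e in elem.iter():
        if _local(e.tag) == name:
            return e
    return None


def _flag(elem):
    # AnyConnect uses mixed content: the boolean is the text node that sits
    # before the first child element, so strip the surrounding whitespace.
    return (elem.text or "").strip().lower() == "true"


def parse_auto_vpn_policy(profile_xml):
    root = ET.fromstring(profile_xml)
    policy = _find(root, "AutomaticVPNPolicy")
    if policy is None:
        raise ValueError("profile has no AutomaticVPNPolicy element")
    always_on = _find(policy, "AlwaysOn")
    cfp = _find(policy, "ConnectFailurePolicy")
    allowed = _find(policy, "AllowedHosts")
    hosts = (allowed.text or "") if allowed is not None else ""
    return {
        "automatic_vpn": _flag(policy),
        "always_on": always_on is not None and _flag(always_on),
        "connect_failure_policy": (cfp.text or "").strip() if cfp is not None else None,
        "allowed_hosts": [h.strip().lower() for h in hosts.split(",") if h.strip()],
    }


def reachable_before_vpn(policy, host):
    """True if `host` is reachable with no tunnel, per the post's description."""
    if not policy["always_on"]:
        return True
    return host.lower() in policy["allowed_hosts"]


def hosts_not_in_allowlist(policy, observed_hosts):
    """Observed SSO hosts that Always On would block before the tunnel is up."""
    allowed = set(policy["allowed_hosts"])
    return sorted({h.lower() for h in observed_hosts} - allowed)


def set_always_on(profile_xml, enabled):
    """Return the profile with <AlwaysOn> flipped, keeping the mixed-content layout."""
    root = ET.fromstring(profile_xml)
    always_on = _find(root, "AlwaysOn")
    if always_on is None:
        raise ValueError("profile has no AlwaysOn element")
    text = always_on.text or ""
    trailing_ws = text[len(text.rstrip()):]
    always_on.text = ("true" if enabled else "false") + trailing_ws
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    relaxed = parse_auto_vpn_policy(SAMPLE_PROFILE)
    strict = parse_auto_vpn_policy(set_always_on(SAMPLE_PROFILE, True))
    for name, pol in (("AlwaysOn=false", relaxed), ("AlwaysOn=true", strict)):
        print(name, "example.org reachable pre-VPN:", reachable_before_vpn(pol, "example.org"))
    print("SSO hosts missing from AllowedHosts:", hosts_not_in_allowlist(relaxed, OBSERVED_SSO_HOSTS))
```

To use it on a deployed profile, feed the exported XML to `parse_auto_vpn_policy` and pass the hostnames extracted from a capture of the SSO login to `hosts_not_in_allowlist`; anything it returns is a host that would be unreachable before the tunnel is up once Always On is turned on, which is exactly the case where the SSO popup stops working.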