Configure and troubleshoot Microsoft Edge sync

This article explains how to configure and use Microsoft Edge to sync your favorites, passwords, and other browser data across all your signed-in devices. This article also provides troubleshooting steps for the most commonly encountered sync issues. It also includes the recommended tools for gathering the logs needed for troubleshooting.

Note

Applies to Microsoft Edge version 77 or later unless otherwise noted.

Overview

Microsoft Edge sync enables users to access their browsing data across all their signed-in devices. The data supported by sync includes:

  • Favorites
  • Passwords
  • Addresses and more (form-fill)
  • Collections
  • Settings
  • Extension
  • Open tabs (available in Microsoft Edge version 88)
  • History (available in Microsoft Edge version 88)

Sync functionality is enabled via user consent and users can turn sync on or off for each of the data types listed above.

Note

Additional device connectivity and configuration data (such as device name, make and model) is uploaded to support sync functionality.

Prerequisites

Microsoft Edge sync for Azure Active Directory (Azure AD) accounts is available for any of the following subscriptions:

  • Azure AD Premium (P1 or P2)
  • M365 Business Premium
  • Office 365 E1 and above
  • Azure Information Protection (AIP) (P1 or P2)
  • All EDU subscriptions (Microsoft Apps for Students or Faculty, Exchange Online for Students or Faculty, O365 A1 or above, M365 A1 or above, or Azure Information Protection P1 or P2 for Students or Faculty)

Sync group policies

You can use the following group policies to configure and manage Microsoft Edge sync:

Configure Microsoft Edge sync

Configuration options for Microsoft Edge sync are available through the Azure Information Protection (AIP) service. When AIP is enabled for a tenant, all users can sync Microsoft Edge data, regardless of licensing. Instructions on how to enable AIP can be found here.

To restrict sync to certain set of users, you can enable the AIP onboarding control policy for those users. If sync is still not available after ensuring that all necessary users are onboarded, ensure that the IPCv3Service is enabled using the Get-AIPServiceIPCv3 PowerShell cmdlet.

Caution

Activating Azure Information Protection will also allow other applications, such as Microsoft Word or Microsoft Outlook, to protect content with AIP. In addition, any onboarding control policy used to restrict Edge sync will also restrict other applications from protecting content using AIP.

Microsoft Edge and Enterprise State Roaming (ESR)

Microsoft Edge is a cross-platform application with an expanded scope for syncing user data across all their devices and is no longaer a part of Azure AD Enterprise State Roaming. However, the Microsoft Edge will fulfill the data protection promises of ESR, such as the ability to bring your own key. For more information, see Microsoft Edge and Enterprise State Roaming.

Troubleshoot sync issues

This section provides troubleshooting steps for the most encountered sync issues. It also includes the recommended tools for gathering the logs needed for troubleshooting.

Identity issues versus sync issues

A popular use case for maintaining user identity in the browser is to support sync. For this reason, identity issues are frequently confused with sync issues. Understand the difference between identity and sync issue before you start troubleshooting sync.

Before you treat an issue as a sync issue, check to see if the user is signed into the browser with a valid account.

The next screenshot shows an example of an identity error. The error is "Last Token Error, EDGE_AUTH_ERROR: 3, 54, 3ea", which is found in edge://sync-internals under Credentials:

Last Token Error EDGE_AUTH_ERROR: 3,54, 3ea

Common sync issues

Issue: Can't access M365 or Azure Information Protection subscription

Do you have a previous M365 or Azure Information Protection (AIP) subscription that expired and then replaced with a new subscription? If so, then the tenant ID has changed and the service data needs to be reset. See the instructions for resetting data in the Cryptographer error encountered issue.

Issue: “Sync is not available for this account.”

If this error is encountered for an Azure Active Directory account, or if DISABLED_BY_ADMIN appears in edge://sync-internals, follow the steps in the next procedure sequentially until the problem is fixed.

Note

Because the source of this error is usually requires a configuration change in an Azure Active Directory tenant, these troubleshooting steps can only performed by a tenant admin and not by end users.

  1. Verify that the enterprise tenant has a supported M365 subscription. The current list of available subscription types is provided here. If the tenant doesn't have a supported subscription, they can either purchase Azure Information Protection separately, or upgrade to one of the supported subscriptions.

  2. If a supported subscription is available, verify that the tenant has Azure Information Protection (AIP) available. The instructions for checking the AIP status and, if necessary, activating AIP are here.

  3. If step 2 shows that AIP is active but sync still doesn't work, turn on Enterprise State Roaming (ESR). The instructions for enabling ESR are here. Note that ESR does not need to stay on. You can turn off ESR if this step fixes the issue.

  4. Confirm that Azure Information Protection is not scoped via an onboarding policy. You can use the Get-AadrmOnboardingControlPolicy PowerShell applet to see if scoping is enabled. The next two examples show an unscoped configuration and a configuration scoped to a specific security group.

     PS C:\Work\scripts\PowerShell> Get-AadrmOnboardingControlPolicy
    
     UseRmsUserLicense SecurityGroupObjectId                Scope
     ----------------- ---------------------                -----
                 False 
    
    
     PS C:\Work\scripts\PowerShell> Get-AadrmOnboardingControlPolicy
    
     UseRmsUserLicense SecurityGroupObjectId                Scope
     ----------------- ---------------------                -----
                 False f1488a05-8196-40a6-9483-524948b90282   All
    

    If scoping is enabled, the affected user should either be added to the security group for the scope, or the scope should be removed. In the example below, onboarding has scoped AIP to the indicated security group and the scoping should be removed with the Set-AadrmOnboardingControlPolicy PowerShell applet.

  5. Confirm that the IPCv3Service is turned on in the tenant. The Get-AadrmConfiguration PowerShell applet shows the status of the service.

    Check to see if IPCv3Service is enabled.

  6. If the issue isn't fixed, contact Microsoft Edge support.

Issue: Stuck at "Setting up sync..." or “Couldn’t connect to the sync server. Retrying…”

  1. Try to sign out and then sign in.

  2. Go to edge://sync-internals. If under the "Type info" section the following error is present, then skip to the following issue, Cryptographer error encountered.

    "Error:GenerateCryptoErrorsForTypes@../../components/sync/driver/data_type_manager_impl.cc:42, cryptographer error was encountered"

  3. Try pinging the server endpoint. The server endpoint for a client is available in edge://sync-internals. The next screenshot shows endpoint information under Environment Info.

    Endpoint information

  4. If the server endpoint is empty, or if server cannot be pinged and a firewall is present in the environment, confirm that the necessary service endpoints are available to the client computer.

  5. If the issue still isn't fixed, contact Microsoft Edge support.

Issue: Cryptographer error encountered

This error is visible under Type info in edge://sync-internals and may mean that the user's service side data needs to be reset. The following example shows a cryptography error message:
"Error:GenerateCryptoErrorsForTypes@../../components/sync/driver/data_type_manager_impl.cc:42, cryptographer error was encountered".

  1. Restart Microsoft Edge and navigate to edge://sync-internals and check the “AAD Account Key Status” section
    • "Success" in "Last MIP Result": the cryptographer error means server data might be encrypted with a lost key. Data reset is needed to resume sync.
    • "No permissions" in "Last MIP Result": It is possibly caused by an Azure AD change or tenant subscription changes. Data reset is needed to resume sync.
    • Other errors may mean server configuration issues.
  2. If data reset is needed, see Reset Microsoft Edge data in the cloud.

Issue: “Sync has been turned off by your administrator.”

Make sure that the SyncDisabled policy is not set.

Frequently Asked Questions

SECURITY and SERVER/DATA COMPLIANCE

Is the synced data encrypted?

The data is encrypted in transport using TLS 1.2 or greater. All data types are additionally encrypted at rest in Microsoft's service using AES128. All data types except those used for open tab and history sync are additionally encrypted before leaving the user’s device with keys managed via the Azure Information Protection policy.

Why don’t open tab and history data have more client-side encryption?

To reduce resource utilization on end-user devices, history data is generated server-side based on open tab roaming data. This process would not be possible with client-side encryption of this data. To disable open tab and history sync, apply the SavingBrowserHistoryDisabled or SyncTypesListDisabled policies.

Can tenant admins bring their own key?

Yes, through Azure Information Protection.

Where is Microsoft Edge sync data stored?

Synced data for Azure AD accounts is stored in secure servers according to the tenant ID. For example, the data for a tenant that is registered in the United States is stored in servers geo-located for that region and uses the same storage solution as Office applications.

Does the data ever leave Microsoft's cloud, aside from syncing to Microsoft Edge?

No.

What terms of service does enterprise sync fall under?

Terms of service for Microsoft Edge sync falls under the Microsoft software license viewable in Microsoft Edge at edge://terms. Your Azure AD subscription and terms of service ultimately fall under Microsoft's Online Service Terms.

Does Microsoft Edge support Government Community Cloud (GCC) High compliance?

Not today. For customers in the GCC High cloud, Microsoft Edge sync is disabled.

APPLYING SYNC

Why isn’t Microsoft Edge sync supported in all M365 subscriptions?

Enterprise sync depends on Azure Information Protection, which is not available in all M365 subscriptions.

Is Microsoft Edge sync based on Enterprise State Roaming?

No. ESR can be used to enable sync, but Microsoft Edge sync is not a part of ESR. For more information, see Microsoft Edge Sync and Microsoft Edge and Enterprise State Roaming.

Will Microsoft Edge ever support syncing between Microsoft Edge and IE?

There are no plans to support this syncing. If you still need IE in your environment to support legacy apps, consider our new IE mode.

Will Microsoft Edge sync with Microsoft Edge Legacy?

No, it won't. We believe connecting these two ecosystems will lead to compromises in the reliability of sync in the Microsoft Edge. We will ensure that existing data is migrated to the Microsoft Edge. Users will also be able to import data from browser of their choice, which also means that Microsoft Edge won't have a way to sync with IE.

MANAGING SYNC

Is it possible to stop my users from syncing with a personal tenant?

Not directly, but you can determine which profiles can sign on to Microsoft Edge using the RestrictSigninToPattern policy.

See also