
0 Votes
JamesEdmonds-7766 asked, JamesEdmonds-7766 commented

Edge browser sign in for Hybrid AD joined devices/users

Hi,

We have all of our devices as Hybrid AD Joined devices, and our users are synced from on prem to Azure AD.
We are trying to configure Microsoft Edge to sign in automatically with the users' Windows/Azure AD credentials, but cannot get it working.

Could someone advise how to force browser sign in and have it be done automatically for Hybrid users?

Many thanks
James

ms-edgeazure-ad-hybrid-identity

1 Vote
MrSbaa answered, JamesEdmonds-7766 commented

This has nothing to do with Seamless Sign-On or ADFS. If you are using Edge Chromium in a hybrid joined scenario, you will get SSO automatically.

Microsoft says:
If the device is hybrid/AAD-J: Available on Win10, down-level Windows, and corresponding server versions. The user gets automatically signed in with their Azure AD account.

Source: https://docs.microsoft.com/en-us/deployedge/microsoft-edge-security-identity

Check if your hybrid join setup works by using dsregcmd.

https://docs.microsoft.com/en-us/azure/active-directory/devices/troubleshoot-device-dsregcmd


Well, the problem is that the auto sign-in isn't happening, and users are instead getting a prompt asking whether they want to sign in or not.

On the device I am testing on, dsregcmd /status doesn't show any problems that I can see and the state equates to Hybrid AD Joined based on the table in the documentation you shared.
Is there a specific element of the dsregcmd /status that would be specifically relevant to auto sign in for Edge?

0 Votes 0 ·

I think the issue may be that the first time you ever launch Edge on a new machine, it signs you in, but if you sign out and then reset Edge to defaults, it does not make additional attempts to auto sign you back in.
Is this expected behaviour?

Thanks
James

0 Votes 0 ·
MrSbaa, replying to JamesEdmonds-7766:

Yes this is normal. You can use the following GPO to force sign-in:

https://admx.help/?Category=Chrome&Policy=Google.Policies.Chrome::BrowserSignin

0 Votes 0 ·
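The two checks discussed in the comments above (the hybrid join state reported by dsregcmd and the BrowserSignin policy) can be gathered in one go. The following PowerShell script is an added example, not something posted in this thread or provided by Microsoft. It assumes it is run in an elevated PowerShell session on the Windows 10 client being tested, that dsregcmd.exe is on the path, and that the policy is delivered as the machine-scope registry value HKLM\SOFTWARE\Policies\Microsoft\Edge\BrowserSignin (which is where the Edge ADMX template writes it); the dsregcmd field names AzureAdJoined, DomainJoined and AzureAdPrt are the ones printed by dsregcmd /status.

```powershell
# Added example (not from the thread): summarise the device-state facts that matter for
# Edge automatic sign-in on a hybrid-joined device, then read the BrowserSignin policy.
# Assumptions: elevated PowerShell on the Windows 10 client; dsregcmd.exe is available.

function Get-DsregState {
    # Parse the "Key : Value" lines of dsregcmd /status into a hashtable.
    $state = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

$s = Get-DsregState

# Hybrid Azure AD joined = domain joined AND Azure AD joined, both reported as YES.
$hybrid = ($s['AzureAdJoined'] -eq 'YES') -and ($s['DomainJoined'] -eq 'YES')

# The Primary Refresh Token (listed under "SSO State") is what the browser uses for
# the silent Azure AD sign-in; without it the user is prompted instead.
$hasPrt = $s['AzureAdPrt'] -eq 'YES'

"Hybrid Azure AD joined : $hybrid"
"Azure AD PRT present   : $hasPrt"
if (-not $hasPrt) {
    "No PRT: the signed-in user has not obtained an Azure AD token; review the 'SSO State' section of dsregcmd /status."
}

# Edge BrowserSignin policy: 0 = disable sign-in, 1 = allow (optional), 2 = force sign-in.
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
$value = (Get-ItemProperty -Path $policyPath -Name BrowserSignin -ErrorAction SilentlyContinue).BrowserSignin

$desc = if ($null -eq $value) { 'not set (users see the sign-in prompt and can dismiss it)' }
        elseif ($value -eq 2)  { '2 (sign-in forced)' }
        elseif ($value -eq 1)  { '1 (sign-in allowed but optional)' }
        else                   { "$value (browser sign-in disabled)" }
"BrowserSignin policy   : $desc"
```

Run it on a device where the prompt appears: if the join state is fine but AzureAdPrt is NO, the problem is the user's token rather than Edge, whereas a valid PRT together with an unset policy matches the behaviour described above, where Edge signs in once and does not retry after a sign-out until the policy forces it.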
0 Votes
MarileeTurscak-MSFT answered, JamesEdmonds-7766 edited

Hi James,

Seamless SSO should work with Microsoft Edge, but there are some limitations. For example, it doesn't work with Windows 8, Windows Server 2012 R2, or Mac OS X. Microsoft Edge Legacy is also no longer supported.

The full list of limitations is noted here: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso

If none of those limitations apply to you, I would recommend going through the Quick Start steps if you haven't already. https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso-quick-start


Checking the documentation, I think all pre-reqs are OK, but the part about enabling SSO in AADC seems to be the issue:
[attached screenshot: 137357-image.png]

If I change to PHS, will the ADFS config continue to function as it does currently, or would it need to be reconfigured?
I assume once we change to PHS, we can then enable the SSO option on that page?

Thanks
James

EDIT: I see the PHS and PTA options say that the domain will be converted from federated to managed, so I would then need to manually federate the domains against our ADFS config again?

0 Votes 0 ·