VamshiKrishnaSiram-2995 asked TKujala commented

Edge - force to prompt credentials on intranet and trusted sites

So, we have thousands of workstations that use a generic user and are always logged in, more like kiosk workstations. These workstations are set up to always stay on, so users could go to any workstation, launch a browser and use it and walk away.
When we used IE 11 for Office.com, we were able to add the site office.com/login.microsoftonline.com to trusted sites zone and set the trusted sites to force the prompt for credentials instead of auto login. And it worked great for us until we switched to Edge.

Chromium Edge is not honoring any of these settings and auto logs in to the website office.com using the generic user logged into the PC instead of asking the user to enter credentials.
There is nothing I could find online as a solution for this.

Any thoughts?

Any help from a Microsoft Pro here?

ms-edge

1 Vote
TKujala answered VamshiKrishnaSiram-2995 commented

@TKujala

Just to be clear, I am not talking about signing into the browser, but I am talking about just signing into office.com website. I have already reviewed this article before posting this question and tried below, no luck.

Office.com Redirects to login.Microsoftonline.com and then auto logs in with the device account.

Using local gpo on a test computer I disabled this setting already (meaning I did not add any site to the allow list) https://docs.microsoft.com/fi-fi/deployedge/microsoft-edge-policies#authserverallowlist and it did not work.

The website login.microsoftonline.com is in the trusted site zone in internet settings when above gpo is added.

No dice with the above.

0 Votes 0 ·
0 Votes
TKujala answered VamshiKrishnaSiram-2995 edited

@VamshiKrishnaSiram-2995,

Are you using Azure Active Directory Seamless Single Sign-On or Pass-through authentication or Federation?

If you are using Azure Active Directory (Azure AD) Seamless Single Sign-On (Seamless SSO), check the following links.

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso-quick-start#why-do-you-need-to-modify-users-intranet-zone-settings

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso-quick-start#microsoft-edge-based-on-chromium-macos-and-other-non-windows-platforms



@TKujala

Yes, we use AzureAD Seamless SSO along with Password Hash Synchronization.

Right, we have login.microsoftonline.com added to the intranet zone in IE 11. And also force the user to enter credentials for sites in the intranet zone.

Are you saying that we just need to add autologon.microsoftazuread.com to the restricted site zone on kiosk type workstations and remove the login.microsoftonline.com, to force the user to enter credentials and not use sso?

Or

Do we need to add both login.microsoftonline.com and autologon.microsoftazuread.com to the restricted site zone to force the user to enter credentials?

0 Votes 0 ·
0 Votes
TKujala answered TKujala commented

@VamshiKrishnaSiram-2995,

Do we need to add both login.microsoftonline.com and autologon.microsoftazuread.com to the restricted site zone to force the user to enter credentials?

You can test that if you want to.

I think the best method is to use shortcuts on kiosk type workstations that start Edge in Private Mode.

Make Microsoft Edge Always Start in InPrivate Mode


@TKujala

I have that as my last resort. If none work, then the only choice could be starting Edge in private window always.

I will test the above later and see what happens, but I still think opening Edge in private window is better. But worried about not having a home page in private window.

0 Votes 0 ·
TKujala VamshiKrishnaSiram-2995 ·

@VamshiKrishnaSiram-2995,

"I will test the above later and see what happens, but I still think opening Edge in private window is better. But worried about not having a home page in private window."

Yes, a home page doesn't work in private window. I think that is the best solution of these.

0 Votes 0 ·
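
One way to set up the InPrivate approach suggested in the thread, as an added example that is not part of the original posts: it creates a kiosk shortcut that opens Edge InPrivate directly on a start URL (a URL passed on the command line opens in the InPrivate window) and sets the Edge policy `InPrivateModeAvailability` to 2 (forced). The install paths, the shortcut name and location, and the start URL are assumptions to adjust for your image.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell session.
# Assumptions: default Edge install locations, a shortcut on the Public desktop,
# and https://www.office.com as the page the kiosk should open.

$startUrl  = 'https://www.office.com'
$shortcut  = Join-Path $env:PUBLIC 'Desktop\Office (InPrivate).lnk'
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'

# Edge may be installed under either Program Files directory; take the first that exists.
$candidates = @(
    (Join-Path ${env:ProgramFiles(x86)} 'Microsoft\Edge\Application\msedge.exe'),
    (Join-Path $env:ProgramFiles 'Microsoft\Edge\Application\msedge.exe')
)
$edgeExe = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $edgeExe) {
    throw 'msedge.exe not found in the default locations; set $edgeExe manually.'
}

# 1. Shortcut that starts Edge InPrivate and opens the start URL.
$shell = New-Object -ComObject WScript.Shell
$lnk = $shell.CreateShortcut($shortcut)
$lnk.TargetPath       = $edgeExe
$lnk.Arguments        = "--inprivate $startUrl"
$lnk.WorkingDirectory = Split-Path $edgeExe
$lnk.Description      = 'Opens Office.com in an InPrivate window'
$lnk.Save()

# 2. Machine-wide policy so Edge windows opened any other way are also InPrivate.
#    InPrivateModeAvailability: 0 = available, 1 = disabled, 2 = forced.
if (-not (Test-Path $policyKey)) {
    New-Item -Path $policyKey -Force | Out-Null
}
New-ItemProperty -Path $policyKey -Name 'InPrivateModeAvailability' `
    -Value 2 -PropertyType DWord -Force | Out-Null

# 3. Read both settings back so a deployment log shows what was applied.
$applied = (Get-ItemProperty -Path $policyKey).InPrivateModeAvailability
$saved   = $shell.CreateShortcut($shortcut)
[pscustomobject]@{
    Shortcut                  = $shortcut
    Target                    = $saved.TargetPath
    Arguments                 = $saved.Arguments
    InPrivateModeAvailability = $applied
}
```

After it runs, `edge://policy` on the workstation should list `InPrivateModeAvailability` with the value 2; test the sign-in behaviour against office.com on one kiosk before rolling it out.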