Forum Discussion
pvlier
Oct 11, 2021
Copper Contributor
Cannot login to Edge in AD hybrid setup with Azure AD and roaming profiles
Situation: Server 2019 with local domains and Azure AD Connect to MS365 tenant. DC contains custom suffix that matches primary domain. 50+ users that work on multiple computers in the company have ...
Henno_Keers
Oct 14, 2021
Iron Contributor
Hi,
We have been struggling with the above issue since we have been using Edge Chromium (version 80).
We had a case open with Microsoft in February last year, just before lockdown.
It was getting clearer that what we wanted, AAD logon and Azure logon at the same time, was going to be a challenge.
To make things more complicated: we are using VMware DEM for roaming data on managed on-prem systems and virtual machines.
This gives a bit more flexibility but a lot more reverse engineering and, if you are not careful, finger-pointing between MS and VM.
We ran into the above issue (no logon prompt coming up in Edge) with the introduction of Windows 10 20H2. Before that we had 1909, which did not have the issue.
Running Edge in Compat mode or with the --oneauth parameter is a workaround.
The problem can be seen on edge://signin-internals/, where you get token errors for a given Account ID when things are not right.
This is where the complexity starts. On on-prem managed systems the Account ID is the same as the AAD OID Guid.
On Intune laptops the Account ID is different from the OID.
With the --oneauth parameter the authentication info is stored in LocalAppData\Onauth, in files with the same name as the OID. Without the parameter these files are not used, but we have not found (yet) where they are kept.
We did find out that deleting the whole Windows profile (lots of DEM zip files) resets it all; then you are prompted by Edge for a logon, and it keeps the settings.
That is our status so far.
Regards, Henno
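The check Henno describes, comparing the Account ID that edge://signin-internals/ complains about with the AAD object ID and with the file names in the OneAuth cache folder, can be scripted for the helpdesk. The following PowerShell is an added example written for this thread, not code from Henno, Microsoft or VMware. It assumes the cache folder is `LocalAppData\Onauth` exactly as named in the post (verify the path on your own build), and that you already know the user's AAD object ID (for instance from the Azure portal); the script only reads and reports, it does not delete anything.

```powershell
# Added example (not from the thread): list the OneAuth cache files named after the
# AAD object ID and report whether the expected OID has a matching file.
param(
    # Assumption: the user's AAD object ID, looked up out of band (e.g. Azure portal).
    [Parameter(Mandatory)] [guid] $ExpectedOid,
    # Folder name as quoted in the post; confirm it on your Edge/Windows build.
    [string] $CachePath = (Join-Path $env:LOCALAPPDATA 'Onauth')
)

if (-not (Test-Path -LiteralPath $CachePath)) {
    Write-Warning "No OneAuth cache folder at $CachePath (is Edge running with --oneauth?)."
    return
}

$files = Get-ChildItem -LiteralPath $CachePath -File

# One row per cache file: name, last write time, and whether its base name equals the OID.
$report = foreach ($f in $files) {
    [pscustomobject]@{
        File       = $f.Name
        LastWrite  = $f.LastWriteTime
        MatchesOid = ($f.BaseName -ieq $ExpectedOid.Guid)
    }
}
$report | Format-Table -AutoSize

if (-not ($report | Where-Object MatchesOid)) {
    # No file carries the expected OID: compare against the Account ID on edge://signin-internals/
    # before deciding whether the roaming profile needs to be reset.
    Write-Warning "No cache file is named after OID $ExpectedOid; check the Account ID on edge://signin-internals/."
}
```

Run it in the affected user's session (`.\Check-OneAuthCache.ps1 -ExpectedOid <user OID>`), since `$env:LOCALAPPDATA` must resolve to that user's roamed profile; on Intune-managed laptops, where the post notes the Account ID differs from the OID, a warning from this script is expected rather than a fault.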