Forum Discussion

Johannes Goerlich's avatar
Johannes Goerlich
Brass Contributor
Aug 05, 2022

Enable implicit sign-in

I tried to get an automatically created work profile on my MS Edge using the 'Enable implicit sign-in' policy. I'm logged on to the PC with my work AAD account. I deleted all my profiles closed the ...
Johannes Goerlich's avatar
Johannes Goerlich
Brass Contributor
Aug 08, 2022

Kelly_Y 

Hi @Kelly_Y
the description reads:
"If you enable or don't configure this setting, implicit sign-in will be enabled, Edge will attempt to sign the user into their profile based on what and how they sign in to their OS."

 

Independent from wether I enabled or disable the policy, it always (just) recommends to use my OS account for login:

(browser was restarted of course)

 

Indeed, there is no enforcement or automated account creation.

 

Enabling ImplicitSignInEnabled is a precondition for ConfigureOnPremisesAccountAutoSignIn and NonRemovableProfileEnabled, therefore I'm wondering what exactly is affected by this policy.

 

At https://docs.microsoft.com/en-us/deployedge/microsoft-edge-security-identity#automatic-sign-in it says generally "The device is hybrid/AAD-J: ... The user gets automatically signed in with their Azure AD account."

 

BR,

Joe

Kelly_Y's avatar
Kelly_Y
Icon for Microsoft rankMicrosoft
Aug 08, 2022

Johannes Goerlich Just checking, have you configured the BrowserSignin policy to 'Disable browser sign-in'?  This would cause the policy to have no effect.  

 

Also you mentioned, ConfigureOnPremisesAccountAutoSignIn and NonRemovableProfileEnabled, they won't take effect if ImplicitSignInEnabled is disabled.  

 

I'm not quite sure what your specific goals are but it appears that there are a lot of Identity questions right now :smile:.  I would recommend either reaching out FastTrack or Support, they would be able to work with you one on one and make sure MS Edge is set up and configured for your specific needs.  Thanks! 

 

-Kelly

  • mikey365's avatar
    mikey365
    Brass Contributor
    Oct 19, 2022

    You are on the Edge team and you are not sure her specific goal??? It's quite obvious what her goal is and she said it many times: Have Edge automatically sign in the user's profile into the browser. Your description of the setting is the opposite of what Intune/Endpoint Manager says:

    "If you enable or don't configure this setting, implicit sign-in will be enabled, Edge will attempt to sign the user into their profile based on what and how they sign in to their OS. If you disable this setting, implicit sign-in will be disabled."

    I can also confirm the setting doesn't work as described.

  • Johannes Goerlich's avatar
    Johannes Goerlich
    Brass Contributor
    Aug 08, 2022

    Kelly_Y 

     

    BrowserSignIn is configured to 'Enable browser sign-in'.

     

    I try to understand what a policy is made for by reading its description :smile: and then verify this by testing.
    Setting up the browser to enterprise needs is not as easy as one could think, because browser sign-in combines various feature like sync and different SSO capabilities which differ based on Windows Account type and can be controlled by settings, domain patterns and built-in automatisms, which sometimes interfere each other.

     

    At the moment I couldn't get my user automatically signed in to a work profile. Even with BrowserSignIn set to "Force users to sign-in to use the browser". Even if I have only one profile and am logged on to Windows with a work account, I always have to manually select an account:

     

    Whether ImplicitSignInEnabled is set to Enabled or Disabled - same behavior. 


    If i remember correctly, when I was testing this stuff with v85, Edge behaved differently and i was automatically signed-in.

     

    Best,
    Joe

     

    P.S.: I'm currently updating our internal policy as well as contributing to the next version of the CIS benchmark for Microsoft Edge.

Resources