Forum Discussion
New tab logo - GPO
- Jan 16, 2020
LBXComputers thanks for checking in! If you're using the Enterprise new tab experience then you can configure your company logo to appear on that page via the online admin center. You can read more about how to do that here: https://docs.microsoft.com/en-us/office365/admin/setup/customize-your-organization-theme?view=o365-worldwide
Please let me know if this is a good solution for you, or additional feedback if not. Thanks!
OliverTeglhus Enterprise new tab experience is only enabled when you sign in with Azure Active Directory (AAD). Is your work account an AAD account, or an AD account? Thanks!
We are using hybrid AD/AAD as we have on-premises AD but Office 365 with SSO.
- LBXComputers, Jan 22, 2020, Brass Contributor
I put it at computer level. I’ll try at user level tomorrow.
- TI_Master, Jan 22, 2020, Copper Contributor
LBXComputers What I found is that applying the GPO cleared the existing DOMAIN\User profile and allowed me to sign in to an AAD instead. But the GPO had to be applied to the PC first for this to happen.
Be sure to do it in both the Computer and User admin templates on the GPO; it may not work correctly if it's not on both.
- LBXComputers, Jan 22, 2020, Brass Contributor
The GPO method fixes it for a new logon to that PC. So the primary profile is the correct user@domain.com logon. But not fixed it yet on my primary PC with an established local profile. We use SSO for O365 so Edge should sign in the same automatically, right?
- TI_Master, Jan 22, 2020, Copper Contributor
Avi Vaid I can tell you that it is choosing the DOMAIN\User for the default profile, even though I (and several other users) had AAD accounts added to our PCs. We are signing in to the PC as DOMAIN\User, and that one gets auto-selected regardless of the presence of the AAD accounts. With the GPO it will instead allow me to pick the AAD account for the default profile.
- Avi Vaid, Jan 22, 2020, Former Employee
TI_Master Hmm, that's not exactly the same thing as far as I understand. Since your PC is just domain joined, there may not be an AAD present on the device. If that's the case, Edge will use the on-prem domain account to automatically sign in and this is expected. If there is an AAD account present (from AAD-J, Hybrid join, or AAD sign in to another Microsoft app without selecting "This app only"), Edge should be using the AAD to automatically sign in.
Thanks for sharing how you use GPO to get around the on-prem sign in. Let me know how we may be able to make this configuration easier for admins like you that have a domain joined environment but don't want the on-prem sign in since you have O365.
- TI_Master, Jan 22, 2020, Copper Contributor
Avi Vaid I am experiencing the same thing. My PC is locally domain joined, and I'm signed in to it with a domain account. But we are also on Office 365, so AAD is available. My suspicion is that if my PC were initially AAD joined instead of local domain joined, the problem might not occur, but I'm not certain of that.
My post (a few posts up from this one) details how I used GPOs to get around this issue. But it was impacting all of our end users.
- Avi Vaid, Jan 22, 2020, Former Employee
LBXComputers You mentioned that your environment is hybrid AD joined and you are yet getting domain/username automatically signed in rather than your AAD account? That's pretty strange and we'd love to work with you to understand why this is happening. The intended behavior is that you should get signed in with your AAD. I'll message you privately to look into this. If anyone else is in this situation, please let me know.
- TI_Master, Jan 22, 2020, Copper Contributor
LBXComputers I built a GPO to only allow sign-ins to Edge from certain domains. The end result is that the DOMAIN\User is blocked from being the default profile, and the user can select their Office 365 account as their signed in profile (and therefore sync). With a little work on the GPO, I can probably allow just about everything except domain\user format, so that users can use their personal Microsoft account for a personal profile, in addition to the work one. We have multiple domain names on our email, so I had to use a regex expression as it is to make this work.
But right now, I block auto profile sign-in completely during install, and only allow my end users to sign in with an Office 365 AAD account as their default profile.
The specific GPO I use to accomplish this is "Restrict which accounts can be used as Microsoft Edge primary accounts", mine is set to ".*@(domain1.com|domain2.com|domain3.com)" without the quotes. Some fancy "regex-ing" could probably make this more universal and still block the use of domain\username format, and prevent the AD account from grabbing the default profile.
I also disabled "Configure whether a user always has a default profile automatically signed in with their work or school account" to allow deletion or signing out of the default profile.
ChadRoth it would be nice if Edge were smart enough to not try and use the DOMAIN\User ID as the default profile, since that account can't sync. Since it's the default profile, it makes life pretty annoying having to switch profiles all the time. My workaround works great, but most users won't know how to do this.
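
The sign-in pattern quoted in the post above, checked against sample account names. This is an added example, not part of the original thread or Microsoft's code. It assumes the policy has to match the whole account name, uses Python's `re` as a stand-in for Edge's regex engine, and treats `ESCAPED` and `ANY_UPN` as hypothetical variants; the sample accounts are constructed.

```python
import re

# Pattern exactly as quoted in the post (dots left unescaped).
POSTED = r".*@(domain1.com|domain2.com|domain3.com)"
# Same allow-list with the dots escaped so they only match a literal '.'.
ESCAPED = r".*@(domain1\.com|domain2\.com|domain3\.com)"
# Hypothetical "more universal" variant: any user@host.tld form,
# but nothing containing a backslash (DOMAIN\User format).
ANY_UPN = r"[^\\@\s]+@[^\\@\s]+\.[^\\@\s]+"

# Constructed sample identities, not taken from the thread.
SAMPLES = [
    r"DOMAIN\User",              # on-prem account format
    "user@domain1.com",          # work account, listed domain
    "user@domain2.com",          # work account, second listed domain
    "user@domain1xcom",          # only matches if '.' is a wildcard
    "user@outlook.com",          # personal account
    "user@domain1.com.example",  # listed domain as a prefix only
]


def allowed(pattern, account):
    """True if the pattern accepts the account.

    Assumption: the whole account name must match, hence fullmatch().
    """
    return re.fullmatch(pattern, account) is not None


def evaluate(pattern):
    """Map every sample account to its allow/deny result for one pattern."""
    return {account: allowed(pattern, account) for account in SAMPLES}


if __name__ == "__main__":
    patterns = {"POSTED": POSTED, "ESCAPED": ESCAPED, "ANY_UPN": ANY_UPN}
    for name, pattern in patterns.items():
        print(name, pattern)
        for account, ok in evaluate(pattern).items():
            print("   ", "allow" if ok else "deny ", account)
```

All three patterns reject `DOMAIN\User` because it contains no `@`; the posted pattern differs from the escaped one only in also accepting `user@domain1xcom`.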