Forum Discussion

Merlin
Copper Contributor
Jun 07, 2023

Edge iOS authentication loop on Intune-managed device with Microsoft Enterprise SSO plug-in enabled

Hello Team,

I'm experiencing a pretty weird issue with Edge on an iPhone 12 (16.5) enrolled in Intune with user affinity. I have an Azure AD user logged into the browser with sync enabled. The user is logged in to all Microsoft apps using the Microsoft Enterprise SSO plug-in for Apple devices. Here's a .gif of the issue:

Whenever I attempt to log in to any website that uses Azure AD as its IdP, the browser gets stuck at the login.microsoftonline.com endpoint and eventually enters what appears to be a loop with the Microsoft Authenticator app. This behavior is exclusive to Edge. All other Microsoft apps authenticate the user successfully using the SSO plug-in.

Here are the Intune management settings enabled on the device:

  • Device configuration policy settings
    • Single sign-on app extension is enabled
      • SSO app extension type: Azure AD
      • Additional configuration for single sign-on app extension
  • App configuration policy settings for Edge
  • App protection policy for all Microsoft apps

In addition to those settings, I do also have Safari hidden via a device restrictions policy. The goal is for all users to use Edge only.


Any idea what might be driving this issue?


    alexanderchute
    Copper Contributor

    Merlin Seems to be a bug. Thought they would fix it with them going GA with the extension.
    Adding this under "additional configuration" solves it for the time being:

      WGravatt
      Copper Contributor

      Merlin

      Did you come up with a better solution which didn't involve blocking the use of Edge for SSO? As I am facing the same issue. Or have you got any other links or pages with some other options? I'm desperately trying to streamline the user experience, always 2 steps forward, 1 step back...

        Merlin
        Copper Contributor

        nafanja alexanderchute WGravatt,


        I was able to fix this issue. Here's what I did:

        • In the automatic device enrollment (ADE) profile, I set up Just in Time Registration. This replaces the Intune Company Portal app as the authentication method for ADE in Intune.
        • In the Device features configuration profile, I removed all additional configurations from the Single sign-on app extension configuration.
        • I then added the following additional configurations:

          Key                               Type      Value
          AppPrefixAllowList                String    com.apple.,com.cisco.
          browser_sso_interaction_enabled   Integer   1
          disable_explicit_app_prompt       Integer   1
          device_registration               String    {{DEVICEREGISTRATION}}

        Altogether, this enables Just in Time registration for ADE and allows the SSO extension to work seamlessly. The user must login to the device using modern authentication during the OOBE and then must login to a managed Microsoft application to enable SSO. Microsoft recommends having the user login to Microsoft Teams first "because it's integrated with the latest identity libraries and will provide the most streamlined experience from the user's home screen".


        I think this is actually a better user experience for OOBE device enrollment and for SSO. So, it solves two problems at once for us. When using the Company Portal app as the authentication method, we were having issues with the device freezing after OOBE and requiring a forced restart to complete enrollment. Just in Time Registration solved that problem.
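The key/value set from Merlin's working profile, written out as an added example that is not from the thread: a small Python helper that packages the SSO app extension "additional configuration" as an Apple plist payload and checks that each key carries the type Intune expects (entering the Integer flags as strings, or an allow-list prefix without its trailing dot, are easy slips). The extension identifier, team identifier and login URL list are assumed from Microsoft's published values for the Enterprise SSO plug-in, not taken from the thread; everything else comes from Merlin's table.

```python
import plistlib

# Values from the working "additional configuration" table in the thread.
# {{DEVICEREGISTRATION}} is an Intune token that Intune substitutes at deploy time.
EXTENSION_DATA = {
    "AppPrefixAllowList": "com.apple.,com.cisco.",
    "browser_sso_interaction_enabled": 1,
    "disable_explicit_app_prompt": 1,
    "device_registration": "{{DEVICEREGISTRATION}}",
}

# The Type column Intune expects for each key (String vs Integer).
EXPECTED_TYPES = {
    "AppPrefixAllowList": str,
    "browser_sso_interaction_enabled": int,
    "disable_explicit_app_prompt": int,
    "device_registration": str,
}

def validate_extension_data(data):
    """Return a list of problems; an empty list means the config is well-formed."""
    problems = []
    for key, expected in EXPECTED_TYPES.items():
        if key not in data:
            problems.append(f"missing key: {key}")
            continue
        value = data[key]
        # bool is a subclass of int, so reject it explicitly rather than treat True as 1.
        if isinstance(value, bool) or not isinstance(value, expected):
            problems.append(f"{key}: expected {expected.__name__}, got {type(value).__name__}")
    for flag in ("browser_sso_interaction_enabled", "disable_explicit_app_prompt"):
        if isinstance(data.get(flag), int) and data[flag] not in (0, 1):
            problems.append(f"{flag}: must be 0 or 1")
    prefixes = data.get("AppPrefixAllowList")
    if isinstance(prefixes, str):
        for prefix in prefixes.split(","):
            # A prefix without its trailing dot also matches unrelated bundle IDs
            # such as "com.applefoo", which is wider than intended.
            if not prefix.endswith("."):
                problems.append(f"AppPrefixAllowList prefix lacks trailing '.': {prefix!r}")
    return problems

def build_sso_payload(extension_data):
    """Wrap ExtensionData in Apple's com.apple.extensiblesso payload (assumed Microsoft identifiers)."""
    return {
        "PayloadType": "com.apple.extensiblesso",
        "ExtensionIdentifier": "com.microsoft.azureauthenticator.ssoextension",  # assumed
        "TeamIdentifier": "UBF8T346G9",  # assumed
        "Type": "Redirect",
        "URLs": ["https://login.microsoftonline.com", "https://login.microsoft.com",
                 "https://sts.windows.net"],  # assumed from Microsoft's published list
        "ExtensionData": dict(extension_data),
    }

def to_plist_xml(payload):
    """Serialize the payload to plist XML, which is what lands inside a .mobileconfig."""
    return plistlib.dumps(payload).decode()
```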
