cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Home

Seamless SSO - IE - Enhanced Protected mode

%3CLINGO-SUB%20id%3D%22lingo-sub-753595%22%20slang%3D%22en-US%22%3ESeamless%20SSO%20-%20IE%20-%20Enhanced%20Protected%20mode%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-753595%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fhybrid%2Ftshoot-connect-sso%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fhybrid%2Ftshoot-connect-sso%3C%2FA%3E%3C%2FP%3E%3CP%3Etrying%20to%20keep%20IE%20locked%20down%20but%20still%20allow%20seamless%20sso%20for%20my%20on-premise%20users.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThere%20are%20a%20few%20different%20GPOs%20for%20Enhanced%20Protection.%26nbsp%3B%3C%2FP%3E%3CP%3EWhat%20is%20not%20compatible.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI'm%20currently%20testing%20if%20enhanced%20protection%20is%20disabled%20on%20the%20intranet%20zone%20only.%26nbsp%3B%3C%2FP%3E%3CP%3Ebut%20enabled%20in%20advanced%20settings%20and%20internet%20zone.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-753595%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20AD%20seamless%20sso%20ie%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EIdentity%20Management%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-754248%22%20slang%3D%22en-US%22%3ERe%3A%20Seamless%20SSO%20-%20IE%20-%20Enhanced%20Protected%20mode%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-754248%22%20slang%3D%22en-US%22%3E%3CP%3ENot%20sure%20what%20the%20question%20is%20here%3F%20If%20you%20mean%20you%20want%20more%20information%20about%20the%20specific%20restrictions%2Flimitations%20of%20using%20Enhanced%20Protection%20mode%2C%20best%20ask%20for%20clarification%20in%20the%20feedback%20form%20under%20the%20article%20you%20linked%20above.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-754540%22%20slang%3D%22en-US%22%3ERe%3A%20Seamless%20SSO%20-%20IE%20-%20Enhanced%20Protected%20mode%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-754540%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F58%22%20target%3D%22_blank%22%3E%40Vasil%20Michev%3C%2FA%3E%26nbsp%3Bthe%20question%20is%20what%20are%20the%20supported%20settings.%20there%20are%20multiple%20places%20to%20enable%20protected%20mode.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-759577%22%20slang%3D%22en-US%22%3ERe%3A%20Seamless%20SSO%20-%20IE%20-%20Enhanced%20Protected%20mode%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-759577%22%20slang%3D%22en-US%22%3E%3CP%3Ecurrently%20the%20minimum%20working%20configuration%20for%20this%20is%3A%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CPRE%3EIE%20Advanced%20Tab%3A%20%0AEnable%2064%20bit%20processes%20for%20Enhanced%20Protected%20Mode%3A%20Enabled%0AEnable%20Enhanced%20Protected%20Mode%3A%20Disabled%0A%0AInternet%20Zone%3A%20Enable%20Protected%20Mode%3A%20Enabled%0AIntranet%20Zone%3A%20Enable%20Protected%20Mode%3A%20Disabled%3C%2FPRE%3E%3CP%3Eopened%20a%20support%20case%20to%20see%20if%20there%20are%20other%20work%20arounds%20or%20options%20to%20provide%20users%20sso%20who%20are%20on%20the%20domain.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Eif%20they%20suggest%20hybrid%20join%20i%20will%20need%20to%20ask%20about%20support%20for%20VDI%20environments.%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fdevices%2Fhybrid-azuread-join-plan%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fdevices%2Fhybrid-azuread-join-plan%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
gd-29
gd-29
Occasional Contributor

‎07-13-2019 11:52 AM - edited ‎07-13-2019 11:53 AM

‎07-13-2019 11:52 AM - edited ‎07-13-2019 11:53 AM

Seamless SSO - IE - Enhanced Protected mode

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/tshoot-connect-sso

trying to keep IE locked down but still allow seamless sso for my on-premise users.

 

There are a few different GPOs for Enhanced Protection. 

What is not compatible. 

 

I'm currently testing if enhanced protection is disabled on the intranet zone only. 

but enabled in advanced settings and internet zone. 

 

219 Views
0 Likes
3 Replies
Reply
3 Replies
Highlighted
Vasil Michev

‎07-14-2019 10:37 PM

‎07-14-2019 10:37 PM

Re: Seamless SSO - IE - Enhanced Protected mode

Not sure what the question is here? If you mean you want more information about the specific restrictions/limitations of using Enhanced Protection mode, best ask for clarification in the feedback form under the article you linked above.

0 Likes
Reply
gd-29

‎07-15-2019 03:38 AM

‎07-15-2019 03:38 AM

Re: Seamless SSO - IE - Enhanced Protected mode

@Vasil Michev the question is what are the supported settings. there are multiple places to enable protected mode.

0 Likes
Reply
gd-29

‎07-17-2019 01:10 PM

‎07-17-2019 01:10 PM

Re: Seamless SSO - IE - Enhanced Protected mode

currently the minimum working configuration for this is: 

 

IE Advanced Tab: 
Enable 64 bit processes for Enhanced Protected Mode: Enabled
Enable Enhanced Protected Mode: Disabled

Internet Zone: Enable Protected Mode: Enabled
Intranet Zone: Enable Protected Mode: Disabled

opened a support case to see if there are other work arounds or options to provide users sso who are on the domain.

 

if they suggest hybrid join i will need to ask about support for VDI environments. 

https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan

 

 

0 Likes
Reply
Related Conversations
Tabs and Dark Mode
 cjc2112 in Discussions on 09-18-2019
46 Replies
What is Canary ring in Windows insider program? and how do we get them?
 HotCakeX in Windows Insider Program on 09-27-2019
9 Replies
flashing a white screen while open new tab
 Deleted in Discussions on 10-05-2019
14 Replies
The announcement regarding self-service purchase capabilities for Power Platform products??
 Kelly E in Office 365 on 10-21-2019
64 Replies
How to Prevent Teams from Auto-Launch
 chenrylee in Microsoft Teams on 06-27-2019
29 Replies
Stable version of Edge insider browser
 HotCakeX in Discussions on 10-12-2019
35 Replies