Home

Seamless SSO - IE - Enhanced Protected mode

%3CLINGO-SUB%20id%3D%22lingo-sub-753595%22%20slang%3D%22en-US%22%3ESeamless%20SSO%20-%20IE%20-%20Enhanced%20Protected%20mode%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-753595%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fhybrid%2Ftshoot-connect-sso%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fhybrid%2Ftshoot-connect-sso%3C%2FA%3E%3C%2FP%3E%3CP%3Etrying%20to%20keep%20IE%20locked%20down%20but%20still%20allow%20seamless%20sso%20for%20my%20on-premise%20users.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThere%20are%20a%20few%20different%20GPOs%20for%20Enhanced%20Protection.%26nbsp%3B%3C%2FP%3E%3CP%3EWhat%20is%20not%20compatible.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI'm%20currently%20testing%20if%20enhanced%20protection%20is%20disabled%20on%20the%20intranet%20zone%20only.%26nbsp%3B%3C%2FP%3E%3CP%3Ebut%20enabled%20in%20advanced%20settings%20and%20internet%20zone.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-753595%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20AD%20seamless%20sso%20ie%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EIdentity%20Management%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-754248%22%20slang%3D%22en-US%22%3ERe%3A%20Seamless%20SSO%20-%20IE%20-%20Enhanced%20Protected%20mode%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-754248%22%20slang%3D%22en-US%22%3E%3CP%3ENot%20sure%20what%20the%20question%20is%20here%3F%20If%20you%20mean%20you%20want%20more%20information%20about%20the%20specific%20restrictions%2Flimitations%20of%20using%20Enhanced%20Protection%20mode%2C%20best%20ask%20for%20clarification%20in%20the%20feedback%20form%20under%20the%20article%20you%20linked%20above.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-754540%22%20slang%3D%22en-US%22%3ERe%3A%20Seamless%20SSO%20-%20IE%20-%20Enhanced%20Protected%20mode%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-754540%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F58%22%20target%3D%22_blank%22%3E%40Vasil%20Michev%3C%2FA%3E%26nbsp%3Bthe%20question%20is%20what%20are%20the%20supported%20settings.%20there%20are%20multiple%20places%20to%20enable%20protected%20mode.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-759577%22%20slang%3D%22en-US%22%3ERe%3A%20Seamless%20SSO%20-%20IE%20-%20Enhanced%20Protected%20mode%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-759577%22%20slang%3D%22en-US%22%3E%3CP%3Ecurrently%20the%20minimum%20working%20configuration%20for%20this%20is%3A%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CPRE%3EIE%20Advanced%20Tab%3A%20%0AEnable%2064%20bit%20processes%20for%20Enhanced%20Protected%20Mode%3A%20Enabled%0AEnable%20Enhanced%20Protected%20Mode%3A%20Disabled%0A%0AInternet%20Zone%3A%20Enable%20Protected%20Mode%3A%20Enabled%0AIntranet%20Zone%3A%20Enable%20Protected%20Mode%3A%20Disabled%3C%2FPRE%3E%3CP%3Eopened%20a%20support%20case%20to%20see%20if%20there%20are%20other%20work%20arounds%20or%20options%20to%20provide%20users%20sso%20who%20are%20on%20the%20domain.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Eif%20they%20suggest%20hybrid%20join%20i%20will%20need%20to%20ask%20about%20support%20for%20VDI%20environments.%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fdevices%2Fhybrid-azuread-join-plan%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fdevices%2Fhybrid-azuread-join-plan%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
gd-29
Occasional Contributor

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/tshoot-connect-sso

trying to keep IE locked down but still allow seamless sso for my on-premise users.

 

There are a few different GPOs for Enhanced Protection. 

What is not compatible. 

 

I'm currently testing if enhanced protection is disabled on the intranet zone only. 

but enabled in advanced settings and internet zone. 

 

3 Replies

Not sure what the question is here? If you mean you want more information about the specific restrictions/limitations of using Enhanced Protection mode, best ask for clarification in the feedback form under the article you linked above.

@Vasil Michev the question is what are the supported settings. there are multiple places to enable protected mode.

Highlighted

currently the minimum working configuration for this is: 

 

IE Advanced Tab: 
Enable 64 bit processes for Enhanced Protected Mode: Enabled
Enable Enhanced Protected Mode: Disabled

Internet Zone: Enable Protected Mode: Enabled
Intranet Zone: Enable Protected Mode: Disabled

opened a support case to see if there are other work arounds or options to provide users sso who are on the domain.

 

if they suggest hybrid join i will need to ask about support for VDI environments. 

https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan

 

 

Related Conversations
Tabs and Dark Mode
cjc2112 in Discussions on
46 Replies
Extentions Synchronization
Deleted in Discussions on
3 Replies
Stable version of Edge insider browser
HotCakeX in Discussions on
35 Replies
How to Prevent Teams from Auto-Launch
chenrylee in Microsoft Teams on
30 Replies
flashing a white screen while open new tab
Deleted in Discussions on
14 Replies
Security Community Webinars
Valon_Kolica in Security, Privacy & Compliance on
13 Replies