AAD account logon data: where does Edge store this?


Some explanation is valid here:

We are currently preparing to roll out Edge Chromium in the coming weeks. In January we ran into a problem that Edge would try to log on a profile using domain\user, whereas we have a UPN of uers@han.nl. A couple of GPO settings fixed that, but it went on.

On our managed desktops we roam our user data using VMware UEM; we also created a setting for Edge, which transfers it to a zip file while logging off. Local profiles are deleted afterwards.

Info on how we did this is here: https://www.avanite.com/blog/roaming-edge-chromium

What we found: the UEM config is not complete.

We have 2 variants of users that are stuck:

* Users that cancelled the first run wizard and get a "Profile 1" profile. If they want to log in with their Work account they get the message:

We can't sign you in right now
The Microsoft Edge Team has been notified of this issue.
Please try again later. Error code: -2146893811

This is with Edge 79 and 80.

* Users that went through the first run wizard and successfully signed in could do this only once. After logging off the local profile is gone, and after logging in the user sees his/her picture in the menu bar, but it does not sync and cannot be switched on. Sync is greyed out.

If they remove the profile they end up like the other group above.

I investigated the issue, trying to get Windows to sync it using Enterprise State Roaming (https://docs.microsoft.com/nl-nl/azure/active-directory/devices/enterprise-state-roaming-overview), but that seems to be deliberately broken by Microsoft on domain-joined systems:

https://social.technet.microsoft.com/Forums/windows/en-US/e5926328-5f9e-4317-9fb5-8d7f55dec68d/quots...

So syncing the security settings of Edge with MS solutions seems a dead end, as with UEM.


Does anyone have a working solution?

Does anyone know where the AAD logon / Edge data is stored?


Thanks in advance.... HELP!!!

Henno


2 Replies

Ok. Update:

We worked out that the data for logon to the Microsoft account is destroyed when UEM puts back the profile data.

If we do not do this and remove the Windows profile (as is done on our VMware Horizon machines and most Citrix solutions) and log on again, then Edge presents users with the first run wizard, which works.

But that means that users have to go through this every time, that is stupid.

Has someone worked out how to implement Edge in an environment where Windows profiles are not preserved, with a working Azure / Microsoft logon that is preserved??

This is not rocket science, normal stuff in an enterprise environment.

Come on Microsoft Edge Team, we need solutions..!


Regards, Henno

Update 2.

We figured out that Edge fails when MFA is used for authentication of the Microsoft account (Office 365).

Most of the time it fails to recognize that this is needed. edge://sync-internals/ shows that all the connection info is not available.

Pity, this is a major stumbling block for a roll-out, since users cannot fix it themselves either.

We are going to file a support ticket via premium support tomorrow morning.


reg, Henno