cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

AAD BrowserSignin on untrusted device and SSO to office.com

Johannes Goerlich
Brass Contributor

‎Sep 02 2020 04:28 AM - edited ‎Oct 06 2020 08:04 AM

‎Sep 02 2020 04:28 AM - edited ‎Oct 06 2020 08:04 AM

AAD BrowserSignin on untrusted device and SSO to office.com

Hello @Deleted and @Avi Vaid

 

Another issue related to https://techcommunity.microsoft.com/t5/discussions/password-protection-for-profiles/m-p/1497836?search-action-id=218356426586&search-result-uid=1497836 which i'm struggling with:

 

From my experience browser profiles are always signedin after startup of Edge, even AAD work profiles.

If it is not forbidden by Conditional Access as described in https://techcommunity.microsoft.com/t5/enterprise/azure-ad-conditional-access-for-edge-profile-sign-in/m-p/1538339 to logon to Edge on untrusted devices it would be possible a user creates a work profile using his AAD credentials +MFA and suffer from SSO, for example when accessing office.com.

If the user doesn't log out from his work profile he will still be logged on after restart of Edge and still can suffer from SSO to office.com without re-authentication.

 

I couldn't find any information if there is some kind of timeout for re-authentication for a logged in browser profile which would help to limit the impact of the described scenario besides enabling conditional access rules (and for sure locking your screen whenever you leave your computer).

Could you help me out?

 

Edit: MS Edge on iOS seems to behave different to Edge on Win10. After signin into my work profile on iOS i still have to authenticate when accessing office.com. Maybe the SSO expirience is not fully supported there.

 

Best regards

Joe

 

2,064 Views
0 Likes
3 Replies
Reply
3 Replies

‎Sep 04 2020 05:39 PM

‎Sep 04 2020 05:39 PM

Re: AAD BrowserSignin on untrusted device and SSO to office.com

@Johannes Goerlich Thanks for reaching out! We've looped in the Enterprise team and will let you know if they have any insights to share.

 

Fawkes (they/them)
Program Manager & Community Manager - Microsoft Edge

0 Likes
Reply
Johannes Goerlich

‎Oct 06 2020 08:05 AM

‎Oct 06 2020 08:05 AM

Re: AAD BrowserSignin on untrusted device and SSO to office.com

@Deleted any news on that?
0 Likes
Reply
Kelly_Y

‎Oct 06 2020 01:17 PM

‎Oct 06 2020 01:17 PM

Re: AAD BrowserSignin on untrusted device and SSO to office.com

@Johannes Goerlich  Hello!  Thanks for reaching out!  We've discussed your question with the team and the scenario described is to be expected and is by design.  

 

To block sign in from untrusted devices, the team recommends using Conditional Access, like you've mentioned in your post.  Please see our documentation for more information: https://docs.microsoft.com/en-us/deployedge/ms-edge-security-conditional-access.  Thanks! 

 

-Kelly

0 Likes
Reply