AAD BrowserSignin on untrusted device and SSO to office.com


Hello @Deleted and @Avi Vaid


Another issue related to https://techcommunity.microsoft.com/t5/discussions/password-protection-for-profiles/m-p/1497836?search-action-id=218356426586&search-result-uid=1497836 which I'm struggling with:


From my experience browser profiles are always signed in after startup of Edge, even AAD work profiles.

If it is not forbidden by Conditional Access, as described in https://techcommunity.microsoft.com/t5/enterprise/azure-ad-conditional-access-for-edge-profile-sign-in/m-p/1538339, to log on to Edge on untrusted devices, it would be possible for a user to create a work profile using his AAD credentials + MFA and suffer from SSO, for example when accessing office.com.

If the user doesn't log out from his work profile, he will still be logged on after a restart of Edge and can still suffer from SSO to office.com without re-authentication.


I couldn't find any information on whether there is some kind of timeout for re-authentication for a logged-in browser profile, which would help to limit the impact of the described scenario besides enabling Conditional Access rules (and, for sure, locking your screen whenever you leave your computer).

Could you help me out?


Edit: MS Edge on iOS seems to behave differently from Edge on Win10. After signing into my work profile on iOS I still have to authenticate when accessing office.com. Maybe the SSO experience is not fully supported there.


Best regards

Joe


3 Replies

@Johannes Goerlich Thanks for reaching out! We've looped in the Enterprise team and will let you know if they have any insights to share.


Fawkes (they/them)
Program Manager & Community Manager - Microsoft Edge

@Deleted any news on that?

@Johannes Goerlich Hello! Thanks for reaching out! We've discussed your question with the team and the scenario described is to be expected and is by design.


To block sign in from untrusted devices, the team recommends using Conditional Access, like you've mentioned in your post. Please see our documentation for more information: https://docs.microsoft.com/en-us/deployedge/ms-edge-security-conditional-access. Thanks!


-Kelly