Cannot login to Edge in AD hybrid setup with Azure AD and roaming profiles

Situation:

  • Server 2019 with local domains and Azure AD Connect to an MS365 tenant
  • DC contains a custom suffix that matches the primary domain
  • 50+ users that work on multiple computers in the company have a local domain account and an MS365 account with a Business Premium license (cloud users synced from on-premises AD)
  • Users log on to the local domain using their MS365 email address; single sign-on kicks in so they can log in to MS sites without entering credentials

Problem

The problem is the following:

When a roaming user logs in at a computer for the first time they can open https://portal.office.com without entering credentials, so SSO is working. Then they open Edge and try to log in using their Azure AD account to set up synchronization. When this succeeds, sync is enabled and favorites in the favorites bar are visible. This also adds a Microsoft account to 'Access work or school' (the local AD is already present). However, more and more users complain that the login button in Edge does nothing (some claim they see the login screen flash very quickly). We have a test lab and replicated the problem. The user logs in with a roaming profile and when opening Edge, nothing seems to happen when clicking the login button.

Workarounds
We searched the internet and found 2 workarounds:

- Kill all Edge processes, delete the Edge folder in AppData and run Edge in Windows 7 compatibility mode. Then we get a login screen and can complete the login. After this Edge resets the compatibility mode itself, so when starting Edge the next time it runs normally. Sync is still working.

- Run Edge with the --force-oneauth parameter. This forces the login screen to appear and we can complete the login and sync is enabled. When we close and run Edge without the parameter, sync and login do not work anymore.

We are running a script to automate the first workaround multiple times a day as users are roaming from computer to computer. So we need to fix this instead of applying workarounds. Could the combination of Edge + Azure account and roaming profiles be a problem? And even if it is, how can we fix this?

Additional info

The testlab computer has the following setup:

Windows 10 build 19043

Edge 94.0.992.47

I tried to create a Microsoft ticket but it seems this needs a paid support contract...
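An added example (not the original poster's script and not anything from Microsoft) of how the first workaround described above can be scripted in PowerShell. It assumes Edge is installed at the default per-machine path, that the user's profile data lives under %LOCALAPPDATA%\Microsoft\Edge\User Data, and that it runs in the affected user's own session, because the compatibility layer is written under HKCU. The profile folder is renamed rather than deleted so the step can be rolled back if sign-in still fails:

```powershell
# Added example, not the poster's own script. Automates the first workaround:
# stop Edge, set the Edge profile folder aside, mark msedge.exe for Windows 7
# compatibility, then start Edge so the sign-in screen appears.
# Assumptions: default per-machine install path, default user data path, and
# the script runs as the affected user (the compat layer lives under HKCU).

$edgeExe  = 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
$userData = Join-Path $env:LOCALAPPDATA 'Microsoft\Edge\User Data'
$layers   = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'

if (-not (Test-Path $edgeExe)) {
    Write-Error "msedge.exe not found at $edgeExe (adjust the path for this install)"
    exit 1
}

# 1. Kill all Edge processes so the profile folder is not locked.
Get-Process -Name 'msedge' -ErrorAction SilentlyContinue | Stop-Process -Force
Start-Sleep -Seconds 2

# 2. Set the Edge profile folder aside (the post deletes it; renaming keeps a
#    copy to roll back to). Favorites come back through sync once sign-in works.
if (Test-Path $userData) {
    $stamp  = Get-Date -Format 'yyyyMMddHHmmss'
    Rename-Item -Path $userData -NewName "User Data.bak-$stamp"
}

# 3. Apply the Windows 7 compatibility layer for msedge.exe. This is the same
#    registry value the Compatibility tab of the exe's properties dialog writes.
if (-not (Test-Path $layers)) {
    New-Item -Path $layers -Force | Out-Null
}
Set-ItemProperty -Path $layers -Name $edgeExe -Value '~ WIN7RTM' -Type String

# 4. Start Edge; the user should now get the sign-in screen and can complete login.
Start-Process -FilePath $edgeExe
```

Because the post notes that Edge clears the compatibility mode itself on its next start, nothing needs to be undone afterwards; the renamed `User Data.bak-*` folders can be removed once the user has confirmed sync is working.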

2 Replies

@pvlier Hello! I'm not sure if you are running into the exact same issue, but we had a previous thread on Tech Community which might be similar.

Users had issues with on-premises sync when they were getting implicit sign-in with their MSA or AAD accounts instead (Edge 86.0.622.58 On-premises Sync Not Working Over VPN With Cached Local Login - Microsoft Tech Comm...). Here is the policy that was created to address the issue: https://docs.microsoft.com/en-us/deployedge/microsoft-edge-policies#onlyonpremisesimplicitsigninenab...

Let us know if this does not help or your scenario is different. Thanks!

-Kelly

Hi,
We have been struggling with the above issue since we have been using Edge Chromium (version 80).
We had a case open with Microsoft in February last year, just before lockdown.
It was getting clearer that what we wanted (AAD logon and Azure logon at the same time) was going to be a challenge.
To make things more complicated: we are using VMware DEM for roaming data on managed on-prem systems and virtual machines.
This gives a bit more flexibility but a lot more reverse engineering and, if you are not careful, finger-pointing between MS and VM.
We ran into the above issue, no logon prompt coming up in Edge, with the introduction of Windows 10 20H2. Before that we had 1909, which did not have the issue.
Running Edge in compat mode or with the --oneauth parameter is a workaround.
The problem can be seen on edge://signin-internals/, where you get token errors for a given Account ID when things are not right.
This is where the complexity starts. On on-prem managed systems the Account ID is the same as the AAD OID Guid.
On Intune laptops the Account ID is different from the OID.
With the --oneauth parameter the authentication info is stored in LocalAppData\OneAuth, in files with the same name as the OID. Without the parameter these files are not used, but we have not found (yet) where they are kept.
We did find out that deleting the whole Windows profile (lots of DEM zip files) resets it all; then you are prompted by Edge for a logon, and it keeps the settings.
That is our status so far.

Regards, Henno