Edge Sync and login to Azure AD

Hi,

 

We are running a terminal server farm based on Server 2019 with Edge version 81. We have an ADFS infrastructure with Azure AD. We want to automate the login process and synchronisation of the favorites for our users.

We are having problems with the following points:

  1. How can we enable auto login for users? They are currently automatically logged in with the Domain\username format. How can we change this to the UPN format?
  2. During the manual login process the user has to answer two questions:
    1. Do you want to sign in with a Microsoft account or with a business account? How can we set this dialog to business only or disable this dialog?
    2. The user has the ability to add the device to Azure AD. How can we disable this dialog?

Thank you for your help

 

Stefan 

8 Replies

@Moelli 

I'll use your points to answer:

1)

You can set this in the user object in your on-prem AD on the Account tab; right beside the account name you can enter @domain.topdomain

 

2)

1) You can't change the dialog box, but you can force, by GPO setting, that the user can only log on with @domain.topdomain

2) I don't know.

 

reg, Henno

Hi,

 

Thanks for your reply, we have already set the UPN logon name in the on-prem AD to the correct domain.

 

 

Best regards

 

Stefan

 

@Moelli 

 

Hi there, were you able to get this configured? We're having the same challenges and I've yet to find the proper way of doing this.

 

Thanks!

@Ed_Gonz 

Hello Ed,

 

We have stopped investigating this issue; we have written an instruction for our users on how to configure the synchronisation in Edge.

 

We are very disappointed about this solution and how Microsoft is "improving" simple solutions like the IE favorites.

 

Best regards

 

Stefan

@Moelli 

 

 

You have to modify the user agent string configuration on on-prem ADFS as described here: https://docs.microsoft.com/en-us/deployedge/microsoft-edge-security-identity#windows-integrated-auth...

 

To support WIA-based SSO on Microsoft Edge (version 77 and later), you might also have to do some server-side configuration. You will probably have to configure the ADFS property WiaSupportedUserAgents to add support for the new Microsoft Edge user agent string.

 

After that modification it worked in our environment.
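
The server-side change described in the reply above, as an added example that is not part of the original post or of the linked Microsoft documentation. It uses the AD FS cmdlets `Get-AdfsProperties` and `Set-AdfsProperties`; the user agent token in `$edgeToken` is an assumption and should be confirmed against the linked documentation for your AD FS version.

```powershell
# Added example: append an Edge user agent token to WiaSupportedUserAgents.
# Run in an elevated PowerShell session on the primary AD FS server.

# ASSUMPTION: the token to add. Confirm the exact value in the linked Microsoft
# documentation; the "=~" regex form is assumed to require AD FS 2016 or later.
$edgeToken = '=~Windows\s*NT.*Edg'

# Read the list that is currently in effect.
$current = @((Get-AdfsProperties).WiaSupportedUserAgents)

# Save the existing list first so the change can be rolled back.
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup = Join-Path $env:TEMP "WiaSupportedUserAgents-$stamp.txt"
$current | Set-Content -Path $backup

if ($current -contains $edgeToken) {
    Write-Output 'Token already present; no change made.'
}
else {
    # Append to the existing list. Passing only the new token would replace
    # the list and drop WIA for every browser that was already supported.
    Set-AdfsProperties -WiaSupportedUserAgents ($current + $edgeToken)
    Write-Output "Token added. Previous list saved to $backup"
}

# Show the effective list for review.
(Get-AdfsProperties).WiaSupportedUserAgents
```

Keep the token as narrow as the documentation allows: a pattern that also matches browsers unable to complete WIA makes those clients show a credential prompt instead of the forms sign-in page.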

@stesch79 

 

I don't think this is the same that @Moelli and I are looking for. We want, at least in my case, that when our users run MS Edge Chromium, that it automatically logs in to their Azure AD account instead of their DOMAIN\UserName - this allows users to sync favorites. That's basically what I'm after for my users.

@Moelli Have you figured this out? I am having the same issue.

 

Here is my situation.

We have VDIs that we want users to log in to using their <username>@<companyname>.com, but the way I have the GPO set up it always forces them either to log in to Edge as <domain>\<ADname> or to type it themselves (which we want to be automated).

Our VDI pool deletes itself after they log off or shut down (non-persistent), so this is why we want it automated.

 

On our current Windows 10 PCs, people log in using their <username>@<companyname>.com method, and they can't sync their user data once they move to a virtual desktop when it is logging them in as <domain>\<ADname>.

Is there a GPO I am not finding??