Enable implicit sign-in


I tried to get an automatically created work profile on my MS Edge using the 'Enable implicit sign-in' policy.

I'm logged on to the PC with my work AAD account. I deleted all my profiles, closed the browser, and set the reg.key ImplicitSignInEnabled=1. After starting the browser there is no work profile. I cannot even determine any difference in the profile fly-out or settings pane. This is still true, independent of whether I set the reg.key to 0 or 1.

 

Can anybody explain the intended behavior of this policy?

 

Thanks,

Joe

8 Replies

@Johannes Goerlich Hi - I looked in the archive to find background information about this policy and it appears it was created to stop implicit sign-in. Here are the Release Notes for v93 Stable: Archived release notes for Microsoft Edge Stable Channel | Microsoft Docs

 


 

I believe that is why enabling or not configuring the policy will have the same effect.  

 

Also, I do not know if it will specifically create a new profile.  Thanks! 

 

-Kelly

 

 

@Kelly_Y 

Hi @Kelly_Y
the description reads:
"If you enable or don't configure this setting, implicit sign-in will be enabled, Edge will attempt to sign the user into their profile based on what and how they sign in to their OS."

 

Independent of whether I enable or disable the policy, it always (just) recommends using my OS account for login:


(browser was restarted of course)

 

Indeed, there is no enforcement or automated account creation.

 

Enabling ImplicitSignInEnabled is a precondition for ConfigureOnPremisesAccountAutoSignIn and NonRemovableProfileEnabled, therefore I'm wondering what exactly is affected by this policy.

 

At https://docs.microsoft.com/en-us/deployedge/microsoft-edge-security-identity#automatic-sign-in it says generally "The device is hybrid/AAD-J: ... The user gets automatically signed in with their Azure AD account."

 

BR,

Joe

@Johannes Goerlich Just checking, have you configured the BrowserSignin policy to 'Disable browser sign-in'?  This would cause the policy to have no effect.  

 

Also you mentioned, ConfigureOnPremisesAccountAutoSignIn and NonRemovableProfileEnabled, they won't take effect if ImplicitSignInEnabled is disabled.  

 

I'm not quite sure what your specific goals are but it appears that there are a lot of Identity questions right now :smile:. I would recommend reaching out to either FastTrack or Support; they would be able to work with you one on one and make sure MS Edge is set up and configured for your specific needs. Thanks!

 

-Kelly
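
The policy dependencies named in the reply above (BrowserSignin set to disabled, and ImplicitSignInEnabled gating ConfigureOnPremisesAccountAutoSignIn and NonRemovableProfileEnabled) can be checked on a test machine with a short script. This is an added example, not part of the original thread and not Microsoft tooling; the function names are hypothetical, and it assumes the policies are delivered through the standard `SOFTWARE\Policies\Microsoft\Edge` registry key.

```powershell
# Added example; function names are hypothetical.
function Test-EdgeSignInPolicy {
    param([hashtable]$Policy)  # policy name -> DWORD value; missing key = not configured
    $findings = @()
    # BrowserSignin: 0 = disable browser sign-in, 1 = enable, 2 = force sign-in
    if ($Policy.ContainsKey('BrowserSignin') -and $Policy['BrowserSignin'] -eq 0) {
        $findings += 'BrowserSignin=0: browser sign-in is disabled, so ImplicitSignInEnabled has no effect.'
    }
    # Enabled and "not configured" behave the same; only an explicit 0 disables implicit sign-in
    $implicitOff = $Policy.ContainsKey('ImplicitSignInEnabled') -and $Policy['ImplicitSignInEnabled'] -eq 0
    if ($implicitOff) {
        foreach ($dep in 'ConfigureOnPremisesAccountAutoSignIn', 'NonRemovableProfileEnabled') {
            if ($Policy.ContainsKey($dep) -and $Policy[$dep] -ne 0) {
                $findings += "$dep is set but will not take effect while ImplicitSignInEnabled=0."
            }
        }
    }
    if (-not $findings) { $findings += 'No conflicting sign-in policy values found.' }
    $findings
}

function Get-EdgePolicyValues {
    $names = 'BrowserSignin', 'ImplicitSignInEnabled',
             'ConfigureOnPremisesAccountAutoSignIn', 'NonRemovableProfileEnabled'
    $result = @{}
    # HKLM is read last so that machine-level policy overrides user-level policy
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = "${hive}:\SOFTWARE\Policies\Microsoft\Edge"
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($n in $names) {
            if ($null -ne $props.$n) { $result[$n] = [int]$props.$n }
        }
    }
    $result
}

# Constructed sample input (not values taken from the thread):
Test-EdgeSignInPolicy @{ BrowserSignin = 1; ImplicitSignInEnabled = 0; NonRemovableProfileEnabled = 1 }

# Live check against the local registry:
Test-EdgeSignInPolicy (Get-EdgePolicyValues)
```

The values Edge has actually loaded can be compared against this output on the browser's `edge://policy` page.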

@Kelly_Y 

 

BrowserSignIn is configured to 'Enable browser sign-in'.

 

I try to understand what a policy is made for by reading its description :smile: and then verify this by testing.
Setting up the browser to enterprise needs is not as easy as one could think, because browser sign-in combines various features like sync and different SSO capabilities which differ based on Windows Account type and can be controlled by settings, domain patterns and built-in automatisms, which sometimes interfere with each other.

 

At the moment I couldn't get my user automatically signed in to a work profile. Even with BrowserSignIn set to "Force users to sign-in to use the browser". Even if I have only one profile and am logged on to Windows with a work account, I always have to manually select an account:

 


Whether ImplicitSignInEnabled is set to Enabled or Disabled - same behavior. 


If I remember correctly, when I was testing this stuff with v85, Edge behaved differently and I was automatically signed in.

 

Best,
Joe

 

P.S.: I'm currently updating our internal policy as well as contributing to the next version of the CIS benchmark for Microsoft Edge.

You are on the Edge team and you are not sure of her specific goal??? It's quite obvious what her goal is and she said it many times: Have Edge automatically sign in the user's profile into the browser. Your description of the setting is the opposite of what Intune/Endpoint Manager says:

"If you enable or don't configure this setting, implicit sign-in will be enabled, Edge will attempt to sign the user into their profile based on what and how they sign in to their OS. If you disable this setting, implicit sign-in will be disabled."

I can also confirm the setting doesn't work as described.

There's definitely something odd going on with this policy. When it's enabled, a user profile isn't created when a new user launches Edge for the first time. However, it seems to be created automatically the second time they launch it. That doesn't make sense, and I'm pretty sure it's not how the policy used to work.

This is causing problems for us because we make Edge browser extensions which provide web-filtering and other safeguarding functionality for schools. The extensions need to know who the user is so that they can apply any user-specific rules. Without a user profile, that information isn't available.

In the meantime, we're able to work around the issue by forcing browser sign-in, and restricting the sign-in to a specific pattern. That seems like unnecessary extra complexity though.

With Edge for Business you can use a combination of 2 policies to achieve your goal, "NonRemovableProfileEnabled" along with "EdgeDefaultProfileEnabled".

Best,
Lawrence

@Lawrence_Barretti 

 

With non-removable profiles we run into the following issue:

https://techcommunity.microsoft.com/t5/enterprise/how-to-get-new-features-while-nonremovableprofilee...

This seems to become a deadlock in certain situations.