Enable implicit sign-in

I tried to get an automatically created work profile on my MS Edge using the 'Enable implicit sign-in' policy.

I'm logged on to the PC with my work AAD account. I deleted all my profiles, closed the browser and set the registry key ImplicitSignInEnabled=1. After starting the browser there is no work profile. I cannot even determine any difference in the profile fly-out or settings pane. This is still true regardless of whether I set the registry key to 0 or 1.

Can anybody explain the intended behavior of this policy?

Thanks,

Joe

4 Replies

@Johannes Goerlich Hi - I looked in the archive to find background information about this policy and it appears it was created to stop implicit sign-in. Here are the release notes for v93 Stable: Archived release notes for Microsoft Edge Stable Channel | Microsoft Docs

I believe that is why enabling or not configuring the policy will have the same effect.

Also, I do not know if it will specifically create a new profile. Thanks!

-Kelly

Hi @Kelly_Y
the description reads:
"If you enable or don't configure this setting, implicit sign-in will be enabled, Edge will attempt to sign the user into their profile based on what and how they sign in to their OS."

Regardless of whether I enable or disable the policy, it always (just) recommends using my OS account for login:

(browser was restarted of course)

Indeed, there is no enforcement or automated account creation.

Enabling ImplicitSignInEnabled is a precondition for ConfigureOnPremisesAccountAutoSignIn and NonRemovableProfileEnabled, therefore I'm wondering what exactly is affected by this policy.

At https://docs.microsoft.com/en-us/deployedge/microsoft-edge-security-identity#automatic-sign-in it says generally "The device is hybrid/AAD-J: ... The user gets automatically signed in with their Azure AD account."

BR,

Joe

@Johannes Goerlich Just checking, have you configured the BrowserSignin policy to 'Disable browser sign-in'? This would cause the policy to have no effect.

Also you mentioned ConfigureOnPremisesAccountAutoSignIn and NonRemovableProfileEnabled; they won't take effect if ImplicitSignInEnabled is disabled.

I'm not quite sure what your specific goals are but it appears that there are a lot of Identity questions right now :smile:. I would recommend reaching out to either FastTrack or Support; they would be able to work with you one on one and make sure MS Edge is set up and configured for your specific needs. Thanks!

-Kelly
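
The policy dependencies described in the reply above can be checked on a test machine with a short script. This is an added example, not part of the original thread and not Microsoft tooling: the function names are hypothetical, and it assumes the standard Edge policy registry keys and the BrowserSignin values 0 = disable, 1 = enable, 2 = force sign-in.

```powershell
# Added example: report how the Edge sign-in policies named in this thread interact.
# Machine-level policy takes precedence over user-level policy.
$PolicyKeys = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge', 'HKCU:\SOFTWARE\Policies\Microsoft\Edge'
$PolicyNames = 'BrowserSignin', 'ImplicitSignInEnabled',
               'ConfigureOnPremisesAccountAutoSignIn', 'NonRemovableProfileEnabled'

function Get-EdgeSignInPolicy {
    # Returns a hashtable: policy name -> configured value, $null when not configured.
    $result = @{}
    foreach ($name in $PolicyNames) {
        $result[$name] = $null
        foreach ($key in $PolicyKeys) {
            $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
            if ($null -ne $item) { $result[$name] = $item.$name; break }
        }
    }
    return $result
}

function Test-EdgeSignInPolicy {
    # Hypothetical helper: lists which configured values are overridden or redundant.
    param([hashtable]$Policy)
    $findings = @()
    if ($Policy['BrowserSignin'] -eq 0) {
        $findings += 'BrowserSignin=0 (sign-in disabled): ImplicitSignInEnabled has no effect.'
    }
    if ($null -eq $Policy['ImplicitSignInEnabled']) {
        $findings += 'ImplicitSignInEnabled not configured: behaves the same as enabled.'
    } elseif ($Policy['ImplicitSignInEnabled'] -eq 0) {
        # Only an explicit 0 switches implicit sign-in off and disables the dependants.
        foreach ($dep in 'ConfigureOnPremisesAccountAutoSignIn', 'NonRemovableProfileEnabled') {
            if ($null -ne $Policy[$dep]) {
                $findings += "$dep=$($Policy[$dep]) is set but will not take effect while ImplicitSignInEnabled=0."
            }
        }
    }
    return $findings
}

# Live check of the current machine and user.
$current = Get-EdgeSignInPolicy
$current.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize
Test-EdgeSignInPolicy -Policy $current

# Constructed sample (not real data): implicit sign-in off, dependent policy still set.
Test-EdgeSignInPolicy -Policy @{ BrowserSignin = 1; ImplicitSignInEnabled = 0; NonRemovableProfileEnabled = 1 }
```

Compare the output with what edge://policy shows after a browser restart; the script only reads the registry and does not tell you whether Edge actually created or signed in to a profile.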

@Kelly_Y

BrowserSignIn is configured to 'Enable browser sign-in'.

I try to understand what a policy is made for by reading its description :smile: and then verify this by testing.
Setting up the browser for enterprise needs is not as easy as one could think, because browser sign-in combines various features like sync and different SSO capabilities which differ based on Windows Account type and can be controlled by settings, domain patterns and built-in automatisms, which sometimes interfere with each other.

At the moment I couldn't get my user automatically signed in to a work profile. Even with BrowserSignIn set to "Force users to sign-in to use the browser". Even if I have only one profile and am logged on to Windows with a work account, I always have to manually select an account:

Whether ImplicitSignInEnabled is set to Enabled or Disabled - same behavior.

If I remember correctly, when I was testing this stuff with v85, Edge behaved differently and I was automatically signed in.

Best,
Joe

P.S.: I'm currently updating our internal policy as well as contributing to the next version of the CIS benchmark for Microsoft Edge.