Log into Edge Profile with Azure AD account that requires Hybrid AD Join

%3CLINGO-SUB%20id%3D%22lingo-sub-1975759%22%20slang%3D%22en-US%22%3ELog%20into%20Edge%20Profile%20with%20Azure%20AD%20account%20that%20requires%20Hybrid%20AD%20Join%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1975759%22%20slang%3D%22en-US%22%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20have%20configured%20our%20tenant%20with%20CA%20to%20require%20Hybrid%20AD%20Joined%20Windows%20devices.%26nbsp%3B%20This%20all%20works%20great%20as%20long%20as%20the%20device%20has%20AzureADPRT%20set%20to%20Yes%2C%20and%20the%20Edge%20browser%20is%20signed%20in%20using%20the%20same%20account%20used%20to%20sign%20into%20Windows.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHowever%2C%20if%20e.g.%20as%20an%20admin%20you%20want%20to%20have%20a%20second%20profile%20signed%20in%20using%20your%20admin%20credentials%2C%20then%20even%20just%20logging%20into%20the%20Edge%20profile%20you%20get%20%22you%20cannot%20access%20this%20from%20here%22%2C%20and%20in%20Azure%20AD%20sign%20ins%20you%20can%20see%20that%20no%20device%20information%20was%20passed%2C%20ergo%20not%20classed%20as%20Hybrid%20AD%20Joined.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20found%20no%20way%20of%20getting%20around%20this%20without%20taking%20the%20user%20out%20of%20the%20CA%20altogether%20and%20allowing%20access%20from%20unmanaged%20devices.%26nbsp%3B%20Even%20selecting%20only%20the%20workloads%20Teams%2C%20SharePoint%2C%20Exchange%20Online%20it%20will%20still%20block%20Edge%20from%20signing%20in%20the%20second%20user%20account%20into%20it's%20own%20profile.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDoes%20anyone%20know%20how%20this%20is%20meant%20to%20work%2C%20as%20it%20seems%20a%20bit%20silly%20to%20prevent%20signing%20into%20the%20browser%20profile%20itself%2C%20which%20is%20a%20pre-requisite%20to%20being%20able%20to%20check%20if%20the%20device%20is%20compliant%20or%20hybrid%20joined%20in%20the%20first%20place%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Occasional Contributor

 

We have configured our tenant with CA to require Hybrid AD Joined Windows devices.  This all works great as long as the device has AzureADPRT set to Yes, and the Edge browser is signed in using the same account used to sign into Windows.

 

However, if e.g. as an admin you want to have a second profile signed in using your admin credentials, then even just logging into the Edge profile you get "you cannot access this from here", and in Azure AD sign ins you can see that no device information was passed, ergo not classed as Hybrid AD Joined.

 

I have found no way of getting around this without taking the user out of the CA altogether and allowing access from unmanaged devices.  Even selecting only the workloads Teams, SharePoint, Exchange Online it will still block Edge from signing in the second user account into it's own profile.

 

Does anyone know how this is meant to work, as it seems a bit silly to prevent signing into the browser profile itself, which is a pre-requisite to being able to check if the device is compliant or hybrid joined in the first place?

 

0 Replies