Forum Discussion
Edge iOS authentication loop on Intune-managed device with Microsoft Enterprise SSO plug-in enabled
- Merlin
Seems to be a bug. Thought they would fix it with them going GA with the extension.
Adding this under "additional configuration" solves it for the time being:
Did you come up with a better solution which didn't involve blocking the use of Edge for SSO? As I am facing the same issue. Or have you got any other links of pages with some other options. I'm desperately trying to streamline the user experience, always 2 steps fwd, 1 step back...
- Merlin, Jun 29, 2023, Copper Contributor
nafanja alexanderchute WGravatt,
I was able to fix this issue. Here's what I did:
- In the automatic device enrollment (ADE) profile, I set up https://learn.microsoft.com/en-us/mem/intune/enrollment/automated-device-enrollment-authentication#set-up-just-in-time-registration This replaces the Intune Company Portal app as the authentication method for ADE in Intune.
- In the Device features configuration profile, I removed all additional configurations from the Single sign-on app extension configuration.
- I then added the following additional configurations.
Key                              Type     Value
AppPrefixAllowList               String   com.apple.,com.cisco.
browser_sso_interaction_enabled  Integer  1
disable_explicit_app_prompt      Integer  1
device_registration              String   {{DEVICEREGISTRATION}}
Altogether, this enables Just in Time registration for ADE and allows the SSO extension to work seamlessly. The user must log in to the device using modern authentication during the OOBE and then must log in to a managed Microsoft application to enable SSO. Microsoft recommends having the user log in to Microsoft Teams first: https://learn.microsoft.com/en-us/mem/intune/enrollment/automated-device-enrollment-authentication#best-practices-for-sso-configuration
I think this is actually a better user experience for OOBE device enrollment and for SSO. So, it solves two problems at once for us. When using the Company Portal app as the authentication method, we were having issues with the device freezing after OOBE and requiring a forced restart to complete enrollment. Just in Time Registration solved that problem.
- nafanja, Jun 29, 2023, Copper Contributor
I've also had the impression that using Modern Auth might make a difference, but ...
We had to postpone introduction of Just in Time registration because it doesn't work well yet in scenarios where you require compliance based on Microsoft Defender for Endpoint.
MDE gets installed during enrollment, but the device isn't recognized as compliant until you open MDE, and next to it, from what I've seen so far, zero touch provisioning of MDE also doesn't work well yet when you use Modern Auth during ADE.
Authentication with Company Portal requires the least interaction and authentication prompts from the end user at this point...
- Merlin, Jun 29, 2023, Copper Contributor
Understood. We're only licensed for Business Premium at my shop--which doesn't include MDE I don't believe. So I don't have to deal with that...yet. It seems like we're barrelling toward E5 for compliance requirements sometime in the next few years.
- nafanja, Jun 29, 2023, Copper Contributor
I believe you can add the following instead of AppBlockList. Tested it yesterday at a customer and it seems to be a valid workaround.
AppCookieSSOAllowList com.microsoft.msedge
AppPrefixAllowList com.microsoft.msedge
P.S. We're going to submit a support case to get it clarified.
- jakeatwilliams, Apr 08, 2024, Copper Contributor
Ever get anywhere with support on this?
- nafanja, Apr 08, 2024, Copper Contributor
Which part of the issue do you mean?
I haven't seen this loop recently, at least on devices which were enrolled with modern authentication.