Edge iOS authentication loop on Intune-managed device with Microsoft Enterprise SSO plug-in enabled

Copper Contributor

Hello Team,


I'm experiencing a pretty weird issue with Edge on an iPhone 12 (16.5) enrolled in Intune with user affinity. I have an Azure AD user logged into the browser with sync enabled. The user is logged in to all Microsoft apps using the Microsoft Enterprise SSO plug-in for Apple devices.. Here's a .gif of the issue:



Whenever I attempt to login to any website that uses Azure AD as its idP, the browser gets stuck at the login.microsoftonline.com endpoint and eventually enters what appears to be a loop with the Microsoft Authenticator app. This behavior is exclusive to Edge. All other Microsoft apps authenticate the user successfully using the SSO plug-in.


Here are the Intune management settings enabled on the device:


  • Device configuration policy settings
    • Single sign-on app extension is enabled
      • SSO app extension type: Azure AD
      • Additional configuration for single sign-on app extension
        • Merlin_0-1686167976113.png
  • App configuration policy settings for Edge
    • Merlin_1-1686168098727.png


  • App protection policy for all Microsoft apps
    • Merlin_2-1686168309268.pngMerlin_3-1686168327187.png


In addition to those settings, I do also have Safari hidden via a device restrictions policy. The goal is for all users to use Edge only.


Any idea what might be driving this issue?


9 Replies

@Merlin Seems to be a bug. Thought they would fix it with them going GA with the extension.
Add this under "additional configuration" solves it for the time being:





Did you come up with a better solution which didn't involve blocking the use of Edge for SSO? As I am facing the same issue.  Or have you got any other links of pages with some other options. I'm desperately trying to streamline the user experience, always 2 steps fwd, 1 step back...

I believe you can add the following instead of AppBlockList. tested it yesterday at a customer and it seams to be a valid workaround.
AppCookieSSOAllowList com.microsoft.msedge
AppPrefixAllowList com.microsoft.msedge

P.S. we going to submit support case to get it clarified

@nafanja Thank you, I shall give it a go and let you know how I get on!


<update> initial testing seems to be working OK now. Thank you!

@nafanja @alexanderchute @WGravatt,


I was able to fix this issue. Here's what I did:

  • In the automatic device enrollment (ADE) profile, I setup Just in Time Registration. This replaces the Intune Company Portal app as the authentication method for ADE in Intune.
  • In the Device features configuration profile, I removed all additional configurations from the Single sign-on app extension configuration.
  • I then added the following additional configurations.
    • KeyTypeValue


Altogether, this enables Just in Time registration for ADE and allows the SSO extension to work seamlessly. The user must login to the device using modern authentication during the OOBE and then must login to a managed Microsoft application to enable SSO. Microsoft recommends having the user login to Microsoft Teams first "because it's integrated with the latest identity libraries and will provide the most streamlined exp...".


I think this is actually a better user experience for OOBE device enrollment and for SSO. So, it solves two problems at once for us. When using the Company Portal app as the authentication method, we were having issues with the device freezing after OOBE and requiring a forced restart to complete enrollment. Just in Time Registration solved that problem.


I've also had the inpression that using Modern Auth might make a difference, but ...

We had to postpone introduction of Just in Time registration because it doesn't work well yet in scenarios where you require compliance based on Microsoft Defender for Endpoint.

MDE gets installed during enrollment, but the device isn't recognized as compliant until you open MDE

and next to it - from what I've seen so far, zero touch provisioning of MDE also doesn't work well yet when you use Modern Auth during ADE.


authentication with Company Portal requires the least interaction and authentication prompts from the end user at this point...

Understood. We're only licensed for Business Premium at my shop--which doesn't include MDE I don't believe. So I don't have to deal with that...yet. It seems like we're barrelling toward E5 for compliance requirements sometime in the next few years.

which part of the issue do you mean?
I haven't seen this loop recently, at least on devices which were enrolled with modern authentication.