Edge iOS authentication loop on Intune-managed device with Microsoft Enterprise SSO plug-in enabled

Merlin · ‎Jun 07 2023

Hello Team,

I'm experiencing a pretty weird issue with Edge on an iPhone 12 (16.5) enrolled in Intune with user affinity. I have an Azure AD user logged into the browser with sync enabled. The user is logged in to all Microsoft apps using the Microsoft Enterprise SSO plug-in for Apple devices.. Here's a .gif of the issue:

Whenever I attempt to login to any website that uses Azure AD as its idP, the browser gets stuck at the login.microsoftonline.com endpoint and eventually enters what appears to be a loop with the Microsoft Authenticator app. This behavior is exclusive to Edge. All other Microsoft apps authenticate the user successfully using the SSO plug-in.

Here are the Intune management settings enabled on the device:

Device configuration policy settings
- Single sign-on app extension is enabled
  - SSO app extension type: Azure AD
  - Additional configuration for single sign-on app extension
App configuration policy settings for Edge
App protection policy for all Microsoft apps

In addition to those settings, I do also have Safari hidden via a device restrictions policy. The goal is for all users to use Edge only.

Any idea what might be driving this issue?

alexanderchute · ‎Jun 13 2023

@Merlin Seems to be a bug. Thought they would fix it with them going GA with the extension.
Add this under "additional configuration" solves it for the time being:

WGravatt · ‎Jun 26 2023

@Merlin

Did you come up with a better solution which didn't involve blocking the use of Edge for SSO? As I am facing the same issue. Or have you got any other links of pages with some other options. I'm desperately trying to streamline the user experience, always 2 steps fwd, 1 step back...

nafanja · ‎Jun 29 2023

I believe you can add the following instead of AppBlockList. tested it yesterday at a customer and it seams to be a valid workaround.
AppCookieSSOAllowList com.microsoft.msedge
AppPrefixAllowList com.microsoft.msedge

P.S. we going to submit support case to get it clarified

WGravatt · ‎Jun 29 2023

@nafanja Thank you, I shall give it a go and let you know how I get on!

<update> initial testing seems to be working OK now. Thank you!

Merlin · ‎Jun 29 2023

@nafanja @alexanderchute @WGravatt,

I was able to fix this issue. Here's what I did:

In the automatic device enrollment (ADE) profile, I setup Just in Time Registration. This replaces the Intune Company Portal app as the authentication method for ADE in Intune.
In the Device features configuration profile, I removed all additional configurations from the Single sign-on app extension configuration.
I then added the following additional configurations.
- Key Type Value
  AppPrefixAllowList String com.apple.,com.cisco.
  browser_sso_interaction_enabled Integer 1
  disable_explicit_app_prompt Integer 1
  device_registration String {{DEVICEREGISTRATION}}

Altogether, this enables Just in Time registration for ADE and allows the SSO extension to work seamlessly. The user must login to the device using modern authentication during the OOBE and then must login to a managed Microsoft application to enable SSO. Microsoft recommends having the user login to Microsoft Teams first "because it's integrated with the latest identity libraries and will provide the most streamlined exp...".

I think this is actually a better user experience for OOBE device enrollment and for SSO. So, it solves two problems at once for us. When using the Company Portal app as the authentication method, we were having issues with the device freezing after OOBE and requiring a forced restart to complete enrollment. Just in Time Registration solved that problem.

nafanja · ‎Jun 29 2023

@Merlin

I've also had the inpression that using Modern Auth might make a difference, but ...

We had to postpone introduction of Just in Time registration because it doesn't work well yet in scenarios where you require compliance based on Microsoft Defender for Endpoint.

MDE gets installed during enrollment, but the device isn't recognized as compliant until you open MDE

and next to it - from what I've seen so far, zero touch provisioning of MDE also doesn't work well yet when you use Modern Auth during ADE.

authentication with Company Portal requires the least interaction and authentication prompts from the end user at this point...

Merlin · ‎Jun 29 2023

Understood. We're only licensed for Business Premium at my shop--which doesn't include MDE I don't believe. So I don't have to deal with that...yet. It seems like we're barrelling toward E5 for compliance requirements sometime in the next few years.

Edge iOS authentication loop on Intune-managed device with Microsoft Enterprise SSO plug-in enabled

Edge iOS authentication loop on Intune-managed device with Microsoft Enterprise SSO plug-in enabled

Re: Edge iOS authentication loop on Intune-managed device with Microsoft Enterprise SSO plug-in enab

Re: Edge iOS authentication loop on Intune-managed device with Microsoft Enterprise SSO plug-in enab

Re: Edge iOS authentication loop on Intune-managed device with Microsoft Enterprise SSO plug-in enab

Re: Edge iOS authentication loop on Intune-managed device with Microsoft Enterprise SSO plug-in enab

Re: Edge iOS authentication loop on Intune-managed device with Microsoft Enterprise SSO plug-in enab

Re: Edge iOS authentication loop on Intune-managed device with Microsoft Enterprise SSO plug-in enab

Re: Edge iOS authentication loop on Intune-managed device with Microsoft Enterprise SSO plug-in enab

Key	Type	Value
AppPrefixAllowList	String	com.apple.,com.cisco.
browser_sso_interaction_enabled	Integer	1
disable_explicit_app_prompt	Integer	1
device_registration	String	{{DEVICEREGISTRATION}}

Products (52)

Special Topics (28)

Video Hub (447)

Most Active Hubs

Most Active Hubs

Video Hub

Edge iOS authentication loop on Intune-managed device with Microsoft Enterprise SSO plug-in enabled