Edge iOS authentication loop on Intune-managed device with Microsoft Enterprise SSO plug-in enabled

Hello Team,

I'm experiencing a pretty weird issue with Edge on an iPhone 12 (16.5) enrolled in Intune with user affinity. I have an Azure AD user logged into the browser with sync enabled. The user is logged in to all Microsoft apps using the Microsoft Enterprise SSO plug-in for Apple devices. Here's a .gif of the issue:

Whenever I attempt to log in to any website that uses Azure AD as its IdP, the browser gets stuck at the login.microsoftonline.com endpoint and eventually enters what appears to be a loop with the Microsoft Authenticator app. This behavior is exclusive to Edge. All other Microsoft apps authenticate the user successfully using the SSO plug-in.

Here are the Intune management settings enabled on the device:

  • Device configuration policy settings
    • Single sign-on app extension is enabled
      • SSO app extension type: Azure AD
      • Additional configuration for single sign-on app extension
  • App configuration policy settings for Edge
  • App protection policy for all Microsoft apps

In addition to those settings, I also have Safari hidden via a device restrictions policy. The goal is for all users to use Edge only.

Any idea what might be driving this issue?


@Merlin Seems to be a bug. Thought they would fix it with them going GA with the extension.
Adding this under "additional configuration" solves it for the time being:

@Merlin

Did you come up with a better solution which didn't involve blocking the use of Edge for SSO, as I am facing the same issue? Or have you got any other links to pages with some other options? I'm desperately trying to streamline the user experience; always 2 steps forward, 1 step back...

I believe you can add the following instead of AppBlockList. I tested it yesterday at a customer and it seems to be a valid workaround.
  AppCookieSSOAllowList  com.microsoft.msedge
  AppPrefixAllowList     com.microsoft.msedge

P.S. We are going to submit a support case to get it clarified.

@nafanja Thank you, I shall give it a go and let you know how I get on!

<update> Initial testing seems to be working OK now. Thank you!

@nafanja @alexanderchute @WGravatt,

I was able to fix this issue. Here's what I did:

  • In the automatic device enrollment (ADE) profile, I set up Just in Time Registration. This replaces the Intune Company Portal app as the authentication method for ADE in Intune.
  • In the Device features configuration profile, I removed all additional configurations from the Single sign-on app extension configuration.
  • I then added the following additional configurations:
    • Key                              Type     Value
      AppPrefixAllowList               String   com.apple.,com.cisco.
      browser_sso_interaction_enabled  Integer  1
      disable_explicit_app_prompt      Integer  1
      device_registration              String   {{DEVICEREGISTRATION}}

Altogether, this enables Just in Time registration for ADE and allows the SSO extension to work seamlessly. The user must log in to the device using modern authentication during the OOBE and then must log in to a managed Microsoft application to enable SSO. Microsoft recommends having the user log in to Microsoft Teams first "because it's integrated with the latest identity libraries and will provide the most streamlined exp...".

I think this is actually a better user experience for OOBE device enrollment and for SSO. So, it solves two problems at once for us. When using the Company Portal app as the authentication method, we were having issues with the device freezing after OOBE and requiring a forced restart to complete enrollment. Just in Time Registration solved that problem.

@Merlin

I've also had the impression that using Modern Auth might make a difference, but ...

We had to postpone the introduction of Just in Time registration because it doesn't work well yet in scenarios where you require compliance based on Microsoft Defender for Endpoint.

MDE gets installed during enrollment, but the device isn't recognized as compliant until you open MDE.

Next to that, from what I've seen so far, zero touch provisioning of MDE also doesn't work well yet when you use Modern Auth during ADE.

Authentication with Company Portal requires the least interaction and authentication prompts from the end user at this point...

Understood. We're only licensed for Business Premium at my shop, which doesn't include MDE, I don't believe. So I don't have to deal with that...yet. It seems like we're barrelling toward E5 for compliance requirements sometime in the next few years.

Which part of the issue do you mean?
I haven't seen this loop recently, at least on devices which were enrolled with modern authentication.