Home

Edge Support for SSO

%3CLINGO-SUB%20id%3D%22lingo-sub-96302%22%20slang%3D%22en-US%22%3EEdge%20Support%20for%20SSO%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-96302%22%20slang%3D%22en-US%22%3E%3CP%3EIs%20any%20work%20being%20done%20to%20suport%20Office%20365%20Passthrough%20Authentication%20SSO%20with%20Edge%3F%20It%20is%20still%20not%20supported%20while%20Chrome%2C%20IE%20and%20Firefox%20are.%20This%20is%20a%20bummer%20for%20Orgs%20deploying%20Win10.%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fconnect%2Factive-directory-aadconnect-sso%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fconnect%2Factive-directory-aadconnect-sso%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-364095%22%20slang%3D%22en-US%22%3ERe%3A%20Edge%20Support%20for%20SSO%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-364095%22%20slang%3D%22en-US%22%3E%3CP%3EIt%20is%20the%20end%20of%20edge%2C%20so%E2%80%A6.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20best%20way%20is%20to%20deploy%20Firefox%20and%20use%20seamless%20SSO%2C%20i%20think%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-364091%22%20slang%3D%22en-US%22%3ERe%3A%20Edge%20Support%20for%20SSO%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-364091%22%20slang%3D%22en-US%22%3E%3CP%3EI%20find%20it%20incredible%20that%20its%20March%202019%20and%20still%20no%20AAD%20Seamless%20SSO%20for%20Edge%20without%20having%20to%20have%20your%20Win%2010%20machine%20AAD%20joined!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECan%20anyone%20at%20Microsoft%20(or%20otherwise)%20shed%20any%20light%20on%20why%20this%20is%20the%20case%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESome%20further%20questions%2Fcomments%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E-%20MS%20documentation%20talks%20about%20machines%20being%20AAD%20joined%20but%20also%20Hybrid%20AAD%20joined%20(where%20the%20win%2010%20machine%26nbsp%3Bis%20also%26nbsp%3BAD%20joined).%26nbsp%3B%20I%20can't%20immediately%20tell%20if%20a%20win%2010%20machine%20that%20is%20already%20AD%20joined%20can%20then%20be%20AAD%20joined%20WITHOUT%20it%20them%20being%20considered%20to%20be%20%22Hybrid%20AAD%20joined%22.%26nbsp%3B%20Hybrid%20AAD%20joined%20has%20some%20potential%20repercussions%20for%20us%20and%20it%20would%20be%20good%20to%20clearly%20understand%20if%20a%20machine%20can%20be%20AD%20and%20AAD%20joined%20simultaneously%20without%20it%20being%20Hybrid%20AAD%20joined%20(along%20with%20all%20the%20AAD%20Connect%20and%20computer%20object%20sync%20that%20goes%20with%20that%20concept).%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E-%20With%20respect%20to%20Edge%20moving%20to%20using%20the%20chromium%20engine%3A%26nbsp%3B%20Is%20there%20any%20hint%20that%20AAD%20Seamless%20SSO%20may%20make%20an%20appearance%20with%20that%20change%2C%20to%20match%20the%20fact%20that%20Chrome%20can%20undertake%20AAD%20Seamless%20SSO%3F%26nbsp%3B%20(something%20that%20seems%20%22challenging%22%20to%20MS%20for%20their%20own%20browser)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20lack%20of%20AAD%20Seamless%20SSO%20support%20for%20Edge%20is%20another%20nail%20in%20the%20coffin%20for%20Edge%20being%20considered%20by%20us%20as%20our%20default%20browser%20moving%20forward.....%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-292834%22%20slang%3D%22en-US%22%3ERe%3A%20Edge%20Support%20for%20SSO%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-292834%22%20slang%3D%22en-US%22%3E%3CP%3EJust%20confirming%20that%20for%20me%20at%20least%2C%20if%20the%20device%20is%26nbsp%3B%3CSTRONG%3EAzure%20AD%20Registered%3C%2FSTRONG%3E%2C%20you%20get%20SSO%20with%20Edge.%20If%20not%2C%20it%20will%20ask%20for%20password.%20I've%20also%20experienced%20that%20the%20device%20was%20Azure%20AD%20Registered%20but%20still%20no%20SSO%20and%20when%20starting%20Outlook%20it%20wanted%20me%20to%20confirm%20the%20Azure%20AD%20Registration%20so%20it%20could%20be%20that%20it%20suddenly%20lost%20the%20registration%20and%20therefore%20not%20giving%20SSO%20because%20once%20confirming%20the%20registration%20I%20got%20SSO%20again.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20also%20assume%20that%26nbsp%3B%3CSTRONG%3EHybrid%20Azure%20AD%20joined%3C%2FSTRONG%3E%20will%20give%20an%20SSO%20experience%20with%20Edge.%20I%20will%20try%20this%20and%20report%20back%20here.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBut%20of%20course%2C%20best%20would%20be%20to%20also%20let%20Edge%20have%20SSO%20support.%20Don't%20know%20what%20is%20taking...%20Even%20though%20we%20see%20most%20customers%20running%20hybrid%20with%20Azure%20AD%20Connect%20also%20have%20their%20devices%20Azure%20AD%20Registered%20or%20Hybrid%20Azure%20AD%20joined.%20Some%20problem%20for%20downlevel%20clients%20but%20we%20more%20or%20less%20say%20that%20you%20need%20Windows%2010%20for%20the%20best%20experience%20in%20Microsoft%20Cloud...%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-201286%22%20slang%3D%22en-US%22%3ERe%3A%20Edge%20Support%20for%20SSO%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-201286%22%20slang%3D%22en-US%22%3E%3CP%3Eno%20edge%20is%20not%20yet%20supported.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20first%20time%20you%20launch%20edge%2C%20it%20ask%20for%20login%20and%20password.%20For%20next%20time%2C%20maybe%2C%20edge%20can%20remeber%20but%20it%20is%20not%20supported%20like%20IE%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-175846%22%20slang%3D%22en-US%22%3ERe%3A%20Edge%20Support%20for%20SSO%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-175846%22%20slang%3D%22en-US%22%3E%3CP%3EBelieve%20or%20not%20believe%2C%20still%20Microsoft%20did%20not%20solve%20this%20issue%3F%20Is%20from%20last%20year.%20I%20was%20interested%20in%20implement%20Seamless%20SSO%20but%20is%20not%20support%20Edge%20this%20is%20a%20problem.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-174300%22%20slang%3D%22en-US%22%3ERe%3A%20Edge%20Support%20for%20SSO%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-174300%22%20slang%3D%22en-US%22%3E%3CP%3EYours%20works%20because%20you%20have%20registered%20your%20workstations%20with%20Azure%20and%20your%20using%20ad%20connect%20not%20Azure%20AD%20Connect.%20They%20are%20two%20different%20software%20products.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-173149%22%20slang%3D%22en-US%22%3ERe%3A%20Edge%20Support%20for%20SSO%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-173149%22%20slang%3D%22en-US%22%3E%3CP%3EIt%20appears%20to%20be%20working%20for%20me.%20I%20have%20AD%20Connect%20with%20SSO%20configured%20on%20an%20on-premise%20AD%20server%20(2012R2)%20and%20that%20is%20syncing%20with%20an%20Office%20365%20tenancy%20(Education).%20I%20have%20a%20Win10%20Education%20(1709)%20virtual%20machine%20(VM)%20which%20is%20joined%20AND%20registered%20in%20the%20Azure%20AD%20of%20the%20Office%20365%20tenancy%20via%20AD%20Connect.%20The%20join%20appears%20to%20take%20place%20once%20the%20Win10%20VM%20has%20joined%20the%20local%20AD%20domain%2C%20made%20some%20sort%20of%20connection%20(or%20attempted)%20to%20an%20Office%20365%20login%20URL%2C%20and%20an%20AD%20Connect%20sync%20cycle%20has%20run.%20No%20particular%20user%20needs%20to%20be%20logged%20in%20to%20the%20Win10%20VM%20for%20that%20to%20happen.%20Registration%20appears%20to%20happen%20once%20the%20Win10%20VM%20has%20%3CSPAN%3Emade%20some%20sort%20of%20connection%20(or%20attempted)%20to%20an%20Office%20365%20login%20URL%20while%20a%20domain%20user%20is%20logged%20in%20that%20is%20having%20their%20account%20synced%20with%20Azure%20AD%20via%20AD%20Connect%2C%20and%20an%20AD%20Connect%20sync%20cycle%20has%20run.%20DSRegCmd.exe%20is%20a%20useful%20command%20to%20run%20on%20the%20Win10%20client%20to%20check%20if%20join%20and%20registration%20is%20successful%2C%20besides%20seeing%20what%20has%20appeared%20in%20your%20Devices%20area%20in%20the%20Azure%20AD%20admin%20console.%20WamDefaultSet%3DYes%20seems%20to%20be%20the%20value%20you%20need%20to%20see%20via%20DsRegCmd%20to%20know%20that%20registration%20is%20successful.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EOnce%20the%20Win10%20client%20has%20registered%20successfully%2C%20I%20am%20finding%20that%20opening%20Edge%20and%20going%20to%20portal.office.com%20results%20in%20that%20user%20being%20signed%20in%20without%20the%20need%20to%20enter%20a%20username%20or%20password.%20I%20also%20see%20that%20the%20account%20is%20shown%20in%20the%20settings%20area%20in%20Edge.%20And%20once%20the%20registration%20has%20been%20successful%20for%20the%20Win10%20client%2C%20any%20subsequent%20user%20logging%20on%20to%20that%20computer%20will%20also%20experience%20this%20Seamless%20Single%20Sign-on%20to%20Office%20365%2C%20using%20Edge%20or%20IE.%20Chrome%20seems%20to%20always%20prompt%20for%20a%20username.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EI'd%20be%20interested%20to%20know%20if%20anyone%20else%20is%20getting%20this%20to%20work%2C%20as%20my%20testing%20is%20fairly%20limited%3A%20a%20single%20tenancy%20and%20local%20AD%2C%20a%20couple%20of%20Win10%20VMs%20and%20a%20few%20users.%20And%20I%20know%20it%20shouldn't%20work%20according%20to%20Microsoft.%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-167175%22%20slang%3D%22en-US%22%3ERe%3A%20Edge%20Support%20for%20SSO%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-167175%22%20slang%3D%22en-US%22%3EAny%20update%20on%20this%3F%20It's%20crazy%20that%20Microsoft's%20default%20browser%20for%20Windows%2010%20can%20SSO%20to%20Office%20365%20without%20being%20Azure%20AD%20joined!%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-96925%22%20slang%3D%22en-US%22%3ERe%3A%20RE%3A%20Edge%20Support%20for%20SSO%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-96925%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%2C%20I%20had%20not.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ENothing%20like%20inconsistent%20documentation%20(%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-96914%22%20slang%3D%22en-US%22%3ERe%3A%20RE%3A%20Edge%20Support%20for%20SSO%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-96914%22%20slang%3D%22en-US%22%3E%3CP%3EHave%20you%20checked%20my%20original%20link%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F18725iC0BA5149CE2EDA97%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22Edge.jpg%22%20title%3D%22Edge.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-96907%22%20slang%3D%22en-US%22%3ERe%3A%20RE%3A%20Edge%20Support%20for%20SSO%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-96907%22%20slang%3D%22en-US%22%3E%3CP%3EI%20must%20be%20blind%2C%20i'm%20not%20seeing%20any%20note%20about%20Edge%20support%20being%20removed.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDomain%20Joined%20devices%20can%20be%20Registered%20with%20Azure%20AD%2C%20see%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Factive-directory-azureadjoin-devices-group-policy%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Factive-directory-azureadjoin-devices-group-policy%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-96898%22%20slang%3D%22en-US%22%3ERe%3A%20RE%3A%20Edge%20Support%20for%20SSO%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-96898%22%20slang%3D%22en-US%22%3E%3CP%3ERight%2C%20my%20clients%20are%20Domain%20Joined...so%20it%20does%20not%20work.%20It%20appears%20in%20a%20recent%20update%20they%20tried%20to%20make%20it%20work%2C%20but%2C%20as%20the%20note%20says%2C%20Edge%20support%20has%20been%20removed%20while%20they%20investigate.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-96894%22%20slang%3D%22en-US%22%3ERe%3A%20RE%3A%20Edge%20Support%20for%20SSO%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-96894%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F137%22%20target%3D%22_blank%22%3E%40Matthew%20McDermott%3C%2FA%3Eit%20should%20work%2C%20you%20need%20to%20be%20Azure%20AD%20Joined%2C%20which%20is%20different%20than%20domain%20joined.%3C%2FP%3E%3CP%3Etake%20a%20look%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fconnect%2Factive-directory-aadconnect-pass-through-authentication-current-limitations%26nbsp%3B%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fconnect%2Factive-directory-aadconnect-pass-through-authentication-current-limitations%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-96453%22%20slang%3D%22en-US%22%3ERe%3A%20RE%3A%20Edge%20Support%20for%20SSO%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-96453%22%20slang%3D%22en-US%22%3EChristopher%2C%20You%20lost%20me%2C%20%22domain%20joined%20to%20Azure%22%3F%20I%20thought%20the%20machine%20needed%20to%20be%20domain%20joined%20to%20my%20on%20prem%20domain%3F%20Can%20you%20clarify%20your%20answer%3F%20The%20documentation%20currently%20states%20that%20it%20does%20not%20work%20as%20does%20our%20testing.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-96352%22%20slang%3D%22en-US%22%3ERE%3A%20Edge%20Support%20for%20SSO%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-96352%22%20slang%3D%22en-US%22%3EThis%20actually%20does%20work%2C%20but%20you%20have%20to%20have%20your%20machine%20domain%20joined%20to%20azure%20AD%20%3A(.%20But%20with%20their%20new%20sign%20on%20experience%2C%20no%20SSO%20works.....%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-644012%22%20slang%3D%22en-US%22%3ERe%3A%20Edge%20Support%20for%20SSO%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-644012%22%20slang%3D%22en-US%22%3E%3CP%3EJust%20want%20to%20leave%20a%20quick%20note%20for%20anyone%20looking%20at%20this%20thread%20and%20mistakenly%20thinks%20that%20the%20topic%20is%20applicable%20to%20Orgs%20that%20are%20using%20federated%20SSO%20with%20AD%20FS.%20SSO%20in%20Edge%20works%20for%20us%2C%20running%26nbsp%3BAD%20FS%20v.3%20on%202012R2.%20For%20a%20long%20time%20we%20thought%20that%20SSO%20was%20not%20supported%20with%20AD%20FS%20on%20Edge%2C%20especially%20when%20it%20failed%20after%20we%20added%20%22Edge%2F12%22%20to%20supported%20UA%20strings.%20Finally%2C%20after%20adding%20%22Mozilla%2F5.0%22%2C%20the%20SSO%20for%20both%20Edge%20and%20Chrome%20started%20to%20work.%20This%20was%20a%20major%20improvement%20as%20our%20users%20were%20previously%20stuck%20with%20IE%20and%20its%20horrific%20SharePoint%20performance.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1112566%22%20slang%3D%22en-US%22%3ERe%3A%20Edge%20Support%20for%20SSO%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1112566%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F137%22%20target%3D%22_blank%22%3E%40Matthew%20McDermott%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESo%20it%20seems%20that%20this%20is%20finally%20supported%20as%20of%20%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FMicrosoftDocs%2Fazure-docs%2Fcommit%2F503443e283e6a60608cebd1415c096c86b9e08aa%3Fshort_path%3D552ab66%23diff-552ab6617bd7763b6c011a5b2c4f57c4%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3EAug%2013%202019%3C%2FA%3E.%3C%2FP%3E%3CP%3ESo%20now%20it%20says%20it%20is%20supported%20in%20the%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fhybrid%2Fhow-to-connect-sso%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Edocumentation%3C%2FA%3E%20and%20it%20also%20says%20(as%20I%20saw%20mentioned%20in%20this%20discussion%20earlier)%20that%20%22Seamless%20SSO%20needs%20the%20user's%20device%20to%20be%20domain-joined%2C%20but%20%3CSTRONG%3Edoesn't%20need%20for%20the%20device%20to%20be%20Azure%20AD%20Joined.%3C%2FSTRONG%3E%22%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20irony%20is%20that%20I%20found%20this%20information%20today%2C%20the%20day%20after%20%3CA%20href%3D%22https%3A%2F%2Fblogs.windows.com%2Fwindowsexperience%2F2020%2F01%2F15%2Fnew-year-new-browser-the-new-microsoft-edge-is-out-of-preview-and-now-available-for-download%2F%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EEdge%20Chromium%3C%2FA%3E%20was%20GA%20released.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Matthew McDermott
MVP

Is any work being done to suport Office 365 Passthrough Authentication SSO with Edge? It is still not supported while Chrome, IE and Firefox are. This is a bummer for Orgs deploying Win10.

https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-sso

17 Replies
Highlighted
This actually does work, but you have to have your machine domain joined to azure AD :(. But with their new sign on experience, no SSO works.....
Highlighted
Christopher, You lost me, "domain joined to Azure"? I thought the machine needed to be domain joined to my on prem domain? Can you clarify your answer? The documentation currently states that it does not work as does our testing.
Highlighted

@Matthew McDermottit should work, you need to be Azure AD Joined, which is different than domain joined.

take a look https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-pass-thr...

Highlighted

Right, my clients are Domain Joined...so it does not work. It appears in a recent update they tried to make it work, but, as the note says, Edge support has been removed while they investigate.

Highlighted

I must be blind, i'm not seeing any note about Edge support being removed. 

 

Domain Joined devices can be Registered with Azure AD, see https://docs.microsoft.com/en-us/azure/active-directory/active-directory-azureadjoin-devices-group-p...

Highlighted

Have you checked my original linkEdge.jpg

Highlighted

Thanks, I had not. 

 

Nothing like inconsistent documentation (:

 

Highlighted
Any update on this? It's crazy that Microsoft's default browser for Windows 10 can SSO to Office 365 without being Azure AD joined!
Highlighted

It appears to be working for me. I have AD Connect with SSO configured on an on-premise AD server (2012R2) and that is syncing with an Office 365 tenancy (Education). I have a Win10 Education (1709) virtual machine (VM) which is joined AND registered in the Azure AD of the Office 365 tenancy via AD Connect. The join appears to take place once the Win10 VM has joined the local AD domain, made some sort of connection (or attempted) to an Office 365 login URL, and an AD Connect sync cycle has run. No particular user needs to be logged in to the Win10 VM for that to happen. Registration appears to happen once the Win10 VM has made some sort of connection (or attempted) to an Office 365 login URL while a domain user is logged in that is having their account synced with Azure AD via AD Connect, and an AD Connect sync cycle has run. DSRegCmd.exe is a useful command to run on the Win10 client to check if join and registration is successful, besides seeing what has appeared in your Devices area in the Azure AD admin console. WamDefaultSet=Yes seems to be the value you need to see via DsRegCmd to know that registration is successful.

 

Once the Win10 client has registered successfully, I am finding that opening Edge and going to portal.office.com results in that user being signed in without the need to enter a username or password. I also see that the account is shown in the settings area in Edge. And once the registration has been successful for the Win10 client, any subsequent user logging on to that computer will also experience this Seamless Single Sign-on to Office 365, using Edge or IE. Chrome seems to always prompt for a username.

 

I'd be interested to know if anyone else is getting this to work, as my testing is fairly limited: a single tenancy and local AD, a couple of Win10 VMs and a few users. And I know it shouldn't work according to Microsoft. 

Highlighted

Yours works because you have registered your workstations with Azure and your using ad connect not Azure AD Connect. They are two different software products.

Highlighted

Believe or not believe, still Microsoft did not solve this issue? Is from last year. I was interested in implement Seamless SSO but is not support Edge this is a problem.

Highlighted

no edge is not yet supported.

 

The first time you launch edge, it ask for login and password. For next time, maybe, edge can remeber but it is not supported like IE

Highlighted

Just confirming that for me at least, if the device is Azure AD Registered, you get SSO with Edge. If not, it will ask for password. I've also experienced that the device was Azure AD Registered but still no SSO and when starting Outlook it wanted me to confirm the Azure AD Registration so it could be that it suddenly lost the registration and therefore not giving SSO because once confirming the registration I got SSO again.

 

I also assume that Hybrid Azure AD joined will give an SSO experience with Edge. I will try this and report back here.

 

But of course, best would be to also let Edge have SSO support. Don't know what is taking... Even though we see most customers running hybrid with Azure AD Connect also have their devices Azure AD Registered or Hybrid Azure AD joined. Some problem for downlevel clients but we more or less say that you need Windows 10 for the best experience in Microsoft Cloud...

Highlighted

I find it incredible that its March 2019 and still no AAD Seamless SSO for Edge without having to have your Win 10 machine AAD joined!

 

Can anyone at Microsoft (or otherwise) shed any light on why this is the case?

 

Some further questions/comments:

 

- MS documentation talks about machines being AAD joined but also Hybrid AAD joined (where the win 10 machine is also AD joined).  I can't immediately tell if a win 10 machine that is already AD joined can then be AAD joined WITHOUT it them being considered to be "Hybrid AAD joined".  Hybrid AAD joined has some potential repercussions for us and it would be good to clearly understand if a machine can be AD and AAD joined simultaneously without it being Hybrid AAD joined (along with all the AAD Connect and computer object sync that goes with that concept).

 

- With respect to Edge moving to using the chromium engine:  Is there any hint that AAD Seamless SSO may make an appearance with that change, to match the fact that Chrome can undertake AAD Seamless SSO?  (something that seems "challenging" to MS for their own browser)

 

The lack of AAD Seamless SSO support for Edge is another nail in the coffin for Edge being considered by us as our default browser moving forward.....

 

Highlighted

It is the end of edge, so….

 

The best way is to deploy Firefox and use seamless SSO, i think

Just want to leave a quick note for anyone looking at this thread and mistakenly thinks that the topic is applicable to Orgs that are using federated SSO with AD FS. SSO in Edge works for us, running AD FS v.3 on 2012R2. For a long time we thought that SSO was not supported with AD FS on Edge, especially when it failed after we added "Edge/12" to supported UA strings. Finally, after adding "Mozilla/5.0", the SSO for both Edge and Chrome started to work. This was a major improvement as our users were previously stuck with IE and its horrific SharePoint performance.

Highlighted

@Matthew McDermott 

 

So it seems that this is finally supported as of Aug 13 2019.

So now it says it is supported in the documentation and it also says (as I saw mentioned in this discussion earlier) that "Seamless SSO needs the user's device to be domain-joined, but doesn't need for the device to be Azure AD Joined."

 

The irony is that I found this information today, the day after Edge Chromium was GA released.

Related Conversations