Device Compliance, SSSO on shared user machine

Hello

I am investigating and trying to implement my company's Device Compliance & Conditional Access policies on multi-user (shared user account) machines, in a Hybrid Azure environment with Seamless SSO enabled.

To describe the setup in a short summary, we have Conditional Access set up so users can access company resources ONLY when they are connecting from a Compliant device. The compliance rules are that it is enrolled / is an active user / AntiVirus is up to date, and a couple of others that aren't important.

For users that have their own dedicated machine this works correctly: they log into the device and can access Outlook, OneDrive etc. fine. They sign into Edge and it syncs using their AD account, and the Device ID is passed through so they can access everything online too.

However, for these 'Shared' machines I can't seem to get the configuration correct. These are configured by having a main Windows login (with E3 and EMS license); then 3 or 4 users with P1 licenses can go to the web to access emails and SharePoint.

I have tried multiple configuration policies in an attempt to get the Shared user account to be compliant, which allows the multiple P1 users to sign into Office 365 on the web.

My main stumbling blocks are:

1. Without Edge being signed in, the Device ID is not passed through when users try to access office.com (for example), resulting in the device not being compliant and users not being able to access resources.

2. When Edge is signed in as the Windows user, Edge automatically signs into everything Office related (due to SSSO), which results in a horrible end-user experience: having to switch user, and problems with which user account is actually signed in and 'live'.

3. I also can't seem to find any information on how to raise a ticket with Microsoft regarding this (without going through our reseller). There used to be a 'One Off' critical case support ticket that could be purchased, but I can't find information about this.

In an ideal situation, for these multi-user machines Edge should sync using the Windows account, but then no SSSO connection is made, so Outlook.office.com / SharePoint etc. will always prompt for login credentials.

Thank you in advance, and sorry if this is in the wrong place.