On a non-managed mobile, how do I enforce MFA on an SSO sign in on iOS without requiring Edge as the browser as part of the sign in journey

Question

On a non-managed mobile, how do I enforce MFA on an SSO sign in on iOS without requiring Edge as the browser as part of the sign in journey

Paul Hart 20

Many users run into a problem signing into apps with SSO enabled on iOS, where they are shown the message "You can't get in from there" and it forces the user to 'Launch in Edge' to complete the sign in journey. We have MFA enforced, as well as MAM policies via Intune to access apps on mobile. With apps such as DataDog, FreshService and others, you go to Edge but it will never return to the iOS app to complete signing in. In the app, it is sitting on the in built browser (Safari) window still displaying the same message, which makes signing in impossible. Setting the default browser as Edge does not change, a workaround for FreshService is to copy and paste the sign in URL from the browser window that appears within the app during sign in and paste this into Edge to complete the process. This does not work for many other apps. Is there a way to not require Edge to complete MFA?

Paul Hart 20 Reputation points

2024-02-16T13:08:42.6566667+00:00

Hi @Wenying Lu-MSFT , Thanks, this article is helpful. I believe it will be a misconfiguration, or no set configuration within the apps themselves as some work, for example Slack and Miro. It only seems to be a handful of third party apps where this issue occurs. Appreciate your insight on this.
Akshay-MSFT 17,961 Reputation points Microsoft Employee Moderator

2024-02-23T06:46:54.8733333+00:00

@Paul Hart
I am following up to see if you were able to follow the action plan suggested below. Please do let me know if you have any queries in the comments section. If you don't have any further queries and the suggestion works as per your business need. Please "Accept the answer". This will help us and others in the community as well. Thanks, Akshay Kaushik
Paul Hart 20 Reputation points

2024-02-26T13:28:15.9533333+00:00

I found that it was a conditional access policy, it is the 'Require app protection policy' enforcing Edge as part of the MFA journey on mobile apps. A workaround is to exclude the relevant enterprise app from that policy. MFA remains enforced, and the sign in journey does not go to Edge. I sent screen recordings to a couple of different non-Microsoft app developers showing the problem, they stated that they have added this to their list of problems to solve.

Accepted answer

0 additional answers

Your answer

Paul Hart 20 Reputation points

2024-02-16T13:08:42.6566667+00:00

Hi @Wenying Lu-MSFT , Thanks, this article is helpful. I believe it will be a misconfiguration, or no set configuration within the apps themselves as some work, for example Slack and Miro. It only seems to be a handful of third party apps where this issue occurs. Appreciate your insight on this.
Akshay-MSFT 17,961 Reputation points Microsoft Employee Moderator

2024-02-23T06:46:54.8733333+00:00

@Paul Hart
I am following up to see if you were able to follow the action plan suggested below. Please do let me know if you have any queries in the comments section. If you don't have any further queries and the suggestion works as per your business need. Please "Accept the answer". This will help us and others in the community as well. Thanks, Akshay Kaushik
Paul Hart 20 Reputation points

2024-02-26T13:28:15.9533333+00:00

I found that it was a conditional access policy, it is the 'Require app protection policy' enforcing Edge as part of the MFA journey on mobile apps. A workaround is to exclude the relevant enterprise app from that policy. MFA remains enforced, and the sign in journey does not go to Edge. I sent screen recordings to a couple of different non-Microsoft app developers showing the problem, they stated that they have added this to their list of problems to solve.

Answer 1

Wenying Lu-MSFT 2,095 Microsoft External Staff

Hi @PaulHart-3528 ,
To narrow down the issue, please help check if there are some policies set default browser or enforce MFA for Edge browser. Also, you could refer to this doc and try to customize browsers for iOS.

If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Regards,
Wenying Lu

Paul Hart 20 Reputation points

2024-02-26T13:31:15.5233333+00:00

I found that it was a conditional access policy, the 'App Protection Policy' enforces Edge as a medium during the MFA journey. Excluding the enterprise apps where the problem occurs is a good work around, as MFA remains enforced but no need to go to Edge. I flagged this with the relevant third party app develops who acknowledged this was either a known issue or are now aware, therefore they are working on a fix in the meantime.

Share via

On a non-managed mobile, how do I enforce MFA on an SSO sign in on iOS without requiring Edge as the browser as part of the sign in journey

0 additional answers

Your answer