Conditional Access SSO blocked from edge on shared PC

Jonathan Amar 0 Reputation points
2023-04-17T14:42:45.2+00:00

Hello everyone!
I have a weird issue that I am trying to work around.
Our Conditional Access Policy requires SSO to be done from a compliant device.
We have a shared computer (local user) accessed by a few users daily, and I'm trying to make it so they can all use an SSO website.
The issue is that Edge requires them to have a profile signed in, so it will allow for SSO, and that would mean I need to enable multiple concurrent browser profiles to be signed in at all times that they can switch between, and that is a security nightmare. I tried excluding that computer from the policy, but because Edge isn't signed in, it doesn't transfer the device details in the login, so it doesn't exclude that request from the conditional access, and it fails.
Am I missing something when it comes to exclusions?
And if not, is there any way to make it so that switching profiles in Edge prompts for a password or MFA or something of the sort?
Any help would be appreciated,
Kind Regards, Jonathan

Tags: Microsoft Edge, Microsoft Identity Manager

1 answer

  1. ShiJieLi-MSFT 8,731 Reputation points Microsoft Vendor
    2023-04-18T08:50:10.3533333+00:00

    Hi @Jonathan Amar ,

    As to excluding devices, you can check this doc for more information.

    From the browser side, unfortunately there's no such policy/settings to prompt for authentication when users switch profiles. A better (or ideal) implementation of this, IMO, could be having separate user accounts on the OS level, each account having a single Edge profile accordingly.

    EDIT:

    There's a group policy called ForceEphemeralProfiles which controls whether user profiles are switched to ephemeral mode. An ephemeral profile is created when a session begins, is deleted when the session ends, and is associated with the user's original profile. The ephemeral mode may meet your requirements, and you can have a try.



    Best Regards,

    Shijie Li

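The ForceEphemeralProfiles policy mentioned in the answer above is delivered to Edge either through Group Policy or directly through the policy registry key. The following PowerShell is an added example (not code from the question, the answer, or Microsoft) showing how to set and verify it on the shared PC from an elevated prompt. It assumes Edge reads machine policies from HKLM:\SOFTWARE\Policies\Microsoft\Edge, the documented location for Edge policy values. Note what the policy does and does not do: it discards profile data when the session ends, but it does not sign the Edge profile in, so each user still signs in to Edge at the start of their session for device details to accompany the sign-in.

```powershell
# Added example: enforce ephemeral Edge profiles on a shared Windows PC.
# Not from the original thread. Run from an elevated PowerShell session.
# Assumption: Edge reads machine-level policy values from this key.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'

# Create the policy key if no Edge policy has been set on this machine yet.
if (-not (Test-Path -Path $policyKey)) {
    New-Item -Path $policyKey -Force | Out-Null
}

# ForceEphemeralProfiles = 1 (DWORD): every Edge profile runs in ephemeral mode,
# so browsing data created during the session is discarded when the session ends.
New-ItemProperty -Path $policyKey `
                 -Name 'ForceEphemeralProfiles' `
                 -PropertyType DWord `
                 -Value 1 `
                 -Force | Out-Null

# Verify the value Edge will read. The same policy should appear as applied
# on the edge://policy page after Edge is restarted.
$applied = (Get-ItemProperty -Path $policyKey -Name 'ForceEphemeralProfiles').ForceEphemeralProfiles
if ($applied -eq 1) {
    Write-Host 'ForceEphemeralProfiles is set to 1 (ephemeral profiles enforced).'
} else {
    Write-Warning "ForceEphemeralProfiles is not set as expected (current value: $applied)."
}

# Optional: list every Edge policy value currently enforced on this machine,
# useful for confirming nothing else conflicts with the ephemeral setting.
Get-ItemProperty -Path $policyKey | Select-Object -Property * -ExcludeProperty PS*
```

If the setting is instead pushed by Group Policy from the domain, set it there rather than in the registry directly; a GPO refresh will otherwise overwrite a locally written value.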