Issue Summary: Microsoft Edge SSO (Single Sign-On) functionality broken after upgrading from version 143 to 144+ in Azure Virtual Desktop environment using device-bound Microsoft Authenticator passkeys.
Environment:
- Azure Virtual Desktop (AVD) session hosts
- FSLogix profile containers for user profile management
- Authentication method: Device-bound Microsoft Authenticator passkeys
- SSO configured for Microsoft 365 and enterprise web applications (SharePoint, ServiceNow, etc.)
- Entra ID joined devices
Working Configuration:
- Microsoft Edge version 143.0.3650.139 and earlier
- User opens Edge and is automatically signed into their Edge profile via SSO
- Navigation to SharePoint, ServiceNow, and other Entra ID-protected resources works seamlessly without manual authentication prompts
Broken Configuration:
- Microsoft Edge version 144.0.3719.82 and later (including 145.0.3800.x)
- User opens Edge and is presented with a "Sign in to Microsoft" prompt instead of automatic SSO
- Edge profile does not automatically sign in
- Unexpected popup appears (e.g., adblock installation prompt), suggesting profile initialisation is not completing correctly
- SSO to Conditional Access-protected resources does not function
Troubleshooting Steps Taken:
- Version rollback testing:
- Rolled back Edge from 144 to 143.0.3650.139 - SSO functions correctly
- Upgraded from 143 directly to 145.0.3800.x - same broken behaviour as 144
- Confirmed this is a regression introduced in Edge 144
- Reviewed known issues:
- Identified known issue in Edge 144 release notes: "Starting in Microsoft Edge Stable version 144.0.3719.82, users who have not fully completed their Microsoft Entra ID sign-in for their Edge profile may be unable to access Conditional Access (CA) protected web resources, as Single Sign-on (SSO) will not function properly in this degraded sign-in state."
- Confirmed we are running version 144.0.3719.104 or later where this issue was reportedly fixed, however the fix does not resolve our scenario
- Environment specifics:
- This issue appears specific to the combination of Azure Virtual Desktop, FSLogix profile containers, and device-bound passkey authentication
- The passkey authentication method may not be satisfying Edge's new profile sign-in state validation introduced in version 144
Expected Behaviour: Edge should automatically sign in to the user's Entra ID profile using SSO/PRT (Primary Refresh Token) and allow seamless access to Conditional Access-protected resources, as it did in version 143 and earlier.
Actual Behaviour: Edge treats the profile as unsigned or in a degraded sign-in state, prompting manual authentication and breaking SSO to protected web resources.
Business Impact: Users are unable to seamlessly access enterprise web applications in our AVD environment, requiring manual authentication steps that were not previously necessary. We are currently holding Edge at version 143 to maintain functionality, which is not sustainable long-term.
Request: Please investigate whether Edge 144+ has introduced changes to profile sign-in state validation or Windows Authentication Manager integration that affect device-bound passkey authentication scenarios in Azure Virtual Desktop environments.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(147.20000000000002, 16%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELG%3C/text%3E%3C/svg%3E)
