{"id":150,"date":"2023-05-16T10:37:29","date_gmt":"2023-05-16T02:37:29","guid":{"rendered":"https:\/\/www.ruianding.com\/blog\/?p=150"},"modified":"2023-08-31T01:50:26","modified_gmt":"2023-08-30T17:50:26","slug":"configuration-of-browsers-to-allow-ms-account-sso","status":"publish","type":"post","link":"https:\/\/www.ruianding.com\/blog\/configuration-of-browsers-to-allow-ms-account-sso\/","title":{"rendered":"Configuration of Mainstream Browsers to Allow AAD SSO"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\" id=\"1-overview\">Overview<\/h2>\n\n\n\n<p>When we configure the&nbsp;<strong>Device Based Conditional Access Policies<\/strong>&nbsp;(e.g. policies that require devices to be Hybrid Azure AD joined to access certain online resources), device registration is definitely a necessary prerequisite. However, we still need to successfully obtain the other factor called&nbsp;<strong><a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/active-directory\/devices\/concept-primary-refresh-token\" target=\"_blank\" rel=\"noreferrer noopener\">Azure AD Primary Refresh Token (Azure AD PRT)<\/a><\/strong>. 
Only after the Azure AD PRT (which contains device information) has been successfully obtained by the device can we be sure that the device-based conditional access policies will be passed.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/05\/image-44.png\" alt=\"\" class=\"wp-image-194\" width=\"640\" height=\"296\"\/><\/figure>\n\n\n\n<p>Browsers are used when we visit web resources, but not all browsers support reading the Azure AD PRT by default.&nbsp;<strong>The following is the configuration that lets the three mainstream browsers read the Azure AD PRT.<\/strong><\/p>\n\n\n\n<p>The full list of supported browsers can be found in this documentation: <a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/active-directory\/conditional-access\/concept-conditional-access-conditions#chrome-support\" target=\"_blank\" rel=\"noreferrer noopener\">Conditions in Conditional Access policy &#8211; Microsoft Entra | Microsoft Learn<\/a><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"897\" height=\"321\" src=\"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/05\/image-83.png\" alt=\"\" class=\"wp-image-253\"\/><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"2-configuration-of-mainstream-browsers\">1. 
Configuration of Mainstream Browsers<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"21-microsoft-edge\">1.1 Microsoft Edge<\/h3>\n\n\n\n<p>Generally, after the device has been successfully registered to Azure AD, Edge will be signed in automatically.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/05\/image-45.png\" alt=\"\" class=\"wp-image-196\" width=\"205\" height=\"165\"\/><\/figure>\n\n\n\n<p>As shown above, if there is no signed-in user, we cannot pass the Device Based Conditional Access Policies (the logon user&#8217;s Azure AD PRT is not specified). We can click&nbsp;<strong>Sign in to sync data<\/strong>&nbsp;to sign in.<\/p>\n\n\n\n<p>This documentation explains why we need to sign in to the profile in order to let Edge read the PRT:<\/p>\n\n\n\n<p><a href=\"https:\/\/learn.microsoft.com\/en-us\/deployedge\/ms-edge-security-conditional-access#accessing-conditional-access-protected-resources-in-microsoft-edge\">Microsoft Edge and Conditional Access | Microsoft Learn<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"22-google-chrome\">1.2 Google Chrome<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>1.2.1 Installation<\/strong><\/h4>\n\n\n\n<p>We need to install an extension called&nbsp;<strong>Windows Accounts<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/05\/image-47.png\" alt=\"\" class=\"wp-image-198\" width=\"655\" height=\"433\"\/><\/figure>\n\n\n\n<p>Google Chrome can also support SSO in Incognito windows after enabling the settings below&nbsp;<strong>(only Google Chrome with the Windows Accounts extension)<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" 
src=\"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/05\/image-48.png\" alt=\"\" class=\"wp-image-200\" width=\"410\" height=\"476\"\/><\/figure>\n\n\n\n<p style=\"font-size:14px\">Note: The Windows Accounts extension can be used in Incognito mode because Google Chrome itself has a setting that allows extensions to be loaded in Incognito mode.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>1.2.2 Deep Dive<\/strong><\/h4>\n\n\n\n<p>You may have noticed that the full list of supported browsers does not include Windows Server 2016. This is because the SSO extension is only compatible with Windows 10 Creators Update (version 1703) or later operating systems.<\/p>\n\n\n\n<p>The reason for this limitation is that SSO requires a built-in executable file called BrowserCore.exe, which serves as the communication link between Chrome and the SSO artifact. If BrowserCore.exe is not running or Chrome is unable to establish contact with it, SSO and CA (Conditional Access) will not function properly.<\/p>\n\n\n\n<p>Depending on the Windows version, BrowserCore.exe can be found in either of the following locations:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>C:\\Program Files\\Windows Security\\BrowserCore\\<\/li>\n\n\n\n<li>C:\\Windows\\BrowserCore\\<\/li>\n<\/ol>\n\n\n\n<p>Therefore, in the case of Windows Server 2016, SSO via Chrome and the SSO extension is not supported since the necessary BrowserCore.exe is not embedded in the system image.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"23-mozilla-firefox\"><strong>1.3 Mozilla Firefox<\/strong><\/h3>\n\n\n\n<p>We can go to&nbsp;<strong>Settings<\/strong>&nbsp;&gt;&nbsp;<strong>Privacy &amp; Security<\/strong>&nbsp;&gt;&nbsp;<strong>Enable Allow Windows SSO for Microsoft, work, and school accounts<\/strong>&nbsp;to allow Firefox to read the Azure AD PRT.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" 
src=\"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/05\/image-49.png\" alt=\"\" class=\"wp-image-202\" width=\"652\" height=\"449\"\/><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>Overview When we configure the&nbsp;Device Based Conditional Access Policies&nbsp;(e.g. policies that require devices to be Hybrid Azure AD joined to access certain online resources), device registration is definitely a necessary prerequisite. However, we still need to successfully obtain the other factor called&nbsp;Azure AD Primary Refresh Token (Azure AD PRT). Only after the Azure AD PRT (which contains [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_themeisle_gutenberg_block_has_review":false,"footnotes":""},"categories":[31,36,10,40],"tags":[6],"class_list":["post-150","post","type-post","status-publish","format-standard","hentry","category-azuretopics","category-drs","category-tutorial","category-drs-windows","tag-drs"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.0 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Configuration of Mainstream Browsers to Allow AAD SSO - \u6781\u7b80IT\uff5cSimpleIT<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.ruianding.com\/blog\/configuration-of-browsers-to-allow-ms-account-sso\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Configuration of Mainstream Browsers to Allow AAD SSO - \u6781\u7b80IT\uff5cSimpleIT\" \/>\n<meta property=\"og:description\" content=\"Overview When we configure the&nbsp;Device Based Conditional Access Policies&nbsp;(e.g. 
policies that require devices to be Hybrid Azure AD joined to access certain online resources), device registration is definitely a necessary prerequisite. However, we still need to successfully obtain the other factor called&nbsp;Azure AD Primary Refresh Token (Azure AD PRT). Only after the Azure AD PRT (which contains [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.ruianding.com\/blog\/configuration-of-browsers-to-allow-ms-account-sso\/\" \/>\n<meta property=\"og:site_name\" content=\"\u6781\u7b80IT\uff5cSimpleIT\" \/>\n<meta property=\"article:published_time\" content=\"2023-05-16T02:37:29+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-08-30T17:50:26+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/05\/image-44.png\" \/>\n<meta name=\"author\" content=\"Ruian Ding\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Ruian Ding\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.ruianding.com\/blog\/configuration-of-browsers-to-allow-ms-account-sso\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.ruianding.com\/blog\/configuration-of-browsers-to-allow-ms-account-sso\/\"},\"author\":{\"name\":\"Ruian Ding\",\"@id\":\"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/440d88575b7dc819a4cefc8c4199db3b\"},\"headline\":\"Configuration of Mainstream Browsers to Allow AAD SSO\",\"datePublished\":\"2023-05-16T02:37:29+00:00\",\"dateModified\":\"2023-08-30T17:50:26+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.ruianding.com\/blog\/configuration-of-browsers-to-allow-ms-account-sso\/\"},\"wordCount\":481,\"publisher\":{\"@id\":\"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/440d88575b7dc819a4cefc8c4199db3b\"},\"image\":{\"@id\":\"https:\/\/www.ruianding.com\/blog\/configuration-of-browsers-to-allow-ms-account-sso\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/05\/image-44.png\",\"keywords\":[\"DRS\"],\"articleSection\":[\"Azure Topics\",\"DRS\",\"Tutorial\",\"Windows\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.ruianding.com\/blog\/configuration-of-browsers-to-allow-ms-account-sso\/\",\"url\":\"https:\/\/www.ruianding.com\/blog\/configuration-of-browsers-to-allow-ms-account-sso\/\",\"name\":\"Configuration of Mainstream Browsers to Allow AAD SSO - 
\u6781\u7b80IT\uff5cSimpleIT\",\"isPartOf\":{\"@id\":\"https:\/\/www.ruianding.com\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.ruianding.com\/blog\/configuration-of-browsers-to-allow-ms-account-sso\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.ruianding.com\/blog\/configuration-of-browsers-to-allow-ms-account-sso\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/05\/image-44.png\",\"datePublished\":\"2023-05-16T02:37:29+00:00\",\"dateModified\":\"2023-08-30T17:50:26+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.ruianding.com\/blog\/configuration-of-browsers-to-allow-ms-account-sso\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.ruianding.com\/blog\/configuration-of-browsers-to-allow-ms-account-sso\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.ruianding.com\/blog\/configuration-of-browsers-to-allow-ms-account-sso\/#primaryimage\",\"url\":\"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/05\/image-44.png\",\"contentUrl\":\"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/05\/image-44.png\",\"width\":760,\"height\":351},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.ruianding.com\/blog\/configuration-of-browsers-to-allow-ms-account-sso\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.ruianding.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Configuration of Mainstream Browsers to Allow AAD SSO\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.ruianding.com\/blog\/#website\",\"url\":\"https:\/\/www.ruianding.com\/blog\/\",\"name\":\"Ruian's Tech Troubleshooting Toolbox\",\"description\":\"Debug the 
World.\",\"publisher\":{\"@id\":\"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/440d88575b7dc819a4cefc8c4199db3b\"},\"alternateName\":\"\u4e01\u777f\u5b89\u7684\u6280\u672f\u5206\u4eab\u535a\u5ba2\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.ruianding.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/440d88575b7dc819a4cefc8c4199db3b\",\"name\":\"Ruian Ding\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/05\/logo.png\",\"contentUrl\":\"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/05\/logo.png\",\"width\":284,\"height\":284,\"caption\":\"Ruian Ding\"},\"logo\":{\"@id\":\"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/image\/\"},\"description\":\"I am currently a Support Specialist at NIO, focusing on cloud-related issues for NIO Power. Previously, at Microsoft Entra ID, I specialized in identity and access management (IAM), including device registration, Windows Hello for Business (WHfB), multi-factor authentication (MFA), and single sign-on (SSO). In addition to my core expertise, I have a strong foundation in Active Directory, Servers, Cloud Computing, Network Administration, and Front-end Web Development. This diverse technical skill set enables me to effectively handle a wide range of challenges in a fast-paced IT environment.\",\"sameAs\":[\"https:\/\/www.ruianding.com\"],\"url\":\"https:\/\/www.ruianding.com\/blog\/author\/ruiand\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","_links":{"self":[{"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/posts\/150","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/comments?post=150"}],"version-history":[{"count":8,"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/posts\/150\/revisions"}],"predecessor-version":[{"id":931,"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/posts\/150\/revisions\/931"}],"wp:attachment":[{"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/media?parent=150"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/categories?post=150"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/tags?post=150"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}