👷‍♂️
Work
  • 💻SNOW
    • Catalog Forms
    • Knowledge Base
  • ☁️Azure
    • Graph Permissions
    • App Registration Auths
      • Postman
      • Graph ROPC Federated Account
        • MSAL UsernamePasswordCredential
        • Java
        • Python
        • C#/VB code Auth
      • Powershell
      • Java Auth x EWS
      • Python Auth x Sharepoint
      • C# Auth x Sharepoint
    • MFA
    • Dynamic Group
    • AAD Device Pending
    • O365 Device Enrollment
    • AAD Device Troubleshoot
    • AAD Mobile Troubleshooting
    • ADO Service Principal
    • External B2B
    • VLSC Admin
    • PowerBI Session Timeout
    • SSO issues
  • 🔓OKTA
    • SVC Account
    • OKTA Integration
    • Access Issues
  • 👷‍♂️Workday
    • Account Lifecycle
    • Coupa
  • 📨O365
    • OOF of Distribution List
    • Mailbox Recovery
    • Mailbox Existence
  • 🦄Misc
    • Windows Terminal
    • Google Auth Export
    • MS Teams Issues
  • 🌥️Cloud Stuff
    • 🚀Benchmarking
      • Vultr
    • 💳Cloud Server
    • ♻️Email and Spams
  • 🔬Open Source
    • Pending
      • Matrix/Synapse
      • Huginn
      • ChangeDetection
    • Tested
      • Codex Docs
      • Ghost Blog
      • n8n Automation
Powered by GitBook
On this page
  1. Azure

SSO issues

PreviousPowerBI Session TimeoutNextSVC Account

Last updated 5 months ago

A potential workaround is to install the Microsoft Extension on Chrome, visit Sharepoint, click on the account you wish to log in with, close the browser, and then try visiting SharePoint directly – Here's the link to the extension: Microsoft Single Sign-On.

When the user tries to log in using Chrome, they are prompted to sign in, and SSO does not work as expected. However, if the user allows themselves to be redirected to the custom homepage set by local admins, OKTA completes the SSO process and allows them to sign in.

We validated that our organization's devices are Hybrid Entra Joined, and the PRT issued would be used for the SSO experience on Microsoft applications. We confirmed that Chrome, out of the box, does not support SSO or device-based claims for Microsoft applications.

To enable Chrome to support SSO or device-based claims needed for Conditional Access, the Microsoft Single Sign-On extension needs to be installed. You can review the following articles for more details:

  • Conditions in Conditional Access policy - Microsoft Entra ID | Microsoft Learn

  • Primary Refresh Token (PRT) and Microsoft Entra ID - Microsoft Entra ID | Microsoft Learn

We tested this, and after installing the Microsoft Single Sign-On extension, we found that the user was able to log in to SharePoint without being prompted to sign in.

☁️
2MB
login.microsoftonline.com.har
When logging in with normal account (OK)
2MB
svc_login.microsoftonline.com.har
When logging in with svc account (NG)
What happened to Chrome, but we do know it's managed by AD via GPO.
Why PRT is not passed from Chrome to Microsoft