Configure Web Sign-in in Intune

Introduction

I wrote a blog post not too long ago about TAP and how it can be used together with Windows Autopilot. If you haven't read it yet, take a look here.

In that blog, I mentioned web sign-in a few times. However, I felt it deserved a dedicated blog, so here it is. I will cover what web sign-in is and how it behaves as a credential provider.


What is Web Sign-in?

Web sign-in is a credential provider on a device, just like a password and a PIN code. The big difference here, as you might notice when using Web sign-in, is that it will display the Office 365 sign-in page at a normal Windows login.

If you are starting to use TAP in your organization with Autopilot, configuring web sign-in is a requirement.

However, web sign-in comes with limitations, which we will look at later on in this blog.


Configuration

Web sign-in can be configured from the Intune portal with a configuration profile. It's fairly simple, so let's jump right into it.

  1. Head to the Intune portal and navigate to the devices tab. In the devices tab, click the configuration page.
  2. Click create and create a new policy. Make sure to select Windows 10 and later as the platform, and select the settings catalog as the profile type.
  3. Name your profile and click next. Click add settings, and search for "Enable Web Sign In".
  4. Make sure to change the policy to "Enabled. Web sign-in will be enabled for signing in to Windows".

💡 When a new user signs in to a device for the first time using web sign-in, web sign-in becomes the default sign-in method if no default credential provider has been configured.

  5. Now we are close to finished. I want to configure one last setting before we finish up. Click add settings, and search for "Preferred Aad Tenant Domain Name".

With the preferred AAD tenant domain name policy, we can guide the user through the login experience. Instead of the default web sign-in experience:

We can configure the experience to show our preferred domain at login, so it will look like this:

  6. Let's get back to the configuration. Specify the domain you want to be preferred at sign-in. In my case, I want it to be learnintune.net.

💡 You can only configure the preferred domain name to a domain that is available in your tenant.

  7. Click next in Intune, and assign your profile. Last but not least, remember to create it 😎

End-user Experience

Let's enjoy a cup of coffee while our policies are being applied to our test devices! A cup of coffee later, I can now see that our policies have been applied.

I can see that my preferred domain name is visible, and I have the option to sign in to another domain.

I will click sign-in to Learnintune.net, and I can now see the company branding visible.

I will sign in with my user's email and password, and from here I will be logged in to the device, just like I would with a standard password or PIN.

You are probably thinking: what will happen if I use a domain that isn't connected to my tenant? Am I allowed to log in to the device with web sign-in? The short answer is no!

When trying to use the method "sign-in to another domain" and signing in with a domain that isn't connected to your tenant, it will give you this message.


Where Are the Policies Applied?

You can find the web sign-in policies in the registry on the device, specifically under the policy manager key and its providers subkey. From here, you need to know the GUID.

You can find the GUID at the path below; it's the name of the folder under DMClient.

C:\ProgramData\Microsoft\DMClient

Paste the GUID into your registry path, then expand default and, last but not least, device. There is a key named "Authentication" where you can see your policies.
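As an added check (example code, not from the original post), the PowerShell script below automates the lookup just described: it reads the enrollment GUID from the DMClient folder and lists the Authentication policies under that provider key. The registry root HKLM:\SOFTWARE\Microsoft\PolicyManager\Providers and the value names EnableWebSignIn and PreferredAadTenantDomainName are assumptions based on the Policy CSP layout; the post itself only names the folder and the settings catalog entries.

```powershell
# Added example: verify that the Web sign-in policies from Intune have reached the device.
# Assumptions: the enrollment GUID is the folder name under DMClient (as the post describes),
# and the policies land under HKLM\SOFTWARE\Microsoft\PolicyManager\Providers\<GUID>\default\Device\Authentication.

$dmClient     = 'C:\ProgramData\Microsoft\DMClient'
$providerRoot = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\Providers'

# One folder per enrollment; its name is the GUID the post tells you to look up.
$guids = Get-ChildItem -Path $dmClient -Directory |
    Where-Object { $_.Name -match '^\{?[0-9A-Fa-f\-]{36}\}?$' } |
    Select-Object -ExpandProperty Name

if (-not $guids) {
    Write-Warning "No enrollment GUID found under $dmClient"
    return
}

foreach ($guid in $guids) {
    $authKey = Join-Path $providerRoot "$guid\default\Device\Authentication"
    if (-not (Test-Path $authKey)) {
        Write-Output "[$guid] no Authentication policies applied yet"
        continue
    }

    $props = Get-ItemProperty -Path $authKey
    # Value names assumed from the Policy CSP Authentication area.
    $enabled = $props.EnableWebSignIn
    $domain  = $props.PreferredAadTenantDomainName

    Write-Output "[$guid] EnableWebSignIn = $enabled  (1 = enabled)"
    Write-Output "[$guid] PreferredAadTenantDomainName = $domain"

    # Flag the two gaps this post warns about: web sign-in off, or no preferred domain set.
    if ($enabled -ne 1) {
        Write-Warning "Web sign-in is not enabled; TAP with Autopilot requires it."
    }
    if ([string]::IsNullOrEmpty($domain)) {
        Write-Warning "No preferred tenant domain; users will see the default web sign-in page."
    }
}
```

Run it in an elevated PowerShell on the enrolled device after the policy has synced; a missing Authentication key simply means the profile has not been applied yet.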


Limitations

There are some limitations when using web sign-in, so I wouldn't recommend using only web sign-in as your login method. My recommendation would be to use it in combination with Windows Hello for Business.

  • If you are using web sign-in as the login method, the credentials won't be cached on the device when a user first logs in. In other words, the user won't be shown on the login screen.
  • It isn't possible to use Web sign-in when you don't have a network connection. It simply won't allow you to log in. When you try to sign in, it will give you this message.

Conclusion

Thanks for reading this blog. I hope it gave some valuable insights on how web sign-in works and some of the limitations.

If you are interested in seeing how web sign-in works together with TAP, take a look at the blog right here.