Configure federated sign-in for Windows 11 SE

Starting in Windows 11 SE, version 22H2, you can enable your users to sign in using a SAML 2.0 identity provider (IdP). This feature is called federated sign-in. Federated sign-in simplifies the sign-in process for your users: instead of having to remember a username and password defined in Azure AD, they can sign in using their existing credentials from the IdP. For example, students and educators can use QR code badges to sign in.

Benefits of federated sign-in

Federated sign-in lets students sign in faster and with less friction. With fewer credentials to remember and a simplified sign-in process, students are more engaged and focused on learning.

Important

Currently, this feature is designed for 1:1 devices. For an optimal experience, you should not enable federated sign-in on shared devices.

Prerequisites

To implement federated sign-in, the following prerequisites must be met:

  1. An Azure AD tenant, with one or multiple domains federated to a third-party SAML 2.0 IdP. For more information, see Use a SAML 2.0 Identity Provider (IdP) for Single Sign On

    Note

    If your organization uses a third-party federation solution, you can configure single sign-on to Azure Active Directory if the solution is compatible with Azure Active Directory. For questions regarding compatibility, contact your identity provider. If you're an IdP, and would like to validate your solution for interoperability, refer to these guidelines.

    For a step-by-step guide on how to configure Google Workspace as an identity provider for Azure AD, see Configure federation between Google Workspace and Azure AD.

  2. Individual IdP accounts created: each user will require an account defined in the third-party IdP platform
  3. Individual Azure AD accounts created: each user will require a matching account defined in Azure AD. These accounts are commonly created through automated solutions, for example:
  4. Licenses assigned to the Azure AD user accounts. It's recommended to assign licenses to a dynamic group: when new users are provisioned in Azure AD, the licenses are automatically assigned. For more information, see Assign licenses to users by group membership in Azure Active Directory
  5. Enable federated sign-in on the Windows devices that the users will be using

    Important

    This feature is exclusively available for Windows 11 SE, version 22H2.

To use federated sign-in, the devices must have Internet access. This feature won't work without it, as the authentication is done over the Internet.

Enable federated sign-in on devices

To sign in with a SAML 2.0 identity provider, your devices must be configured with several policies, which can be configured using Microsoft Intune.

To configure devices with Microsoft Intune, use a custom policy:

  1. Go to the Microsoft Endpoint Manager admin center
  2. Select Devices > Configuration profiles > Create profile
  3. Select Platform > Windows 10 and later and Profile type > Templates > Custom
  4. Select Create
  5. Specify a Name and, optionally, a Description > Next
  6. Add the following settings:
     • OMA-URI: ./Vendor/MSFT/Policy/Config/FederatedAuthentication/EnableWebSignInForPrimaryUser
       Data type: Integer
       Value: 1
     • OMA-URI: ./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls
       Data type: String
       Value: Semicolon-separated list of domains, for example: samlidp.clever.com;clever.com;mobile-redirector.clever.com
     • OMA-URI: ./Vendor/MSFT/Policy/Config/Education/IsEducationEnvironment
       Data type: Integer
       Value: 1
     • OMA-URI: ./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebCamAccessDomainNames
       Data type: String
       Value: Optional. Configure this setting only if the webcam is needed during the sign-in process; specify the domains that are allowed to use the webcam during sign-in, separated by a semicolon. For example: clever.com

     [Screenshot: custom policy showing the settings to be configured to enable federated sign-in]

  7. Select Next
  8. Assign the policy to a security group that contains as members the devices or users that you want to configure > Next
  9. Under Applicability Rules, select Next
  10. Review the policy configuration and select Create

For more information about how to create custom settings using Intune, see Use custom settings for Windows devices in Intune.
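The four settings above, assembled into the JSON body that Microsoft Graph accepts for a custom Windows device configuration, as an added example that is not part of this article or of Microsoft's own tooling. The `@odata.type` names and the `deviceManagement/deviceConfigurations` endpoint are assumed from the Microsoft Graph device-configuration API; the hostnames are the article's sample values. Because ConfigureWebSignInAllowedUrls is an allowlist, the example also rejects entries that are not bare hostnames (schemes, paths, wildcards, blanks, duplicates) before they are sent.

```python
# Added example: build the Intune custom profile for Windows 11 SE federated sign-in
# as the windows10CustomConfiguration body accepted by Microsoft Graph (assumed API).
import re

# OMA-URI paths exactly as documented in the article.
ENABLE_WEB_SIGNIN = "./Vendor/MSFT/Policy/Config/FederatedAuthentication/EnableWebSignInForPrimaryUser"
ALLOWED_URLS = "./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls"
IS_EDU = "./Vendor/MSFT/Policy/Config/Education/IsEducationEnvironment"
WEBCAM_DOMAINS = "./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebCamAccessDomainNames"

# Bare DNS hostname with at least two labels: no scheme, port, path or wildcard.
_HOSTNAME = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")


def validate_domain_list(value: str) -> list[str]:
    """Split a semicolon-separated list, rejecting anything that is not a bare IdP
    hostname (schemes, paths, wildcards, blanks, duplicates) so the allowlist stays narrow."""
    hosts: list[str] = []
    for raw in value.split(";"):
        host = raw.strip().lower()
        if not host:
            raise ValueError("empty entry in domain list")
        if not _HOSTNAME.match(host):
            raise ValueError(f"not a bare hostname: {raw!r}")
        if host in hosts:
            raise ValueError(f"duplicate domain: {host}")
        hosts.append(host)
    return hosts


def _setting(name: str, uri: str, value) -> dict:
    """One omaSettings entry; the @odata.type follows the value's data type."""
    kind = "omaSettingInteger" if isinstance(value, int) else "omaSettingString"
    return {"@odata.type": f"#microsoft.graph.{kind}", "displayName": name,
            "omaUri": uri, "value": value}


def build_profile(name: str, allowed_urls: str, webcam_domains: str = "") -> dict:
    """Return the body to POST to deviceManagement/deviceConfigurations (assumed
    endpoint); the webcam allowlist is optional, as in the article."""
    settings = [
        _setting("EnableWebSignInForPrimaryUser", ENABLE_WEB_SIGNIN, 1),
        _setting("ConfigureWebSignInAllowedUrls", ALLOWED_URLS,
                 ";".join(validate_domain_list(allowed_urls))),
        _setting("IsEducationEnvironment", IS_EDU, 1),
    ]
    if webcam_domains:  # only when the IdP needs the camera, e.g. QR code badges
        settings.append(_setting("ConfigureWebCamAccessDomainNames", WEBCAM_DOMAINS,
                                 ";".join(validate_domain_list(webcam_domains))))
    return {"@odata.type": "#microsoft.graph.windows10CustomConfiguration",
            "displayName": name, "omaSettings": settings}
```

Calling `build_profile("Windows 11 SE federated sign-in", "samlidp.clever.com;clever.com;mobile-redirector.clever.com", "clever.com")` yields the four rows from the table above; the profile name is constructed.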

How to use federated sign-in

Once the devices are configured, a new sign-in experience becomes available.

As end users enter their username, they're redirected to the identity provider sign-in page. Once the IdP has authenticated them, they're signed in. The following animation shows how the first sign-in process works:

[Animation: Windows 11 SE sign-in using federated sign-in through Clever and QR code badge]

Important

Once the policy is enabled, the first user to sign in to the device also sets the disambiguation page to the identity provider domain on the device. This means that the device will default to that IdP. The user can exit the federated sign-in flow by pressing Ctrl+Alt+Delete to get back to the standard Windows sign-in screen.

Important considerations

Federated sign-in doesn't work on devices that have the following settings enabled:

  • EnableSharedPCMode, which is part of the SharedPC CSP
  • Interactive logon: do not display last signed in, which is a security policy that is part of the Policy CSP
  • Take a Test, since it leverages the security policy above

Troubleshooting

  • The user can exit the federated sign-in flow by pressing Ctrl+Alt+Delete to get back to the standard Windows sign-in screen
  • Select the Other User button, and the standard username/password credentials are available to sign in to the device