This week is a bit of a follow-up on a post of about two years ago and is mainly focussed on creating some awareness. That post was specifically about enabling web sign-in to Windows for usage with Temporary Access Pass. That web sign-in functionality provides a web-based sign-in experience on Microsoft Entra joined devices. At that time, that web-based sign-in experience was limited to Temporary Access Pass (TAP). Starting with Windows 11 version 22H2 with KB5030310 and later, that has changed. The supported scenarios and capabilities of web sign-in are now expanded. Besides TAP, it can now also be used for a passwordless sign-in experience with the Microsoft Authenticator app, a seamless Windows Hello for Business PIN reset experience, and even a federated identity with a third-party SAML-P identity provider. This post will provide a quick reminder about the required configuration for enabling web sign-in as credential provider, followed with a brief look at the main newly supported experiences.
Important: Web sign-in is only supported on Microsoft Entra joined devices.
Enabling web sign-in as credential provider
When looking at enabling web sign-in as credential provider on Windows 11, there’s not much changed compared to a few years ago. The configuration can be achieved by using the policy setting Enable Web Sign In policy setting that is part of the Authentication node in the Policy CSP. That policy setting provides organizations with the ability to add the web sign-in credential provider on Microsoft Entra joined devices. Luckily, that setting is directly available via the Settings Catalog. The following eight steps walk through the creation of a Settings Catalog profile that contains the required setting.
- Open the Microsoft Intune admin center portal and navigate to Devices > Windows > Configuration profiles
- On the Windows | Configuration profiles blade, click Create > New Policy
- On the Create a profile blade, provide the following information and click Create
- Platform: Select Windows 10 and later to create a profile for Windows 10 devices
- Profile: Select Settings catalog to select the required setting from the catalog
- On the Basics page, provide the following information and click Next
- Name: Provide a name for the profile to distinguish it from other similar profiles
- Description: (Optional) Provide a description for the profile to further differentiate profiles
- Platform: (Greyed out) Windows 10 and later
- On the Configuration settings page, as shown below in Figure 1, perform the following actions
- Click Add settings and perform the following in Settings picker
- Select Authentication as category
- Select Enable Web Sign In as setting
- Select Enabled. Web Sign-in will be enabled for signing in to Windows with Enable Web Sign In and click Next
- On the Scope tags page, configure the required scope tags and click Next
- On the Assignments page, configure the assignment and click Next
- On the Review + create page, verify the configuration and click Create
Note: Web sign-in is also recommended in combination with enabling the passwordless experience. More information around that experience can be found in this post: Easily hiding the ability to use passwords for signing into Windows.
Experiencing web sign-in as credential provider
This post can only end by showing the new experience on Windows 11. And most of the experiences are relatively easy to show, with the exception of the federated identity experience. It all starts with the availability of the web sign-in credential provider. That can easily identified by looking at the Windows sign-in screen. It should show the globe icon as shown below in Figure 2. The first experience to show, would be the more seamless self service PIN reset experience, as briefly shown below in Figure 3 (it can be recognized by the still old-school non-curved corners). This experience can be triggered by clicking on I forgot my PIN (and self-service PIN reset is configured). After signing in with the Microsoft Authenticator app, the PIN reset procedure will start within that same window. So, a much more seamless and user-friendly experience, compared to the early days of PIN reset.
Another interesting new experience is the passwordless sign-in experience with the Microsoft Authenticator app that is shown below in Figure 4. That experience can be triggered by actually using the web sign-in credential provider (and the Microsoft Authentication app is configured as an authentication method). In that case the user will get on a similar window as before, just with fancy round corners. After signing in with the Microsoft Authenticator app, the user can work on the device. Besides that, the already existing experience with the Temporary Access Pass (TAP) is still available, as shown below in Figure 5. That experience can also be triggered by using the web sign-in credential provider. The main difference is that a TAP must be available for the user. In that case, the correct flow will automatically be started.
Important: Keep in mind that web sign-in requires an active Internet connection.
Note: This behavior was successfully tested on Windows 11 version 22H2 and Windows 11 version 23H2.
More information
For more information about the web sign-in credential provider on Windows 11, refer to the following docs.
Any chance this will ever support HAJ devices?
I really don’t know, Jason…
Regards, Peter
You have great website Peto, a go to resource if using Intune .
When using this policy, We are unable to get Elevated Permissions prompts to work when the logged on user is not an admin. The secure desktop does not allow entering username or password or do anything to supply credentials. How have you got past this please?
Thank you, Mark. Can you provide some more details? Are you only using this specific setting, or in combination with something else?
Regards, Peter
We are using with the ‘Local Policies Security Options’ of ‘Administrator elevation prompt behavior’ & ‘Standard user elevation prompt behavior’ set to ‘Prompt for Credentials on the secure desktop’
Users are standard users and not administrators of their devices.
Could it be that you’re also automatically denying elevation requests for standard users?
Regards, Peter
We are using the Microsoft Security baseline ands just changing the 2 settings as described above. I don’t think we are denying requests for elevation of standard users, I will go and have another look through the policy
I have looked through the ‘MS Security Baseline – Nov 2021’ settings and can’t see that we are denying user account elevation requests. Would it help if I recording a video to show whats happening?
Hi Mark,
You can always share the recording. Is the behavior only with this setting? And when you remove this setting, it works again?
Regards, Peter
So I have found the MS document that covers what we are seeing
https://learn.microsoft.com/en-us/windows/security/identity-protection/passwordless-experience/
Under ‘Example of UAC elevation experience:’
Then under the ‘recommendations’ section we get
“To facilitate helpdesk support operations, consider enabling the local administrator account or create a separate one, randomizing its password using the Windows Local Administrator Password Solution (LAPS)”
At the moment Passwordless is no good for us as we don’t use LAPS and can’t therefore support our users.
Thank you for sharing, Mark. I was under the impression that it was related to web sign-in, but do I understand it correctly that you also enabled the passwordless experience?
Regards, Peter
Hi Peter. Yes its the passwordless experience setting that causes the problem. Web sign-in is still enabled in my set-up and this works fine.
Regards, Mark
Ah, thank you for that Mark. That explains a lot for me 🙂
Regards, Peter
Hi Peter, thank you for yet another fantastic article. I’m trying to support a scenario where I can completely remove the password credential provider but have the web sign in provider available for Azure AD device admin users, as well as TAP sign ins.
The problem I’m facing on Windows 11 23H2 with latest CU is that when I attempt to do a web sign in with a privileged account, it accepts the username/password/MFA challange and commences sign in, but immediately boots me back to the log on screen.
Just wondering if you’ve tested privileged accounts with it to see whether I’m facing a known issue or a unique issue on my side. Regular TAP sign ins work as expected.
Hi Mitch,
What do you mean with a privileged account? A local administrator, or more?
Regards, Peter
The problem we’re having is that this new Web Sign-In featureset allow for password only (and passwordless with phone sign-in) logon to Windows.
It doesn’t seem to go through conditional access, so there is no option to configuration authentication strength.
And indeed regular TAP works, but without a TAP configured for the user, the user has the option to logon with only its password.
We can’t use TAP for enrollment and windows hello for business with multi-factor unlock anymore (and removing password credential provider), because the user still has the option for single factor logon with its password.
Hi JJ,
I understand the challenge with web sign-in. Can you provide some more details about what you’re trying to achieve?
Regards, Peter
Hi Peter,
Thanks, yes certainly.
In our setup, created back in 2021/2022, we created a more or less full multi-factor setup, therefore we
– Disabled the password credential provider
– Enabled/Forced Windows Hello for Business with Multi-Factor Unlock
– Enabled Web Sign-In
– Enabled TAP for enrollment and support
– Enabled FIDO2 for support (IT staff)
But since these Web Sign-In feature changes at the end of last year for Windows 11, version 22H2 with KB5030310 and 23H2 and later; Users are now able to just login with a password when using Web Sign-In if there is no TAP configured. Passwordless (Phone Sign-In) also seems an option if configured and registered, but there’s still an escape to use password-only.
We can’t find a way to just enable TAP for Web Sign-In and disable the new passwordless/password-only option. Web Sign-In also doesn’t seem to hit condition access, so we’re not able to force MFA or Authentication Strength.
We’ve logged a ticket with Microsoft Support, last week but for now we’re considering disabling Web Sign-In and going back to disabling the password credential provider through proactive remediation after succesfull registration/use of windows hello (though some customers only have business premium, we could use task scheduler). Checking the registry for:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI
– LastLoggedOnProvider
– SecondFactorLoggedOnProvider
PS. Your articles on the subject were very helpful these past years!
Thanks
Thank you for the details, JJ!
And what about the company policy? Is MFA required for the actual Windows login? And if so, what is considered as MFA?
Regards, Peter
I’m failry certain our web sign-in’s are hitting conditional access because we have designed our conditional access policies to apply rules to every different method/approach/location.
Hello! I’m trying to test web signin on one of my w11 23h2 hyper-v vm and its failing. I see the option and can enter my user and password – then it loooks for splitsecond as if it tries to load the authenticator screen but then defaults to an empty white screen with the microsoft logo. After a timeout I am returned to the lockscreen.
In my signin logs in entra I can see an entry with: Microsoft Authentication Broker = Interrupted
Any idea whats preventing this from working?
Hi Simon,
Are the authentication methods available for the user.
Regards, Peter
Hey Peter! Do you happen to know which GUID correlates to Web Sign-in so we could set this to be the default credential provider for subset of devices?
Hi Jonathan,
If I’m not mistaken, you’ve got to look for the Cloud Experience Credential Provider.
Regards, Peter