Starting with Firefox version 91, Mozilla is now supporting Single sign-on support (SSO) and device-based Conditional Access as announced by Microsoft in the What’s new in Azure Active Directory for August 2021. The feature is still in Public Preview from a Microsoft point of view, and considered Advanced and experimental from a Mozilla point of view.

I’ve already written about Browser restrictions and configuration when using Conditional Access on your modern workplace where I explained how Google Chrome must be configured in order to work with your Conditional Access policy, and now Mozilla Firefox can be added to the list of browsers.

For now the option must be enabled, this can be done by opening Firefox, going to the menu and by selecting settings, from there you can go to Privacy & Security and go to the Logins and Passwords section. From there you can enable the feature by selecting the checkbox in front of “Allow Windows single sign-on for Microsoft, work and school accounts”.

Configuring Firefox for Windows SSO

Within Azure AD sign-in logging we can now see that compliant and managed options are set to yes.

Azure AD sign-in logging

Configuring the settings from Microsoft Endpoint Manager

Since Mozilla is also providing ADMX files for configuring it’s browser, we can use this functionality to configure the “Allow Windows single sign-on for Microsoft, work and school accounts” setting using a custom Configuration Profile.

I will not go into too much detail on how you can use a custom ADMX file and leverage its settings in a Microsoft Endpoint Manager configuration profile. If you want to know more about that, I suggest that you read the following article from fellow-MVP Peter Klapwijk: Manage new ADMX Backed Windows 10 policies with Microsoft Intune and the Microsoft documentation “Win32 and Desktop Bridge app ADMX policy Ingestion

You can download the latest ADMX file for FireFox from the Mozilla Github page. Mozilla even has a Knowledge base article explaining how to ingest and set settings which you can find here: “Managing Firefox with Microsoft Endpoint Manager (Intune)“. The OMA0URI configuration string and possible values can be found under the WindowsSSO section of the Readme.md file.

Based on the information provided above we can create our custom configuration profile in Microsoft Endpoint Manager.

Create the custom Device Configuration Profile

Name: W10 – CP – Mozilla Firefox Configuration – v1.0 (or any other name you want to provide)

Profile type: Custom

OMA-URI settings:

Name FireFox ADMX Ingestion
Description FireFox ADMX Ingestion
OMA-URI ./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Firefox/Policy/FirefoxAdmx
Value (String) Copy the content of the firefox.admx file into the Value field
OMA-URI setting 1
Name Enable Windows SSO
Description Enable Windows SSO
OMA-URI ./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox/WindowsSSO
Value (String) <enabled/> <data id=”WindowsSSO” value=”1″/>
OMA-URI setting 2

After the Configuration profile is successfully applied, you will notice that in FireFox the option is grayed-out meaning that it cannot be changed by the user.

Setting set by Microsoft Endpoint Manager Configuration Profile

On a modern workplace users like to have options, and having support for the Mozilla Firefox browser within you Conditional Access framework is a good thing. So let’s hope the feature comes out public preview soon so that we can also support the FireFox browser as well.

I did a quick check on whether the Tor Browser was also supporting the functionality, but as you can see that browser is still based on Mozilla Firefox 78.14.0esr. It will most probably be a matter of time before the TOR browser supports this functionality as well, and it will be interesting to see how we can handle that.

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/whats-new#public-preview—azure-ad-single-sign-on-and-device-based-conditional-access-support-in-firefox-on-windows-10

https://support.mozilla.org/en-US/kb/windows-sso

https://docs.microsoft.com/en-us/windows/client-management/mdm/understanding-admx-backed-policies

https://www.inthecloud247.com/manage-new-admx-backed-windows-10-policies-with-microsoft-intune/

https://github.com/mozilla/policy-templates/releases

https://docs.microsoft.com/en-us/windows/client-management/mdm/win32-and-centennial-app-policy-configuration

https://github.com/mozilla/policy-templates/releases

https://github.com/mozilla/policy-templates/blob/master/README.md#windowssso

https://support.mozilla.org/en-US/kb/managing-firefox-intune

Previous articleMy Experience of Covid-19
Next articleBack to the App Protection Policies
avatar
I started my career in 1995 as a System Engineer in the broadcast industry, building and maintaining video editing suites and television studio's and later specializing in Telecine equipment. In 1998 I switched to a first line support function within the Information Technlogy on the dealing room of a large bank, working my way up to a 3rd line support engineer. From this position i started to work on projects, which eventually resulted in projects where I worked across the border. In this period I implemented and designed several deployment solutions for mass rollout of workstations, laptops and servers. Since 2009 I switched to a consultancy function mainly focusing on but not limited to System Center design and implementation projects, besides that I became a Microsoft Certified Trainer (MCT) and currently teach System Center Related Classes (SCCM, SCOM and SCSM). In Januari 2010 I received the Microsoft MVP award with the expertise Setup & Deployment which was extended in 2011 and 2012. In 2013 and 2014 I was awarded the VMware vExpert award. In october 2014 I received the Microsoft MVP award with the expertise System Center Cloud and Datacenter Management (SCCDM).

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.