Using device state for an improved SSO experience on browsers with blocked third-party cookies

Emily Lauber

On browsers where third-party cookies are blocked, enterprise admins can ensure a continued single-sign on (SSO) experience for their users by leveraging browser features for device identity. Applying device identity minimizes the need for third-party cookies as the authentication state can come from the device instead of the browser. Safari and Firefox already have the default behavior of blocking third-party cookies and Chrome announced to similarly start third-party cookie blocking as the default behavior in 2024. We encourage IT admins to leverage device identity to maintain single sign-on experiences for supported websites regardless of third-party cookie behavior.

Are you a single-page application (SPA) developer looking for guidance on third-party cookie blocking? Check out our previous blog post, SPA developers: migrate to auth code flow with PKCE, and our documentation on how to handle third-party cookie blocking in browsers.

Browser and device platform support varies across the ecosystem and is constantly evolving. Please refer to the conditional access documentation for the most up-to-date information. A summary of available device identity for browsers is outlined below and is up-to-date as of the time of writing this blog post.

Edge on Windows

Microsoft Edge has a built-in seamless single sign-on feature on the Microsoft identity platform that enables the account the user logged into a Windows machine with to be authenticated to the user’s browser profile. When connected to the browser profile, the account can use SSO to sign in to supported websites. IT admins can configure that an Edge work profile is required or restrict sign-in to trusted accounts. More details at Microsoft Edge identity support and configuration

Chrome on Windows

Chrome users on Windows 10+ can leverage CloudAPAuthEnabled to share identity states between the device and browser. CloudAPAuthEnabled is the Chrome specific API that enables single sign-on for supported websites using the account logged into the Windows machine. This feature is available in Chrome 111+ and requires a registry key to be enabled.

Safari on MacOS and iOS

Microsoft supports SSO for Safari users on macOS and iOS with the Microsoft Enterprise SSO plug-in for Apple devices. This SSO feature is built into the following apps:

Microsoft Authenticator on iOS and iPadOS as well as Microsoft Intune Company Portal on macOS .

Firefox on Windows

Firefox users on Windows 10+ can leverage “Allow Windows single sign-on for Microsoft, work, and school accounts”. This feature is available in Firefox 91+ and can be enabled by the end user via Settings. End users can navigate to the Firefox menu, then Settings, then Privacy & Security. You’ll then see the ‘Allow Windows single sign-on…’ checkbox under the Logins and Passwords section.


Discussion is closed.

Feedback usabilla icon