So I’ve been trying to get the new Edge to open, sign in automatically with the current user’s Azure AD credentials and then turn on sync, without any screens to click through or anything like that.
I had got about as close as is possible – user opens the browser, it signs them in and asks if they want to sync or not. From version 86 there is a new GPO setting to force sync without prompting the user. Hooray!
To get this to work we have the UserPrincipalName of all our accounts identical to the Office 365 primary email address (and sign-in name). The devices are all hybrid Azure AD domain joined (see here if you thought you couldn’t set this up as it wants a forest level SCP)
You’ll need the group policy templates for Edgium installed – see “Managing Settings” on this post if you’ve not done this yet.
Set the following policies under User Configuration -> Policies -> Administrative Templates -> Microsoft Edge:
Browser Sign-in Settings: Force users to sign in
Configure whether a user always has a default profile automatically signed in with their work or school account: Enabled
Hide the first-run experience and splash screen: Enabled
Force synchronization of browser data and do not show the sync consent prompt: Enabled (new setting for v86)
For sync to work you will need either an education SKU Office 365 or any subscription which includes Azure Information Protection (the cheapest way if you don’t have such a subscription is to just licence AIP as it’s £1.51/user)
I also set the following policy to prevent users signing in with their non-school accounts:
Restrict which accounts can be used as Microsoft Edge primary accounts
The format for this is .*@domain.com (the leading dot is important), and if you have multiple domains it’s .*@email@example.com