← Back to context

Comment by maxdamantus

4 days ago

I suspect nowadays it's more likely a matter of integrating with Microsoft's "identity broker", part of Intune, aka "Company Portal".

You use Intune to log in and register your device against your Microsoft account, and microsoft-identity-broker is a DBus service that hands out tokens that can be passed to login.microsoft.com (either as a cookie or a special header) which identifies you (skipping the username/password login) and allows you to pass the company device test.

I was able to put together a working ad-hoc extension for Firefox to make the DBus call and pass the header, though I've since come across this extension (haven't tried it myself) which looks like it achieves the same thing (with a lot more features, based on the code size?):

https://github.com/siemens/linux-entra-sso

Edge on Linux seems to have this built in, so if you open any page on login.microsoft.com, you'll see it passing some "x-something" header with a token that it receieved from the identity broker (generated on each page load).

2 comments

maxdamantus

Reply
ptx  4 days ago

How does this work if the conditional access policies require compliance with Microsoft's "security baseline" which involves e.g. checking that the latest Windows updates are installed?

Presumably the Microsoft software running on the Linux machine will report it as non-compliant and prevent you from logging in?

  • maxdamantus  4 days ago

    Microsoft Intune is officially available for Linux. This mechanism doesn't involve making a Linux system pretend it's Windows. It's just about making non-Edge browsers able to authenticate as Edge does.

    Microsoft is aware that the authentication is coming from a Linux system, so presumably there are different policies involved.

    I don't know how these things are administrated, but the Linux Intune software has a notion of "Compliance" that might involve periodically running some program decided by the company. If Intune decides the system is non-compliant, authentication still works, but Microsoft login knows the compliance status, so it might prevent you from accessing certain applications, depending on what the company has configured.

    Also in my experience ability to sign in from Linux can be limited to certain groups, so regular Windows users can't just run Linux without some company approval.