
Microsoft Edge Chromium – Internet Explorer Integration, Beta channel, AAD single sign-on – Updated 9/15

Introduction

 

More than six weeks have passed since I last wrote about this topic, and while most people (myself included) were enjoying their summer holiday, the developers at Microsoft have been busy building new features for the latest versions of their new Edge browser based on the Chromium open source project. You’ll find the official roadmap below, but there are a few features I want to focus on today.

 

First, the Beta Channel of Microsoft Edge (Chromium) has become available.

Secondly, seamless single sign-on support for Azure Active Directory accounts is available in all three channels of Edge (Chromium).

Lastly, Internet Explorer Integration. While IE mode is not a new feature per se, I want to focus on this feature because I think it brings the most value to enterprise customers, and I have not seen other blog articles detailing its use to switch automatically between Edge (Chromium) and a rendering of Internet Explorer 11 inside an Edge browser tab.

 

[Image: Microsoft Edge (Chromium) enterprise roadmap]

Beta Channel

 

Since August 20, the third and final preview channel of Edge, called Beta, has been available for download (official announcement).

With a six-weekly cycle for new feature releases, it represents the most stable branch of the Edge (Chromium) previews but is also the last to receive any new features. Security updates and bugfixes, however, can be delivered almost any day.

There will not be another preview channel of the browser. This is a good sign for development because it means that the browser is deemed stable enough to test for any interested users, not just developers and sysadmins, and also means that the software is getting closer to an official and supported release.

As of today, it is also the only channel of the browser that allows sync for AAD accounts, but more on that below.

Just like the Dev Channel, the Beta Channel will install properly to your program files directory, if the installer is run with admin rights. The Canary channel does not do this, and, as a result, is less secure because any standard user can tinker with or replace the browser.

Note that group policy for Microsoft Edge (Chromium) is always applied to all channels. That means that if you made policies for the Dev Channel of Edge, they will immediately apply to the Beta Channel of the software should you choose to install it. The only exception is the updater software for the browser, which has separate settings for each channel.

Stability is crucial for software, especially when it comes to web browsers. Beta is the best channel to use for enterprise evaluation.

That said, I have found the Dev channel to be perfectly stable in daily use, and recommend it for IT pros who want to follow the development of new features a little more closely, and benefit from new features sooner and more frequently.

 

Single sign-on with Azure Active Directory Accounts

 

From the beginning, Edge (Chromium) users have been able to sign in to the browser using their Microsoft Account to sync settings and data. In late August, this capability was extended to corporate users who sign in using an Azure Active Directory account provided by their workplace or school. This gives Chromium users another alternative to Google for sync and enables seamless single sign-on for Microsoft services such as Azure or Office 365. The experience is quite seamless: the browser signs the user in automatically if there is a work or school account connected to the device, and subsequently enables single sign-on for this account.

This user can now visit any corporate site such as outlook.office.com and is signed in automatically with this browser.

 

 

As for sync, there are a few limitations at the moment. Firstly, syncing your data with an AAD account is only possible for Azure Active Directory Premium accounts (source). Secondly, sync for AAD accounts works with the current Beta build, but does not seem to work with this week’s Dev (78.0.249.1) or today’s Canary (78.0.262.0) releases. Lastly, just like Microsoft Accounts, the AAD accounts cannot sync history, open tabs, or extensions yet. The only items that can be synced are favorites, settings, passwords, and entries for addresses and phone numbers.

 

 

Internet Explorer Integration

 

In my previous article, I argued that IE Mode has the potential to become the single most valuable new feature of Microsoft Edge (Chromium) for enterprises, and also an improvement over the IE integration in the old Edge (UWP).

After taking some time to test it, I think that the current version manages to fulfill this expectation and would like to demonstrate how you can benefit from it.

Once configured correctly, you can open any sites that require Internet Explorer in a new tab inside Edge (Chromium), eliminating the need to open an Internet Explorer window and switch between browsers. This makes for a faster and more seamless experience for end users, who may not even notice that they are using Internet Explorer for some sites.

This solves the dilemma of needing IE for legacy sites but also requiring a fast and secure browser for most other websites. Just open everything in Edge. I’ll show you how.

For this tutorial, I am using the classic example of legacy IE requirements: Silverlight. The site at demos.telerik.com can be used to demonstrate Silverlight in Internet Explorer 11. As expected, this page only works in Internet Explorer. Here’s how it looks in IE11, and Edge Beta, respectively.

 

 

1. IE mode

 

First, we need to make sure that Edge can use IE mode, and see if the page works in that mode. IE mode is available from Edge (Chromium) version 77.

IE mode is available not only for Windows 10 1709 through the latest 1903, but also Windows 7, Windows 8/8.1, Server 2019, and Servers 2008R2 and 2012R2. Unfortunately, Microsoft says it does not work in older Windows 10 releases or Server 2016 yet, but will be supported in the future as all platforms that support IE11 will support it.

Testing was done on Windows 10 1809 and 1903 with the latest cumulative update installed. If IE mode doesn’t work for you, make sure you have the latest cumulative update installed.

We can enable IE mode by setting the group policy “Configure Internet Explorer Integration” to “Internet Explorer Mode”.

 

 

The browser will now check the IE policy for the Enterprise Mode Site List to see whether a page needs to be opened in IE. Alternatively, it can be set to open all intranet sites in IE mode automatically (via the policy “Send all Intranet Sites to Internet Explorer” found under the same path).

The third option is unsupported and may be removed at any time. But, we can add a flag to Edge to open pages in IE mode manually. Add

--ie-mode-test

to the launch options of the browser and you will find a new menu item (and a warning message) in Edge Canary, Dev or Beta:

 

 

Microsoft will likely remove this flag from final versions of the browser, leaving only businesses and professionals with the option to open certain sites in IE mode (source). While making it less useful, it is understandable from a security perspective that Microsoft doesn’t want home users to open any site in IE mode when they are using Edge (Chromium), as it opens up the browser to the same exploits that IE11 might be vulnerable to. It is probably best to only allow IE mode for a few selected URLs that have been configured, but for the moment we can use this flag to open any site we want in IE mode.

This allows us to open the previous demo again. Now, Edge (Chromium) is using IE Mode to display the website and Internet Explorer is rendered inside the Edge window. This is indicated by the little blue IE logo. The site looks and works exactly like IE11. This means that most functions and extensions of Edge do not work in such a window, as the functionality is that of IE11.

 

 

This means that the site works in IE mode. Therefore we should add it to our Enterprise Mode Site List.

 

2. Using Enterprise Mode Site List with Edge (Chromium)

 

This feature was initially used to set the document modes for IE via Group Policy. Later, support for Microsoft Edge was added, so that users in the enterprise could switch between Edge (UWP) and IE automatically. Since Edge is a UWP and IE is a Win32 application, this always required separate browser windows. This led to confusion because the user would suddenly have two open browsers instead of just one. Luckily, Edge (Chromium) is also a Win32 application, which allowed the developers to integrate IE11 in Edge tabs.

For those unfamiliar with the Enterprise Mode Site List, see this article by my colleague Jan or read the documentation.

You can use the Enterprise Mode Site List manager to create the site list. It validates the URLs automatically and allows you to stay organized by checking notes and version numbers. Make sure to set the websites you want to open in IE mode to open in IE11.

 

 

Export to XML, and copy it to a public location all your users can access. This could be a file share in your organization, or a local folder if you are just testing on a single machine. Here is the sitelist.xml we are using in our example:

<site-list version="5">
  <created-by>
    <tool>EMIESiteListManager</tool>
    <version>10.0.14357.1004</version>
    <date-created>09/02/2019 13:00:56</date-created>
  </created-by>
  <site url="www.sepago.de">
    <compat-mode>Default</compat-mode>
    <open-in>IE11</open-in>
  </site>
  <site url="demos.telerik.com/silverlight">
    <compat-mode>Default</compat-mode>
    <open-in>IE11</open-in>
  </site>
</site-list>
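
The earlier advice to allow IE mode only for a few selected URLs can be checked before the list is published. The following Python audit is an added example, not part of the original article or any Microsoft tooling; it reads the sitelist.xml shown above, and the APPROVED_HOSTS set and the finding names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# The sitelist.xml from the article (the created-by metadata is omitted).
SITE_LIST = """<site-list version="5">
  <site url="www.sepago.de">
    <compat-mode>Default</compat-mode>
    <open-in>IE11</open-in>
  </site>
  <site url="demos.telerik.com/silverlight">
    <compat-mode>Default</compat-mode>
    <open-in>IE11</open-in>
  </site>
</site-list>"""

# Assumption: hosts your organisation has signed off for IE mode.
APPROVED_HOSTS = {"www.sepago.de", "demos.telerik.com"}


def audit_site_list(xml_text, approved_hosts):
    """Return (url, [findings]) for every entry that opens in IE11."""
    root = ET.fromstring(xml_text)
    if root.tag != "site-list":
        raise ValueError("not an Enterprise Mode Site List (root is %r)" % root.tag)
    report = []
    seen = set()
    for site in root.iter("site"):
        url = (site.get("url") or "").strip().lower()
        open_in = (site.findtext("open-in") or "").strip()
        if open_in.upper() != "IE11":
            continue  # entry does not hand the page to the IE11 engine
        host, _, path = url.partition("/")
        findings = []
        if not host:
            findings.append("empty-url")
        if host.split(":")[0] not in approved_hosts:
            findings.append("unapproved-host")
        if not path:
            findings.append("whole-host")  # every page on this host renders in IE11
        if url in seen:
            findings.append("duplicate")
        seen.add(url)
        report.append((url, findings))
    return report


if __name__ == "__main__":
    for url, findings in audit_site_list(SITE_LIST, APPROVED_HOSTS):
        print(url, "->", ", ".join(findings) or "ok")
```

Because this file decides which sites are rendered by the IE11 engine, the published copy should be readable by all users but writable only by administrators.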

 

Now, since we already enabled IE mode support in Edge (Chromium), all we need to do is point the policy to the location of the Enterprise Mode Site List. Edge honors the Internet Explorer policy in this case, so we specify it there.*

 

 

After running gpupdate or waiting for the group policy refresh, the next step is to be patient – Microsoft says that Edge generally waits for 65 seconds before processing the Enterprise Mode Site List, and we have unfortunately found that to be true in most cases.

Now, any site we specified on our sitelist.xml will be opened in IE mode automatically. Even the homepage, if necessary.

All other pages will still open normally.

 

 

*Update: New Policy for specifying sitelist.xml

A few weeks after this article was written, Microsoft released a couple of new policies, among them the option to specify separate site lists for IE/Edge (UWP) and the new Edge (Chromium).

In addition to the existing policy in the Internet Explorer tree, there is now an identical policy called “configure the Enterprise Mode Site List” in the Microsoft Edge policy tree. This might be useful for developers and enterprises that want to test just IE mode, without touching the existing IE and Edge site list.

 

Thanks for reading, share or comment if you would like to see more Edge (Chromium) content in the future.