Microsoft Edge enterprise sync fails mysteriously

This was a new experience. One customer had more or less nothing in the Microsoft cloud but has started their journey. Since they are subject to Swedish government laws, there are some restrictions on what they are and are not allowed to sync to cloud services. Everything has to be backed by a proper risk assessment analysis, so things take time. I was helping out with Intune and device management, cloud only of course. Then we discovered that Edge profile sync did not happen.

2 x Sync

Microsoft Edge Enterprise Sync enables organisations to synchronise browser data, such as favourites, passwords, history, settings, open tabs, and extensions, securely across devices. It uses Azure AD or Microsoft Entra ID for authentication, ensuring data is encrypted both in transit and at rest. This feature provides users with a consistent browsing experience across multiple devices while maintaining enterprise-grade security and compliance.

Enterprise State Roaming extends synchronisation beyond browser data, enabling Entra ID users to sync Windows settings, app data, and personalization across devices. It ensures a consistent user experience by roaming settings like desktop configurations and taskbar preferences, providing seamless transitions between devices while maintaining enterprise-grade security and compliance.

The difference

With Edge Enterprise Sync, the sync solution operates independently of the Windows sync ecosystem. This flexibility allows Microsoft Edge to be available across multiple platforms, including Windows 10/11, iOS, Android, and macOS. It also supports sync for non-primary accounts on Windows and enables a more agile release schedule compared to Windows updates.

ESR is designed as a Windows-centric feature with specific data-handling promises for Windows devices. However, Microsoft Edge sync extends its functionality beyond Windows, roaming data across a variety of devices. This broader scope makes it challenging to align the Microsoft Edge sync offering within the ESR framework.

So we want to go for Edge Enterprise Sync and enable it!

Requirements

To make Edge Enterprise Sync available for users, there are some requirements. More detail can be read in the Microsoft article, but in short:

  • Microsoft Entra ID Plan 1 or 2
  • Microsoft 365 Business Premium, Business Standard, or Business Basic
  • Office 365 E1 and above
  • All A licenses aka Education

The big difference is that Edge sync needs Azure Information Protection (AIP) to work, or it can use Enterprise State Roaming.
Customers that only have Microsoft Entra ID P1 or P2 must enable Microsoft Entra Enterprise State Roaming (ESR). Microsoft Edge sync isn’t part of ESR, but ESR is required to provide the AIP functionality that’s needed for the P1 and P2 configurations.

Problem

In this case I had Microsoft 365 E3 on the users, so I should be covered by the prerequisites, including AIP.
Enterprise State Roaming is turned off. Since we are using Edge Enterprise Sync, that service is not used.


In Intune we configured a policy for Edge with the settings below, and it has been applied fine.

Yet the users are faced with this issue?!?


Sorry about the Swedish screenshot but it says “Not syncing” and “Synchronisation for this device has been disabled by the organization”

Looking into the edge://sync

Feature not supported????
Let’s head over to the Sync Logs tab. And there we see an issue.

OK so AIP is not enabled. But we have the license and AIP is enabled by default as far as I know.
Then I remembered something…..

Starting July 1, 2018, we will be enabling the protection features in Azure Information Protection to customers with the eligible Office 365 licenses.

Checking with the customer, the tenant was created in 2017, even though they never used any services at that time.

Checked the status and yes, it is disabled. Let’s enable it!

You need the AIP module, and you need to connect to the service. You find the info you need in this link.
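The check and the fix described above, as an added example that is not from the original post. It assumes the AIPService module from the PowerShell Gallery and an account that is allowed to administer the protection service for the tenant.

```powershell
# Added example (not from the original post): check whether the Azure Information
# Protection service is activated for the tenant and enable it if it is not.
# Assumption: the signed-in account may administer the protection service.

# Install the AIPService module for the current user if it is not present yet.
if (-not (Get-Module -ListAvailable -Name AIPService)) {
    Install-Module -Name AIPService -Scope CurrentUser
}
Import-Module AIPService

# Interactive sign-in to the protection service of the tenant.
Connect-AipService

try {
    # Get-AipService reports whether the service is Enabled or Disabled.
    $status = Get-AipService
    Write-Host "Protection service status before change: $status"

    if ("$status" -eq 'Disabled') {
        # Activates the protection service for the whole tenant.
        Enable-AipService

        # Read the status again to confirm the change took effect.
        $status = Get-AipService
        Write-Host "Protection service status after change: $status"
    }

    # Show the onboarding control policy so that a rollout scoped to a group
    # or to licensed users only is noticed and not mistaken for a sync fault.
    Get-AipServiceOnboardingControlPolicy | Format-List
}
finally {
    # Always close the session, also when one of the calls above fails.
    Disconnect-AipService
}
```

After the service is enabled, restart Edge on a test device and look at the Sync Logs tab again before rolling the change out further.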

Finally we got a successful Edge sync
