
I'm currently working at a large public institution in Norway.

Half the team runs Linux, and the only real constraint is using Edge for SSO. (Firefox works too - you just have to actually log in like it's 2008.)

Honestly, everything else runs smoother than what my Windows-using teammates are dealing with.



That is probably just a setting missing from your Firefox profile that allows your company Kerberos realm/domain. If your institution hasn't locked down your Firefox config, you can fix this yourself: https://docs.redhat.com/en/documentation/red_hat_enterprise_...


I suspect nowadays it's more likely a matter of integrating with Microsoft's "identity broker", part of Intune, aka "Company Portal".

You use Intune to log in and register your device against your Microsoft account, and microsoft-identity-broker is a DBus service that hands out tokens that can be passed to login.microsoft.com (either as a cookie or a special header) which identifies you (skipping the username/password login) and allows you to pass the company device test.

I was able to put together a working ad-hoc extension for Firefox to make the DBus call and pass the header, though I've since come across this extension (haven't tried it myself) which looks like it achieves the same thing (with a lot more features, based on the code size?):

https://github.com/siemens/linux-entra-sso

Edge on Linux seems to have this built in, so if you open any page on login.microsoft.com, you'll see it passing some "x-something" header with a token that it received from the identity broker (generated on each page load).
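Added example (not from this thread, the commenter's own extension, or the linked siemens project): the request-side half of the Firefox extension described above, written as a `webRequest.onBeforeSendHeaders` handler that attaches the broker token only to HTTPS requests for the exact host named in the thread, so the token never reaches another site. The header name `SSO_HEADER` and the `getToken()` callback are placeholders; the DBus call to the broker is assumed to live behind that callback.

```javascript
// Placeholder header name (assumption): the real header Edge sends is not
// named in the thread.
const SSO_HEADER = "x-ms-sso-token";
// Only the host the thread names; exact match, never a suffix match, because a
// broker token sent to any other origin is a leaked credential.
const SSO_HOSTS = new Set(["login.microsoft.com"]);

// Decide whether a request may carry the token: HTTPS and an allowlisted host.
function shouldAttachToken(rawUrl) {
  let u;
  try { u = new URL(rawUrl); } catch { return false; }
  return u.protocol === "https:" && SSO_HOSTS.has(u.hostname);
}

// Return a new header list with the SSO header set, replacing any existing
// copy so a page cannot pre-seed its own value.
function withSsoHeader(requestHeaders, token) {
  const kept = requestHeaders.filter(h => h.name.toLowerCase() !== SSO_HEADER);
  return [...kept, { name: SSO_HEADER, value: token }];
}

// Build the onBeforeSendHeaders handler. getToken (assumed to wrap the DBus
// broker call) is invoked per request, matching the per-page-load behaviour
// the comment above describes; nothing is cached in the extension.
function makeHandler(getToken) {
  return (details) => {
    if (!shouldAttachToken(details.url)) return {};
    const token = getToken();
    if (!token) return {}; // broker unavailable: fall through to the normal login page
    return { requestHeaders: withSsoHeader(details.requestHeaders || [], token) };
  };
}

// Wiring into the extension; only runs inside Firefox where `browser` exists.
if (typeof browser !== "undefined" && browser.webRequest) {
  browser.webRequest.onBeforeSendHeaders.addListener(
    makeHandler(() => null /* replace with the broker call */),
    { urls: ["https://login.microsoft.com/*"] },
    ["blocking", "requestHeaders"]
  );
}
```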


How does this work if the conditional access policies require compliance with Microsoft's "security baseline" which involves e.g. checking that the latest Windows updates are installed?

Presumably the Microsoft software running on the Linux machine will report it as non-compliant and prevent you from logging in?


Microsoft Intune is officially available for Linux. This mechanism doesn't involve making a Linux system pretend it's Windows. It's just about making non-Edge browsers able to authenticate as Edge does.

Microsoft is aware that the authentication is coming from a Linux system, so presumably there are different policies involved.

I don't know how these things are administrated, but the Linux Intune software has a notion of "Compliance" that might involve periodically running some program decided by the company. If Intune decides the system is non-compliant, authentication still works, but Microsoft login knows the compliance status, so it might prevent you from accessing certain applications, depending on what the company has configured.

Also, in my experience, the ability to sign in from Linux can be limited to certain groups, so regular Windows users can't just run Linux without some company approval.


It’s really not. Edge bundles a number of authentication libraries with the Linux version that enable things like remote passkey support.


What is "remote passkey support"? I am familiar with passkeys (both resident and non-resident). But I haven't heard of remote passkeys yet.


I guess maybe passkeys over some kind of USB/RDP redirection. But searching the internet doesn't yield any useful results. Or maybe something new and proprietary like all those incompatible passkey implementations out there...


Bluetooth binding to your mobile device, which then handles MFA with biometrics.


You can't use KeepassXC + Firefox? Might need to downgrade the KeepassXC browser plugin (because of a bug)


Nope. Not even close to the same functionality here.


I feel reasonably confident that if the focus is on open tooling and sovereignty and not saving money then a shift to Linux can 100% work even at large and complex organizations.


This sounds really interesting. Are you able to share more about this (even in private) for inclusion in https://eu-os.eu/use-cases ?


>Half the team runs Linux, and the only real constraint is using Edge for SSO. (Firefox works too - you just have to actually log in like it's 2008.)

So everything in the backend is still MS? Office 365, Intune, the full stack? That is the point of the comment you are replying to.

The "terminals" don't matter that much if the goal is to get rid of MS dependency and they run Office 365... what's the point.


Windows licensing cost. They are a pretty penny at large scale.


Sometimes, the goal isn’t actually to switch - it’s to have a credible threat of switching. That alone can bring Microsoft to the table with a whole new attitude toward pricing.

Munich pulled off a version of this around 2010: announce a bold move to Linux and open source, let Microsoft panic, enjoy the sudden price cuts, and quietly stay put.

Personally, I think cost is just one part of the equation. The real value is being in a position where you’re not locked in—and where Microsoft knows it. That leverage is worth more than any licensing discount.


For workstations or laptops?? Non-factor for a business.

It is included in Office 365 E3/E5 that also does Intune device management, apps, Defender, the whole shebang. Nobody cares about individual licence costs.

Windows Server? Yea, that costs for sure, but that's not running on laptops.


> using Edge for SSO

May I ask what that SSO solution is? Because it sounds like it might be a Microsoft product.


Yeah, probably is. I see the same HTTP Auth login when accessing my employer's intranet (Sharepoint) from Firefox.


Honestly, I’m not entirely sure.

I’ve seen the name Forgerock pop up occasionally, but I don’t know if that’s just tied to the login component on the web pages. Also, they recommend Mac users stick with Safari, which is puzzling. I mean: if it was a Microsoft product, you’d think they’d lock it down to Edge on Mac too—so that makes me wonder.

Just my thoughts—could be totally off base.


My guess -- they support Safari because of iOS. And so might as well just support it on Mac too because it's the default... Heck MS even made Teams more officially supported on Safari than Firefox!


Forgerock would make sense, though the Edge requirement is a little strange.


Kerberos is sort of magic when/if you finally get it working



