Skipping the Username Prompt: A Better SSO Bookmark for Intune

Here’s a quick tidbit.

When you set up SSO for Entra / Office 365 in Okta you can choose which tiles to show on the end-user dashboard, but Intune is not one of the options. A simple bookmark app pointing at intune.microsoft.com could suffice, but then you have to enter your username before being redirected back to Okta. I wanted a link that signs me in automatically like true SSO. Since other Microsoft apps could do it, I knew it should be possible.

Failed Attempts

The first thing I tried was the RelayState parameter, but it did not get passed through after authentication. Then I tried reverse engineering the wctx parameter. I'm not even going to go into that; it was a bust.

After some time had passed, I picked this back up. I found the https://intune.microsoft.com/{tenant}.onmicrosoft.com link. This still did not redirect to the IdP automatically, but it got closer, because now I could see the /authorize link it produces. I stripped that link down as far as possible while still being able to log in. It could not be the final solution, though, because code_challenge (the PKCE challenge) has to be freshly generated for every sign-in, and a bookmark is static. Still, it proved the concept worked.

https://login.microsoftonline.com/<tenant_name>/oauth2/v2.0/authorize
  ?client_id=c44b4083-3bb0-49c1-b47d-974e53cbdf3c
  &scope=https://management.core.windows.net//.default+openid+profile+offline_access
  &redirect_uri=https://intune.microsoft.com/auth/login/
  &response_mode=fragment
  &response_type=code
  &code_challenge={random}
  &code_challenge_method=S256
  &domain_hint={domain}

The client id is registered under “Azure Portal” according to https://github.com/merill/microsoft-info.

Breakthrough

I kept thinking about how to get the code_challenge generated dynamically. If I go to intune.microsoft.com, it redirects to the /authorize link itself, so all I needed was a way to inject the domain_hint parameter into that redirect. Since the link is generated client-side, I could read the logic and see what options were available. It was a Hail Mary: if Microsoft hadn't left a hook for me, I'd be stuck.

Lo and behold, there was something in signInParameters that passes extra parameters through to the /authorize request, supplied as a URL-encoded JSON object of key-value pairs. So the final link is:

https://intune.microsoft.com/{tenant}.onmicrosoft.com
  ?signInParameters=%7B%22domain_hint%22%3A%22{domain}%22%7D

It’s not over

I'm still facing one dilemma: multi-tenant scenarios. If you are already signed into one tenant and use this link to access another, the sign-in picks up the existing session and won't re-prompt for credentials. MSAL.js does have a prompt parameter, but the portal's client-side code doesn't expose direct control over it. Only prompt=select_account can be set, and that unfortunately breaks the automatic login.