Introducing Microsoft 365 Identities
The Microsoft 365 (M365) and Azure ecosystems rely on an identity service called Microsoft Entra ID, formerly known as Azure Active Directory. Users sign in with these identities to access Microsoft 365 services such as Exchange Online, SharePoint Online, and Teams. In some cases, federated authentication means your M365 identity can also be used to access non-Microsoft resources, much like signing in to a website with the "Login with Google" or "Login with Facebook" option. As an example, at AGE we use federated identity for our Timekeeping system, providing seamless single sign-on. These applications are referred to as "relying 3rd party applications" because they rely on Entra ID for authentication.
Introducing Microsoft 365 Tenants
In the M365 ecosystem, the base unit of separation is the "tenant". Most commonly, a tenant represents an organization, such as AGE Solutions or DISA. Identities live within tenants and commonly use an email address as the principal name, such as joe@age.solutions. Tenant names are otherwise arbitrary and normally hidden from users; what matters is that the organization's domain is associated with the tenant. For example, the age.solutions domain is associated with AGE's otherwise arbitrarily named tenant.
When logging in to an M365 or relying 3rd party application, users are presented with a Microsoft login page. When the user enters their username (email address), Microsoft matches the domain to its tenant and directs authentication to that tenant.
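To see how that domain-to-tenant match works in practice, here is an added PowerShell example (not from this KBA, AGE, or DISA): it takes a sign-in name, asks Microsoft's published OpenID Connect metadata endpoint for the domain's tenant, and extracts the tenant ID from the issuer. It assumes outbound HTTPS to login.microsoftonline.com for the live lookup; the all-zero GUID in the embedded sample metadata is a constructed placeholder so the parsing step can be checked offline.

```powershell
# Added example (not part of the original KBA): resolve a sign-in name to the
# Entra ID tenant that the Microsoft login page will route it to.
# Assumptions: outbound HTTPS to login.microsoftonline.com for the live lookup;
# the GUID in the sample metadata below is a constructed placeholder.

function ConvertFrom-OidcMetadata {
    # Extract the tenant GUID from tenant-specific OpenID Connect metadata.
    # The v2.0 issuer has the form https://login.microsoftonline.com/<tenant-guid>/v2.0
    param([Parameter(Mandatory)]$Metadata)
    $tenantId = ($Metadata.issuer -split '/')[3]
    if ($tenantId -notmatch '^[0-9a-f-]{36}$') { throw "Unexpected issuer: $($Metadata.issuer)" }
    [pscustomobject]@{
        TenantId      = $tenantId
        Issuer        = $Metadata.issuer
        TokenEndpoint = $Metadata.token_endpoint
    }
}

function Get-EntraTenantForUser {
    # Look up the tenant for a UPN such as joe@age.solutions by its domain suffix.
    # Microsoft publishes per-tenant metadata and accepts any verified domain of
    # the tenant in place of the tenant GUID, which is exactly the match the
    # login page performs after you type your username.
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $domain = ($UserPrincipalName -split '@')[-1]
    $url = "https://login.microsoftonline.com/$domain/v2.0/.well-known/openid-configuration"
    try {
        $meta = Invoke-RestMethod -Uri $url -Method Get -ErrorAction Stop
    }
    catch {
        # A domain that no tenant has verified returns HTTP 400 with error
        # "invalid_tenant" (AADSTS90002): the login page has nowhere to send the user.
        return [pscustomobject]@{ Domain = $domain; Found = $false; TenantId = $null }
    }
    $info = ConvertFrom-OidcMetadata -Metadata $meta
    [pscustomobject]@{ Domain = $domain; Found = $true; TenantId = $info.TenantId }
}

# Constructed sample metadata (placeholder GUID) so the parsing step runs offline.
$sampleJson = @'
{
  "issuer": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0",
  "authorization_endpoint": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/oauth2/v2.0/authorize",
  "token_endpoint": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/oauth2/v2.0/token"
}
'@
$sampleMetadata = $sampleJson | ConvertFrom-Json
ConvertFrom-OidcMetadata -Metadata $sampleMetadata | Format-List

# Live lookup (needs network): shows which tenant a given sign-in name lands in.
Get-EntraTenantForUser -UserPrincipalName 'joe@age.solutions'
```

Running the live lookup for accounts in two different organizations returns two different tenant IDs, which is the concrete reason a DISA sign-in and an AGE sign-in never see each other's MyApps: each is routed to its own tenant before any password or CAC prompt appears.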
Default and Cached Credentials
Many organizations that use Microsoft Edge enable a feature in the browser's default profile that automatically signs you in to M365 services with the work or school account associated with the computer you are on. For example, DISA employees using their DISA laptop can launch https://webmail.apps.mil (the Exchange Online M365 service) and will not be prompted to log in, because their DISA account is already connected on the computer and this feature is enabled. Furthermore, once a user has logged in to any M365 service, their credentials are cached in the browser, letting them access any other M365 service without signing in again. This is known as single sign-on. Together, these two features give users a seamless experience on their organization's issued computers: everything just works and the user is not routinely prompted to log in.
However, users with multiple personas, meaning separate identities in different tenants, often experience confusion and frustration when they attempt to access resources and are told they do not have permission.
Let's explore a scenario where an AGE employee uses a DISA laptop to complete their timesheet.
If the employee opens the default Edge profile on their DISA laptop, that profile will automatically be signed in to their DISA account. When they browse to Azure MyApps (https://apps.age.solutions), the browser automatically presents their DISA credentials, so the user sees the Azure MyApps associated with their DISA account rather than their AGE account, and thus no chicklet for Unanet Timekeeping.
How To Simultaneously Access M365 Services Using Different Identities
Fortunately, you have several options for accessing services in different tenants. We'll cover the most common, but depending on your organization's security posture and settings, some of these may not be available.
- Private or Incognito Browser - recommended only for temporary, one-off needs to access a different tenant.
- Browser Profiles - recommended for users that routinely need to access more than one tenant.
- Separate Browsers - can be leveraged if the user already has multiple browsers installed.
1. Private or Incognito Browser
When you open a Private or Incognito window, the browser essentially creates a new instance with no cached credentials (cookies). Simply by launching an incognito window, you can navigate to M365 (or relying 3rd party applications) and be prompted to log in. This lets you log in to different tenants in the standard and incognito browser instances.
To open Private/Incognito mode, right-click the browser icon on your taskbar and select In-Private/Incognito.
Some organizations, such as DISA, block In-Private/Incognito options on their installed browsers. In such instances, you'll need to use Browser Profiles as outlined below.
2. Browser Profiles
Most modern browsers, including Microsoft Edge and Google Chrome, support multiple Profiles. Each profile maintains its own cached credentials, browser history, favorites, cookies, etc. Additionally, most organizations do not restrict the use of Profiles. This makes Browser Profiles the optimal solution for accessing data in multiple M365 tenants (or 3rd party relying applications).
If you're using Microsoft Edge Profiles, you will be prompted to sign in with your M365 account. This sign-in at the profile level allows Edge to sync your settings, favorites, and history through the M365 tenant, so that signing in to the profile on a new computer restores all of those items.
While sign-in works, syncing of settings through US Government and DoD tenants is not currently supported. You can still sign in when creating the new profile, but understand that your settings will not be synced.
DISA GFE Setup Instructions
Your DISA GFE uses the Microsoft Edge browser with a Default Profile that is linked to your Windows account (e.g. your @mail.mil account). As described above, whenever that profile is prompted for an M365 login, it automatically authenticates using Windows Integrated Authentication. This means that when you browse to something like https://apps.age.solutions, which is a redirect to the MyApps service in M365, you'll already be authenticated with your DISA account and thus will not be able to access AGE resources.
To work around that, we'll need to set up a separate Edge Profile to use for access to AGE resources. However, there is a significant caveat: DISA uses Cloud Based Internet Isolation (CBII), which you may know as "Menlo Security". This service is designed to protect users when browsing the internet and requires users to first authenticate to the Menlo cloud security gateway, which relies on M365 federated authentication. We'll walk you through how to set up your profile and access AGE resources.
AGE requires Multi-Factor Authentication to access our resources. If you work in a facility where you do not have access to your phone, you'll need to enable your AGE account for CAC authentication. Please see the CAC Authentication for AGE Resources KBA for more details.
You must complete this step before proceeding!
First, on your GFE, you'll need to launch the Edge browser (Default Profile). In the top right, click the Profile icon --> Select Setup a New Profile --> Work or School, as depicted below.
A new Edge window will open; this window is associated with the newly created profile. You'll need to select the Profile icon again to sign in to your AGE account.
You will then be presented with a Microsoft Sign In window. Enter your AGE email address and select Next. You should then be prompted to authenticate with your CAC. If this doesn't happen, please look for a link to Sign in With Certificate. After authentication, the window will close and the new profile will now be associated with your AGE account.
At this point, the taskbar should show a second Edge browser icon, which is the window associated with your AGE profile. It is highly recommended to right-click it and select Pin to Taskbar, as this gives you a shortcut for accessing AGE resources in the future.
Next, we'll need to handle Menlo Security (CBII), which requires you to authenticate with your GFE account. In the new profile, open a new tab and browse to www.google.com, which should result in an authentication prompt with the "Doggles" (Dog in Goggles) background, the hint that you are authenticating to a DISA managed endpoint. You do not need to type a username or password; simply click "Sign in with CAC/PIV" and select your certificate.
This important step is necessary each time you launch this browser profile, as it tells Menlo which government user account is trying to browse the web.
Next, open a new tab and browse to https://apps.age.solutions, which will likely authenticate you automatically (and incorrectly) with your government account. In the upper-right corner, below the browser profile icon, you should see your government account icon. Select it and choose Sign Out. After doing this, browse to https://apps.age.solutions again and this time select "Use another account" and enter your AGE email address. Since your account is CAC enabled, you should be prompted to authenticate with your CAC and will then be presented with the MyApps page for AGE Solutions.
As a general rule of thumb, when you click any chicklet on MyApps, if you're presented with a login screen with the AGE Solutions logo in the background, you're using the correct identity.
General Setup Instructions
You can pin each profile separately to the Windows taskbar, giving you a quick and easy way to open the correct profile for whichever tenant you intend to access. In the figure below, 8 different profiles have been pinned to the taskbar.

Critically, having multiple profiles can be problematic when clicking links. By default, Microsoft Edge tries to pick the profile for a link based on its URL, which often results in undesirable and confusing behavior. As a result, it is strongly recommended to disable automatic profile switching in every profile you set up.
To disable automatic profile switching, complete the following steps in EACH browser profile session: navigate to edge://settings/profiles/multiProfileSettings. Here you will see several options to customize this behavior. In the image below, all profile switching has been disabled and the "Default profile for external links" is set to "Last Used".
Note that the final option on that page lets you specify a profile to use based on the URL, which may be useful in some instances. When in doubt, you can always copy a link and paste it directly into the desired profile.
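With several profiles pinned, the practical problem is remembering which profile holds which identity. As an added example (not part of this KBA or any AGE or DISA tooling), the PowerShell below lists the Edge profiles on the current machine with the account each is signed into, reading Chromium's profile cache from Edge's Local State file, and creates a desktop shortcut per profile that opens Edge directly into that profile via the --profile-directory switch. Those shortcuts can then be pinned to the taskbar, as described for the AGE profile in the DISA GFE instructions and in this section. It assumes the standard per-user Edge install layout; the Local State field names used (profile.info_cache, name, user_name) are Chromium's profile cache, and the script writes only to the current user's Desktop.

```powershell
# Added example (not part of the original KBA): map Edge profiles to the account
# each is signed into, and create one desktop shortcut per profile so the right
# identity can be opened directly (and pinned to the taskbar from the shortcut).
# Assumptions: per-user Edge install; Local State JSON carries Chromium's
# profile.info_cache with 'name' and 'user_name' per profile directory.

function Get-EdgeProfile {
    $localState = Join-Path $env:LOCALAPPDATA 'Microsoft\Edge\User Data\Local State'
    if (-not (Test-Path $localState)) { throw "Edge Local State not found at $localState" }
    $state = Get-Content -Raw -Path $localState | ConvertFrom-Json
    foreach ($entry in $state.profile.info_cache.PSObject.Properties) {
        [pscustomobject]@{
            Directory = $entry.Name            # e.g. 'Default', 'Profile 1'
            Name      = $entry.Value.name      # display name chosen in Edge
            Account   = $entry.Value.user_name # signed-in account, empty if none
        }
    }
}

function Get-EdgeExecutable {
    # App Paths is where Windows records where msedge.exe was installed.
    $appPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\msedge.exe'
    if (Test-Path $appPath) { return (Get-ItemProperty -Path $appPath).'(default)' }
    return Join-Path ${env:ProgramFiles(x86)} 'Microsoft\Edge\Application\msedge.exe'
}

function New-EdgeProfileShortcut {
    param(
        [Parameter(Mandatory)][string]$Directory,
        [Parameter(Mandatory)][string]$Label
    )
    $desktop = [Environment]::GetFolderPath('Desktop')
    $shell   = New-Object -ComObject WScript.Shell
    $lnk     = $shell.CreateShortcut((Join-Path $desktop "Edge - $Label.lnk"))
    $lnk.TargetPath = Get-EdgeExecutable
    # --profile-directory is Chromium's switch for opening a named profile directly,
    # bypassing Edge's own guess about which profile a link belongs to.
    $lnk.Arguments  = "--profile-directory=`"$Directory`""
    $lnk.Save()
    $lnk.FullName
}

# Usage: show the identity map, then create a labelled shortcut per profile.
# Profiles with no signed-in account fall back to their display name.
Get-EdgeProfile | Format-Table -AutoSize
foreach ($p in Get-EdgeProfile) {
    $label = if ($p.Account) { $p.Account } else { $p.Name }
    New-EdgeProfileShortcut -Directory $p.Directory -Label $label
}
```

Labelling each shortcut with the signed-in account rather than the profile's display name is deliberate: it is the account, not the profile name, that determines which tenant's MyApps and chicklets you will see.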
3. Separate Browsers
The final option is to use different browsers. Cached credentials, cookies, history, and favorites are not shared between browsers, so you can log in to Tenant A using Microsoft Edge and Tenant B using Google Chrome without any issues. This option has limited use because it requires a 1:1 relationship between installed browsers and tenants, which generally doesn't scale well.
However, for users who simply need to do timesheets and the like, this is a good option. For DISA users, open Chrome and browse to any site. You'll be prompted to authenticate; use your DISA account (CAC), as this is Menlo CBII. After completing that authentication, browse to https://apps.age.solutions and you will again be prompted to authenticate; this time enter your AGE email address. You'll again use your certificate to authenticate and should then be able to access AGE resources.