Introducing Microsoft 365 Identities
The Microsoft 365 (M365) and Azure ecosystems rely on an identity service called Entra ID, formerly known as Azure Active Directory. Users use these identities to access Microsoft 365 services such as Exchange Online, SharePoint Online, and Teams. In some cases, federated authentication means your M365 identity can also be used to access non-Microsoft resources; this is akin to signing in to a website with the "Login with Google" or "Login with Facebook" option. As an example, at AGE we use federated identity for our Timekeeping system, providing seamless single sign-on. These applications are referred to as "relying 3rd party applications", because they rely on Entra ID to authenticate their users.

This KBA is limited to AGE Solutions employees and authorized individuals. If you need to share similar content with someone outside of AGE, please consider directing them to this LinkedIn article.
Introducing Microsoft 365 Tenants
In the M365 ecosystem, the base unit of separation is known as a "tenant". Most commonly, a tenant represents an organization, such as AGE Solutions or DISA. Identities live within tenants and commonly use an email address as the principal name, such as joe@age.solutions. Tenant names are otherwise arbitrary and typically hidden from users; however, the organization's domain is associated with the tenant. For example, the age.solutions domain is associated with AGE's otherwise arbitrarily named tenant.
When logging into an M365 or relying 3rd party application, users are presented with a Microsoft login page. When the user enters their username (email address), Microsoft matches the domain to its tenant and then directs authentication to that tenant.
Default and Cached Credentials
Many organizations that use Microsoft Edge enable a feature in the browser's default profile that automatically signs you into M365 services with the work or school account associated with the computer you are on. For example, DISA employees using their DISA laptop can launch https://webmail.apps.mil (the Exchange Online M365 service) and will not be prompted to log in, because their DISA account is already connected on the computer and this feature is enabled. Furthermore, once a user has logged into any M365 service, their credentials are cached in the browser, enabling them to quickly access any other M365 service without needing to sign in again. This is known as single sign-on. Collectively, these two features result in a rather seamless experience for the user on their organization's issued computer: everything just works, and the user isn't routinely prompted to log in.
However, users with multiple personas, meaning someone with unique identities in multiple different tenants, often experience confusion and frustration as they attempt to access resources and are told they do not have permissions.
Let's explore a scenario where an AGE employee uses a DISA laptop to try to complete their timesheet.
If the employee opens the default Edge profile on their DISA laptop, that profile will automatically be logged into their DISA account. When they browse to Azure MyApps (https://apps.age.solutions), the browser automatically presents their DISA credentials, so the user sees the Azure MyApps associated with their DISA account, not their AGE account, and thus no chicklet (app tile) for Unanet Timekeeping.
How To Simultaneously Access M365 Services Using Different Identities
Fortunately, you have several options for accessing services in different tenants. We'll cover the most common, but depending on your organization's security posture and settings, some of these may not be available.
- Private or Incognito Browser - recommended only for temporary, one-off needs to access a different tenant.
- Browser Profiles - recommended for users that routinely need to access more than one tenant.
- Separate Browsers - can be leveraged if the user already has multiple browsers installed, though this is completely unnecessary. Profiles are often a better solution.
1. Private or Incognito Browser
When you open a Private or Incognito browser window, it essentially creates a new instance of the browser with no cached credentials (cookies). By simply launching an incognito window, you can navigate to M365 (or relying 3rd party applications) and be prompted to log in. This lets you sign in to different tenants in the standard and incognito browser instances at the same time.
To open Private/Incognito mode, you can right-click on the browser icon in your system tray and select In-Private/Incognito.

Some organizations, such as DISA, block In-Private/Incognito options on their installed browsers. In such instances, you'll need to use Browser Profiles as outlined below.
2. Browser Profiles
Most modern browsers, including Microsoft Edge and Google Chrome, support multiple Profiles. Each profile maintains its own cached credentials, browser history, favorites, cookies, etc. Additionally, most organizations do not restrict the use of Profiles. This makes Browser Profiles the optimal solution for accessing data in multiple M365 tenants (or 3rd party relying applications).
If you're using Microsoft Edge Profiles, you will be prompted to sign in with your M365 account. This sign-in at the profile level allows the Edge browser to sync your settings, favorites, and history through the M365 tenant, so you can simply sign in to the profile on a new computer to have all of those items restored.

While sign-in works, syncing of settings through US Government and DoD tenants is not currently supported. You can still log in when creating the new profile, but understand that your settings will not be synced.

You can separately pin each profile to the taskbar in Windows, allowing you to have a quick and easy way to open the correct profile for whatever tenant you are intending to access. In the below figure, you can see 8 different profiles have been pinned to the taskbar.


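As an added example (not part of this KBA), the following PowerShell script reads Edge's list of profiles and creates one desktop shortcut per profile, each launching msedge.exe directly into that profile; you can then pin each shortcut to the taskbar. It assumes the standard Edge install paths and the standard Chromium "Local State" file layout.

```powershell
# Added example, not from the KBA: one desktop shortcut per Edge profile.
# Assumptions: Edge is installed in one of the two default locations, and
# "Local State" uses the standard Chromium layout (profile.info_cache maps
# each profile directory, e.g. "Profile 1", to metadata including its display name).

$localState = Join-Path $env:LOCALAPPDATA 'Microsoft\Edge\User Data\Local State'
if (-not (Test-Path $localState)) { throw "Edge Local State not found at $localState" }

# Locate msedge.exe in the usual install locations.
$edgeExe = @(
    "${env:ProgramFiles(x86)}\Microsoft\Edge\Application\msedge.exe",
    "$env:ProgramFiles\Microsoft\Edge\Application\msedge.exe"
) | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $edgeExe) { throw 'msedge.exe not found in the default install locations' }

# "Local State" is JSON; enumerate the profile directories and their display names.
$json    = Get-Content -Path $localState -Raw | ConvertFrom-Json
$cache   = $json.profile.info_cache
$shell   = New-Object -ComObject WScript.Shell
$desktop = [Environment]::GetFolderPath('Desktop')

foreach ($prop in $cache.PSObject.Properties) {
    $dir  = $prop.Name          # profile directory, e.g. "Default" or "Profile 1"
    $name = $prop.Value.name    # display name chosen when the profile was created
    if (-not $name) { $name = $dir }

    # Remove characters that are not valid in a file name.
    $safe = ($name -replace '[\\/:*?"<>|]', '_')
    $lnk  = Join-Path $desktop "Edge - $safe.lnk"

    # --profile-directory tells Edge which profile to open, bypassing profile picking.
    $sc = $shell.CreateShortcut($lnk)
    $sc.TargetPath   = $edgeExe
    $sc.Arguments    = "--profile-directory=`"$dir`""
    $sc.Description  = "Microsoft Edge profile '$name' ($dir)"
    $sc.IconLocation = "$edgeExe,0"
    $sc.Save()
    Write-Host "Created $lnk -> $dir"
}
```

Right-click a created shortcut and choose "Pin to taskbar" to get one taskbar entry per tenant profile.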
Critically, having multiple profiles can be problematic when clicking links. By default, Microsoft Edge attempts to figure out which profile should be used for a link based on its URL. This often results in undesirable and confusing behavior. As a result, it is strongly recommended to disable automatic profile switching in every profile you set up.
To disable automatic profile switching, complete the following steps in EACH browser profile session: navigate to edge://settings/profiles/multiProfileSettings. Here you will see several options for customizing profile behavior. In the image below, all profile switching has been disabled, and "Default profile for external links" is set to "Last Used".

Note that the final option on that page lets you specify a profile to use based on the URL, which may be useful in some instances. When in doubt, you can always copy a link and paste it directly into the desired profile.
3. Separate Browser
The final option is to use different browsers. Cached credentials, cookies, history, and favorites are not shared between different browsers. As such, you can log in to Tenant A using Microsoft Edge and Tenant B using Google Chrome without any issues. This option obviously has limited use, as it requires a 1:1 relationship between installed browsers and tenants, which generally doesn't scale well.