From 9234a3ede83e9518a42c23b9e338f9ab7c38111c Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Mon, 1 May 2023 07:53:35 -0400 Subject: [PATCH] Added shared cart scenario --- education/windows/federated-sign-in.md | 73 ++++++++++++++++++++++---- 1 file changed, 64 insertions(+), 9 deletions(-) diff --git a/education/windows/federated-sign-in.md b/education/windows/federated-sign-in.md index 326c71ca59..6c8bf036fa 100644 --- a/education/windows/federated-sign-in.md +++ b/education/windows/federated-sign-in.md @@ -1,7 +1,7 @@ --- title: Configure federated sign-in for Windows devices description: Description of federated sign-in feature for the Education SKUs of Windows 11 and how to configure it via Intune or provisioning packages. -ms.date: 04/11/2023 +ms.date: 05/01/2023 ms.topic: how-to appliesto: - ✅ Windows 11 @@ -41,7 +41,7 @@ To implement federated sign-in, the following prerequisites must be met: - [Azure AD Connect sync][AZ-3] for environment with on-premises AD DS - PowerShell scripts that call the [Microsoft Graph API][GRAPH-1] - provisioning tools offered by the IdP - + For more information about identity matching, see [Identity matching in Azure AD](#identity-matching-in-azure-ad). 1. Licenses assigned to the Azure AD user accounts. It's recommended to assign licenses to a dynamic group: when new users are provisioned in Azure AD, the licenses are automatically assigned. For more information, see [Assign licenses to users by group membership in Azure Active Directory][AZ-2] 1. Enable federated sign-in on the Windows devices 
@@ -55,13 +55,19 @@ To use federated sign-in, the devices must have Internet access. This feature wo ### System requirements -Federated sign-in is supported on the following Windows SKUs and versions: +Federated sign-in for single user devices is supported on the following Windows editions and versions: - Windows 11 SE, version 22H2 and later - Windows 11 Pro Edu/Education, version 22H2 with [KB5022913][KB-1] +Federated sign-in for shared devices is supported starting in Windows 11 SE/Pro Edu/Education, version 22H2 with [KB5026446][KB-2]. + ## Configure federated sign-in +You can configure federated sign-in for single user devices or shared devices. The configuration is different for each scenario, and is described in the following sections. + +### Configure federated sign-in for single user devices + To use web sign-in with a federated identity provider, your devices must be configured with different policies. Follow the instructions below to configure your devices using either Microsoft Intune or a provisioning package (PPKG). #### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune) @@ -72,9 +78,9 @@ To configure federated sign-in using Microsoft Intune, [create a custom profile] | Setting | |--------| +|
  • OMA-URI: **`./Vendor/MSFT/Policy/Config/Education/IsEducationEnvironment`**
  • Data type: **Integer**
  • Value: **1**
  • | |
  • OMA-URI: **`./Vendor/MSFT/Policy/Config/FederatedAuthentication/EnableWebSignInForPrimaryUser`**
  • Data type: **Integer**
  • Value: **1**
  • | |
  • OMA-URI: **`./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls`**
  • Data type: **String**
  • Value: Semicolon separated list of domains, for example: **`samlidp.clever.com;clever.com;mobile-redirector.clever.com`**
  • | -|
  • OMA-URI: **`./Vendor/MSFT/Policy/Config/Education/IsEducationEnvironment`**
  • Data type: **Integer**
  • Value: **1**
  • | |
  • OMA-URI: **`./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebCamAccessDomainNames`**
  • Data type: **String**
  • Value: This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process, separated by a semicolon. For example: **`clever.com`**
  • | :::image type="content" source="images/federated-sign-in-settings-intune.png" alt-text="Custom policy showing the settings to be configured to enable federated sign-in" lightbox="images/federated-sign-in-settings-intune.png" border="true"::: @@ -88,14 +94,54 @@ To configure federated sign-in using a provisioning package, use the following s | Setting | |--------| +|
  • Path: **`Education/IsEducationEnvironment`**
  • Value: **Enabled**
  • | |
  • Path: **`FederatedAuthentication/EnableWebSignInForPrimaryUser`**
  • Value: **Enabled**
  • | |
  • Path: **`Policies/Authentication/ConfigureWebSignInAllowedUrls`**
  • Value: Semicolon separated list of domains, for example: **`samlidp.clever.com;clever.com;mobile-redirector.clever.com`**
  • | -|
  • Path: **`Policies/Education/IsEducationEnvironment`**
  • Value: **Enabled**
  • | |
  • Path: **`Policies/Authentication/ConfigureWebCamAccessDomainNames`**
  • Value: This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process, separated by a semicolon. For example: **`clever.com`**
  • | :::image type="content" source="images/federated-sign-in-settings-ppkg.png" alt-text="Custom policy showing the settings to be configured to enable federated sign-in" lightbox="images/federated-sign-in-settings-ppkg.png" border="true"::: -Apply the provisioning package to the devices that require federated sign-in. +Apply the provisioning package to the single-user devices that require federated sign-in. + +> [!IMPORTANT] +> There was an issue affecting Windows 11, version 22H2 when using provisioning packages during OOBE. The issue was fixed with the KB5020044 update. If you plan to configure federated sign-in with a provisioning package during OOBE, ensure that the devices have the update installed. For more information, see [KB5020044][KB-1]. + +--- + +### Configure federated sign-in for shared devices + +To use web sign-in with a federated identity provider, your devices must be configured with different policies. Follow the instructions below to configure your shared devices using either Microsoft Intune or a provisioning package (PPKG). + +#### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune) + +To configure federated sign-in using Microsoft Intune, [create a custom profile][MEM-1] with the following settings: + +[!INCLUDE [intune-custom-settings-1](includes/intune-custom-settings-1.md)] + +| Setting | +|--------| +|
  • OMA-URI: **`./Vendor/MSFT/Policy/Config/Education/IsEducationEnvironment`**
  • Data type: **Integer**
  • Value: **1**
  • | +|
  • OMA-URI: **`./Vendor/MSFT/SharedPC/EnableSharedPCModeWithOneDriveSync`**
  • Data type: **Boolean**
  • Value: **True**
  • | +|
  • OMA-URI: **`./Vendor/MSFT/Policy/Config/Authentication/EnableWebSignIn`**
  • Data type: **Integer**
  • Value: **1**
  • | +|
  • OMA-URI: **`./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls`**
  • Data type: **String**
  • Value: Semicolon separated list of domains, for example: **`samlidp.clever.com;clever.com;mobile-redirector.clever.com`**
  • | +|
  • OMA-URI: **`./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebCamAccessDomainNames`**
  • Data type: **String**
  • Value: This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process, separated by a semicolon. For example: **`clever.com`**
  • | + +[!INCLUDE [intune-custom-settings-2](includes/intune-custom-settings-2.md)] +[!INCLUDE [intune-custom-settings-info](includes/intune-custom-settings-info.md)] + +#### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg) + +To configure federated sign-in using a provisioning package, use the following settings: + +| Setting | +|--------| +|
  • Path: **`Education/IsEducationEnvironment`**
  • Value: **Enabled**
  • | +|
  • Path: **`SharedPC/EnableSharedPCModeWithOneDriveSync`**
  • Value: **True**
  • | +|
  • Path: **`Policies/Authentication/EnableWebSignIn`**
  • Value: **Enabled**
  • | +|
  • Path: **`Policies/Authentication/ConfigureWebSignInAllowedUrls`**
  • Value: Semicolon separated list of domains, for example: **`samlidp.clever.com;clever.com;mobile-redirector.clever.com`**
  • | +|
  • Path: **`Policies/Authentication/ConfigureWebCamAccessDomainNames`**
  • Value: This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process, separated by a semicolon. For example: **`clever.com`**
  • | + +Apply the provisioning package to the shared devices that require federated sign-in. > [!IMPORTANT] > There was an issue affecting Windows 11, version 22H2 when using provisioning packages during OOBE. The issue was fixed with the KB5020044 update. If you plan to configure federated sign-in with a provisioning package during OOBE, ensure that the devices have the update installed. For more information, see [KB5020044][KB-1]. @@ -115,12 +161,19 @@ As the end users enter their username, they'll be redirected to the identity pro ## Important considerations -Federated sign-in doesn't work on devices that have the following settings enabled: +Federated sign-in for single user devices doesn't work when have the following settings enabled: -- **EnableSharedPCMode**, which is part of the [SharedPC CSP][WIN-1] +- **EnableSharedPCMode** or **EnableSharedPCModeWithOneDriveSync**, which are part of the [SharedPC CSP][WIN-1] - **Interactive logon: do not display last signed in**, which is a security policy part of the [Policy CSP][WIN-2] - **Take a Test**, since it uses the security policy above +### Preferred Azure AD tenant name + +To improve the user experience, you can use configure your devices to use *preferred Azure AD tenant name*.\ +When using preferred AAD tenant name, the users will bypass the disambiguation page and will be redirected to the identity provider sign-in page. + +For more information about preferred tenant name, see [Authentication CSP - PreferredAadTenantDomainName][WIN-3]. + ### Identity matching in Azure AD When an Azure AD user is federated, the user's identity from the IdP must match an existing user object in Azure AD. 
@@ -180,6 +233,8 @@ Update-MgUser -UserId alton@example.onmicrosoft.com -UserPrincipalName alton@exa [SDS-1]: /schooldatasync [KB-1]: https://support.microsoft.com/kb/5022913 +[KB-2]: https://support.microsoft.com/kb/5026446 [WIN-1]: /windows/client-management/mdm/sharedpc-csp -[WIN-2]: /windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#localpoliciessecurityoptions-interactivelogon-donotdisplaylastsignedin \ No newline at end of file +[WIN-2]: /windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#localpoliciessecurityoptions-interactivelogon-donotdisplaylastsignedin +[WIN-3]: /windows/client-management/mdm/policy-csp-authentication#preferredaadtenantdomainname \ No newline at end of file
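Review bot: On the `@@ -55,13 +55,19 @@` hunk, the new heading "Configure federated sign-in for single user devices" and the sentence "Federated sign-in for single user devices is supported..." write the compound without a hyphen, while the later PPKG hunk writes "Apply the provisioning package to the single-user devices"; settle on one form (hyphenated as a modifier reads best) across the page, including the "Important considerations" heading text. The new "You can configure federated sign-in for single user devices or shared devices" paragraph would also be the natural place to state in one sentence what distinguishes the two configurations, namely that the shared-device tables set `EnableSharedPCModeWithOneDriveSync` and the all-users `EnableWebSignIn` policy instead of `EnableWebSignInForPrimaryUser`, so readers pick the right section before reaching the tables.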
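Review bot: In the `@@ -88,14 +94,54 @@` hunk, the added IMPORTANT note reads "For more information, see [KB5020044][KB-1]", but `[KB-1]` resolves to `https://support.microsoft.com/kb/5022913` (the KB5022913 article cited under System requirements), so the link text and target disagree, and the same mismatch is copied into the shared-devices IMPORTANT note; define a separate reference for KB5020044 (for example `[KB-3]` pointing at the KB5020044 support article, whose exact URL should be checked rather than assumed) and use it in both notes. Two smaller points in the same hunk: the PPKG path for the education setting changes from `Policies/Education/IsEducationEnvironment` to `Education/IsEducationEnvironment` while the sibling rows keep the `Policies/Authentication/...` prefix, so confirm the intended node in the provisioning package designer before merging; and the whole shared-devices section is a near-verbatim copy of the single-user section (intro sentence, tab headers, includes, IMPORTANT note), which will drift over time, so consider moving the shared text into an include and keeping only the two setting tables inline. Since `ConfigureWebSignInAllowedUrls` is the allowlist that bounds which URLs the web sign-in surface may load, a short sentence beside both tables saying to list only the IdP's own domains (as the `clever.com` example does) would help administrators avoid over-broad entries.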
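Review bot: In the `@@ -115,12 +161,19 @@` hunk, the rewritten sentence "Federated sign-in for single user devices doesn't work when have the following settings enabled:" is missing its subject; suggest "doesn't work on devices that have the following settings enabled:". In the new "Preferred Azure AD tenant name" subsection, "you can use configure your devices" should be "you can configure your devices", and "preferred AAD tenant name" should match the "preferred Azure AD tenant name" wording used in the heading and the previous sentence. Since the considerations list now names both `EnableSharedPCMode` and `EnableSharedPCModeWithOneDriveSync` as blocking the single-user scenario while the new shared-device tables set only `EnableSharedPCModeWithOneDriveSync`, add a line clarifying whether `EnableSharedPCMode` on its own is supported for shared devices, so readers do not assume either SharedPC setting works.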
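Review bot: In the `@@ -180,6 +233,8 @@` hunk, the file still ends without a trailing newline (`\ No newline at end of file` on the new `[WIN-3]` line); add one so the next edit to the reference list does not show a spurious change on that line. The new `[KB-2]` and `[WIN-3]` definitions match their uses in the earlier hunks.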