Windows 11 Gets Policy to Automatically Grant SSO Permissions

In a significant move to enhance the user experience for IT administrators, Microsoft has introduced a new policy aimed at simplifying the Windows sign-in process. This initiative allows for the automatic approval of Single Sign-On (SSO) permissions on eligible managed devices, effectively streamlining access to Microsoft applications and services. This feature will be available with the upcoming July 2026 security update for Windows 11 versions 24H2 and 25H2.

Recent regulatory changes within the European Economic Area (EEA) have necessitated that Windows users explicitly consent to the use of their sign-in credentials for accessing various Microsoft services. As a result, users have been encountering prompts requesting consent rather than enjoying seamless automatic sign-ins. In response to feedback from enterprise customers, Microsoft has sought to alleviate this inconvenience by providing a more efficient solution for managed devices, where organizations already enforce authentication policies.

How does the registry setting work?

With the introduction of this feature, IT administrators can leverage a specific registry setting to automatically grant SSO permissions for eligible managed devices. This adjustment allows users to access Microsoft applications and services using their existing Windows credentials, all while bypassing additional consent prompts.

Registry Path: HKLMSOFTWAREPoliciesMicrosoftWindowsAAD
Value: AutoAcceptSsoPermission (DWORD) = 1

Microsoft elaborated on the rationale behind this development, stating, “For managed enterprise environments, some organizations wanted additional flexibility to manage the SSO prompt experience on devices where their organizations already manage sign-in policies and trust relationships. To support those scenarios, we’ve developed a registry-based control that lets IT administrators automatically accept SSO permissions on eligible managed Windows devices.”

Registry setting (Image Credit: Microsoft)

How can organizations enable the new Windows 11 SSO feature?

To activate this new SSO feature, administrators must configure the policy through the Windows registry under the Microsoft Entra ID settings. This can be accomplished using various enterprise management tools, including Group Policy, Microsoft Intune, Configuration Manager, or any other solutions that support registry deployment.

This feature is tailored specifically for managed enterprise devices linked to Microsoft Entra ID and does not impact personal Microsoft accounts or unmanaged devices, which will continue to display consent prompts. It is essential for organizations to ensure their devices are operating on Windows 11 versions 24H2 or 25H2 and have installed the July 2026 security update. Once the update is successfully implemented, IT administrators can deploy the necessary registry policy through their chosen management platform and verify the configuration to ensure that the Single Sign-On experience functions as intended across all managed devices.

Winsage
Windows 11 Gets Policy to Automatically Grant SSO Permissions