
[Problem/Bug]: WebView2 SSO (AllowSingleSignOnUsingOSPrimaryAccount) fails with AADSTS50058 despite valid PRT — Azure AD Conditional Access blocks WebView2 but allows Edge on same machine #5595

@mukeshkamishra-cyber

Description


What happened?

We have a WPF application using WebView2 to load Outlook webmail (outlook.office.com). SSO via AllowSingleSignOnUsingOSPrimaryAccount = true works for all users except one. On the affected machine, Edge browser auto-logs into the same URL without credentials, but WebView2 fails with AADSTS50058 and ultimately gets redirected to a tenant-specific Conditional Access error page.

Environment
OS: Windows (domain-joined + Azure AD Hybrid Joined)
WebView2 Runtime: 148.0.3967.70
WebView2 SDK: Latest stable
Target URL: https://outlook.office.com/mail/inbox
Tenant: Azure AD with Conditional Access policies enabled
Machine State (dsregcmd /status)
AzureAdJoined : YES
DomainJoined : YES
AzureAdPrt : YES
AzureAdPrtUpdateTime : 2026-05-18 07:14:36.000 UTC
AzureAdPrtExpiryTime : 2026-06-01 07:14:35.000 UTC
CloudTgt : YES
OnPremTgt : YES
WamDefaultSet : YES
WamDefaultAuthority : organizations
WamDefaultGUID : {B16898C6-A148-4967-9171-64D755DA8520} (AzureAd)
KeySignTest : PASSED
DeviceAuthStatus : SUCCESS

WebView2 Configuration

```csharp
CoreWebView2EnvironmentOptions options = new CoreWebView2EnvironmentOptions()
{
    // Chromium command-line switches must carry the "--" prefix; without it the
    // bare words are not recognised as switches.
    AdditionalBrowserArguments = "--enable-media-stream --disable-gpu --disable-gpu-compositing --enable-begin-frame-scheduling --enable-features=msWebView2EnableProfileSignin,msSingleSignOnOSForPrimaryAccountIsShared",
    AllowSingleSignOnUsingOSPrimaryAccount = true
};

// Empty browserExecutableFolder selects the installed WebView2 Runtime.
CoreWebView2Environment environment = await CoreWebView2Environment.CreateAsync(
    "",
    userDataFolder: @"C:\Users\<user>\AppData\Local\<AppName>\cache\wv",
    options);
```

Observed Behavior

  1. WebView2 navigates to outlook.office.com
  2. Outlook's MSAL library attempts silent auth (prompt=none) to login.microsoftonline.com/organizations/oauth2/v2.0/authorize
  3. Azure AD returns AADSTS50058: "A silent sign-in request was sent but no user is signed in. The cookies used to represent the user's session were not sent in the request to Azure AD."
  4. Outlook falls back to interactive login (prompt=select_account)
  5. User lands on Microsoft login page, selects account
  6. login.microsoftonline.com/common/login returns 302 redirect to tenant's custom CA error page
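
As an added diagnostic (not code from the issue, the app, or the WebView2 SDK): a helper that hooks WebView2's navigation and response events to log each leg of the flow above, so the silent prompt=none probe, the AADSTS code in the error redirect, and the 302 to the tenant's Conditional Access error page can be confirmed from inside the app. AuthFlowTracer and its members are assumed names; the events and properties used are the WebView2 .NET SDK's.

```csharp
using System;
using System.Text.RegularExpressions;
using Microsoft.Web.WebView2.Core;

// Hypothetical helper (not part of the issue or the SDK). Usage after
// EnsureCoreWebView2Async: AuthFlowTracer.Attach(webView.CoreWebView2, Console.WriteLine);
public static class AuthFlowTracer
{
    static readonly Regex AadsCode = new Regex(@"AADSTS\d+", RegexOptions.Compiled);

    public static void Attach(CoreWebView2 core, Action<string> log)
    {
        Action<string, string> trace = (kind, uri) =>
        {
            string line = Describe(kind, uri);
            if (line != null) log(line);
        };
        // MSAL's silent prompt=none probe normally runs in a hidden iframe, so the
        // frame event is needed as well as the top-level one.
        core.NavigationStarting += (s, e) => trace("nav", e.Uri);
        core.FrameNavigationStarting += (s, e) => trace("frame", e.Uri);

        // The redirect to the tenant's Conditional Access error page arrives as a 3xx
        // whose Location header points at aadcacustomerror.<tenant>.com.
        core.WebResourceResponseReceived += (s, e) =>
        {
            int status = e.Response.StatusCode;
            if (status < 300 || status >= 400 || !e.Response.Headers.Contains("Location")) return;
            string location = e.Response.Headers.GetHeader("Location");
            if (location.IndexOf("aadcacustomerror", StringComparison.OrdinalIgnoreCase) >= 0)
                log($"CA block: {e.Request.Uri} -> {status} {location}");
        };
    }

    // Summarise an auth-related URL: host, prompt mode (none / select_account / -) and any
    // AADSTS code carried in the query or fragment of the redirect back to the app.
    // Returns null for URLs that are not part of the sign-in flow.
    public static string Describe(string kind, string uri)
    {
        string decoded = Uri.UnescapeDataString(uri ?? "");
        bool isLogin = decoded.IndexOf("login.microsoftonline.com", StringComparison.OrdinalIgnoreCase) >= 0;
        Match code = AadsCode.Match(decoded);
        if (!isLogin && !code.Success) return null;
        Match prompt = Regex.Match(decoded, @"[?&]prompt=([^&#]+)");
        string host = Uri.TryCreate(uri, UriKind.Absolute, out Uri parsed) ? parsed.Host : "?";
        return $"{kind}: host={host} prompt={(prompt.Success ? prompt.Groups[1].Value : "-")} " +
               $"error={(code.Success ? code.Value : "-")}";
    }
}
```

A healthy SSO run shows the prompt=none request with no AADSTS line after it; the failing case logs "error=AADSTS50058" on the frame redirect followed by the "CA block" line.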

Expected Behavior
WebView2 should inject the PRT into the auth request (same as Edge does), resulting in silent SSO without showing the login page.

Key Evidence

  • Edge SSO works on the same machine for the same URL — confirms PRT is valid and CA policy allows Edge
  • WebView2 SSO fails — PRT is not being injected into WebView2's requests
  • 0 auth cookies at WebView2 initialization — confirms no prior session exists
  • CA policy blocks interactive login — even manual login is rejected, redirecting to tenant error page

What We Tried (All Failed)

| # | Attempt | Result |
|---|---------|--------|
| 1 | AllowSingleSignOnUsingOSPrimaryAccount = true | AADSTS50058 — PRT not injected |
| 2 | Removed -ignore-certificate-errors flag (was breaking TLS channel binding) | Same AADSTS50058 |
| 3 | Deleted WebView2 user data folder and restarted | Same AADSTS50058 |
| 4 | Verified dsregcmd /status — AzureAdPrt: YES, CloudTgt: YES | Machine state is healthy |
| 5 | Confirmed Edge SSO works on same machine | PRT is functional for Edge |

Questions

  1. Why does AllowSingleSignOnUsingOSPrimaryAccount = true not inject the PRT when dsregcmd confirms AzureAdPrt: YES and Edge SSO works on the same machine?
  2. Is there a difference in how Edge uses the PRT vs how WebView2 uses it? Edge appears to go through the WAM broker while WebView2 may use a different code path that the CA policy doesn't recognize.
  3. Are there additional Chromium feature flags or WebView2 APIs that can make WebView2's SSO behavior identical to Edge's WAM-based authentication?
  4. Is there a way to make WebView2 use the WAM broker (like Edge does) rather than the direct PRT injection path?

Importance

Blocking. My app's basic functions are not working due to this issue.

Runtime Channel

Stable release (WebView2 Runtime)

Runtime Version

148.0.3967.70

SDK Version

1.0.2903.40

Framework

WPF

Operating System

Windows 11

OS Version

No response

Repro steps

Reproduction

  • Works for other users on the same Azure AD tenant
  • Fails only for this specific user/machine combination
  • Edge SSO works on the same machine → rules out PRT/device issues
  • Issue is specific to WebView2's PRT injection mechanism being blocked by tenant CA policy

Additional Context

The tenant's Conditional Access policy appears to differentiate between Edge (trusted/first-party) and WebView2 (untrusted/third-party app). The CA error page redirect (aadcacustomerror.<tenant>.com) confirms the policy is actively blocking the authentication attempt from WebView2.

Repros in Edge Browser

No, issue does not reproduce in the corresponding Edge version

Regression

No, this never worked

Last working version (if regression)

No response

Labels

bug