Conditional Access Policies that query "Device Info" such as the compliance status or a filter do not work natively in all browsers. Since devices that have a compliance status are mostly managed anyway, we can easily distribute these settings via Intune.
In this article, I limit myself to logins via Windows using the Microsoft Edge, Google Chrome and Mozilla Firefox browsers.
Behavior without additional settings
If a browser is not managed and installed without specific settings, device data such as the compliance status or whether a device is managed cannot be transferred to Conditional Access.
The result in "Conditional Access - Sign-in Log", in the "Device Info" tab is then as follows:
Supported browsers
Conditional Access Policies apply to all devices and browsers in principle. Device-based conditions, however, can only be evaluated on supported systems with the correct browser settings. If such a condition fails or cannot be evaluated at all, the result is the same as a denial.
Microsoft has listed the supported browsers here: Conditions in Conditional Access policy
| Operating Systems | Browsers |
|---|---|
| Windows 10+ | Microsoft Edge, Chrome, Firefox 91+ |
| Windows Server 2022 | Microsoft Edge, Chrome |
| Windows Server 2019 | Microsoft Edge, Chrome |
| iOS | Microsoft Edge, Safari (see the notes) |
| Android | Microsoft Edge, Chrome |
| macOS | Microsoft Edge, Chrome, Safari |
Configure browsers with Intune
Before the three browsers in question pass device information to Conditional Access, however, each of them needs its own configuration. The most convenient way to roll this out is via Intune.
Another advantage of this configuration is that the three browsers also support single sign-on (SSO).
Microsoft Edge
Edge is the easy case: if a current version of the browser (85+) is installed and Azure AD sign-in is configured, everything already works.
If you have not yet configured the automatic sign-in, you can do so at:
Devices > Windows > Configuration profiles ... + Create profile (Windows 10 and later, Settings catalog)
Give the policy a meaningful name such as "WIN Edge". If you already have a policy for, for example, the search engine or the "First run experience", you can also put this setting in there.
In the Settings Catalog, search for "Browser sign in" and select the device-based setting under "Microsoft Edge".
Then all you have to do is enable it and set it to "Force users to sign-in to use the browser".
As soon as the policy is assigned and applied, the device information is passed with a conditional access login:
Google Chrome
For Google Chrome, the "Windows accounts" extension must be installed.
The extension can be installed manually per user device or much easier via Intune and a Settings Catalog profile. To do this, we first need the extension ID, which we find out by opening the extension in the "Chrome Web Store". Then it can be seen in the URL:
You create the profile under:
Devices > Windows > Configuration profiles ... + Create profile (Windows 10 and later, Settings catalog)
Here you assign a meaningful name and optionally a description:
In the next step, add the setting "Configure the list of force-installed apps and extensions":
Activate this option and insert the extension ID: ppnbnpeolgkicgegkbkbjmhlideopiji
As soon as the extension is active, Google Chrome will support SSO and the device information can be seen in the conditional access log:
Mozilla Firefox
Firefox has supported Single Sign On since version 91.
All you have to do is enable the option "Allow Windows single sign-on for Microsoft, work, and school accounts". You can do this manually under "Settings > Privacy & Security > Logins and Passwords":
Or, of course, centrally via Intune. There are two ways to do this: via OMA-URI or via ADMX import.
The ADMX import route is definitely nicer visually, and the policy is presented more clearly in the portal.
Firefox policy with the ADMX templates
Intune allows us to import classic ADMX templates.
You can find the template files here: mozilla/policy-templates (github.com)
And you can import them at:
Devices > Configuration profiles > Import ADMX … + Import
First we upload the Mozilla ADMX and ADML file here.
It is important that you use the en-US version of the ADML file in each case.
Once this is uploaded you can also upload the Firefox ADMX and ADML:
Finally you will see both packages as a template in the overview.
If you have problems uploading, you can find a great troubleshooting guide by Rudy here: Troubleshoot import errors when uploading the ADMX to Intune (call4cloud.nl)
Now you can create the policy:
Devices > Windows > Configuration profiles ... + Create profile (Windows 10 and later, Templates, Imported Administrative template profile)
The easiest way to do this is to search for SSO and select "Windows SSO".
You then assign the policy to a group and after successful application, Firefox supports SSO and forwards the device information for conditional access.
Firefox policy via OMA-Uri
In order to be able to set the setting via OMA-Uri, you must import the ADMX files (also via OMA-Uri) if you have not already done so. Peter has created a wonderful guide for this: Manage Mozilla Firefox settings with Microsoft Intune | Peter Klapwijk - In The Cloud 24-7 (inthecloud247.com)
For this we create a "custom" profile:
Devices > Windows > Configuration profiles... + Create profile (Windows 10 and later, Custom)
As usual, we give the profile a meaningful name.
As OMA-Uri we add the following:
| Field | Value |
|---|---|
| Name | Firefox SSO |
| Description | Windows SSO Support for Firefox |
| OMA-URI | `./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox/WindowsSSO` |
| Data type | String |
| Value | `<enabled/>` |
After the application, the login looks identical to that of the ADMX templates.
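As an added verification step for all three browser sections above (this script is not part of the original article), the following PowerShell reads the policy registry locations that the Edge, Chrome and Firefox settings end up in on a managed Windows device and reports whether each one matches what was configured. The registry paths are the standard browser policy locations; the expected values (BrowserSignin = 2 for "Force users to sign-in", the Windows accounts extension ID in the force-install list, WindowsSSO = 1) are assumptions matching the settings chosen above.

```powershell
# Verify that the Intune browser policies for Conditional Access device info
# have landed on this device. Run in an elevated PowerShell on a managed client.

$WindowsAccountsExtensionId = 'ppnbnpeolgkicgegkbkbjmhlideopiji'  # from the Chrome Web Store URL

function Test-BrowserSsoPolicy {
    $results = @()

    # Microsoft Edge: BrowserSignin 2 = "Force users to sign-in to use the browser"
    $edge = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Edge' `
                             -Name 'BrowserSignin' -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{
        Browser = 'Microsoft Edge'; Setting = 'BrowserSignin'
        Actual  = $edge.BrowserSignin; Ok = ($edge.BrowserSignin -eq 2)
    }

    # Google Chrome: the force-install list is a set of numbered string values,
    # each "<extension id>" or "<extension id>;<update url>"
    $chromeKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'
    $forced = @()
    if (Test-Path $chromeKey) {
        $item   = Get-Item $chromeKey
        $forced = $item.GetValueNames() | ForEach-Object { $item.GetValue($_) }
    }
    $hasExt = [bool]($forced | Where-Object { $_ -like "$WindowsAccountsExtensionId*" })
    $results += [pscustomobject]@{
        Browser = 'Google Chrome'; Setting = 'ExtensionInstallForcelist'
        Actual  = ($forced -join ', '); Ok = $hasExt
    }

    # Mozilla Firefox: WindowsSSO 1 = allow Windows SSO for Microsoft accounts
    $ff = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox' `
                           -Name 'WindowsSSO' -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{
        Browser = 'Mozilla Firefox'; Setting = 'WindowsSSO'
        Actual  = $ff.WindowsSSO; Ok = ($ff.WindowsSSO -eq 1)
    }

    return $results
}

# A row with Ok = False means the corresponding Intune profile has not applied
# yet (or was assigned to the wrong group); check the profile's device status.
Test-BrowserSsoPolicy | Format-Table -AutoSize
```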
Recap
With the right settings, you can offer users single sign-on (SSO) and also benefit from more features with conditional access. Although these settings can be made relatively quickly, they must not be forgotten, otherwise problems may arise with some conditional access rules that query the "Device Info".
This is great! Thanks for taking the time to write it up. Much appreciated.
Nice and simple well done thanks