
Conditional Access Device Info / State

Conditional Access policies that query "Device Info", such as the compliance status or a device filter, do not work natively in all browsers. Since devices that have a compliance status are managed anyway, the required browser settings can easily be distributed via Intune.
In this article I limit myself to sign-ins from Windows using the Microsoft Edge, Google Chrome and Mozilla Firefox browsers.


Behavior without additional settings

If a browser is installed without the specific settings described below, device data such as the compliance status or whether the device is managed cannot be passed to Conditional Access.

In the Conditional Access sign-in log, the "Device Info" tab then looks as follows:

Sign-in, Microsoft Edge, no SSO
Sign-in, Google Chrome, no SSO
Sign-in, Mozilla Firefox, no SSO
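To see which browser sign-ins in your own tenant still arrive without device state, the same sign-in log can be queried via Microsoft Graph. This is an added example, not part of the original article; it assumes the Microsoft.Graph PowerShell module and the AuditLog.Read.All permission, and it treats a sign-in with an empty deviceId in "Device Info" as one that a device-based policy could not evaluate.

```powershell
# Added example (not from the original article): count Windows browser sign-ins of the
# last 7 days per browser and report how many of them carried no device information.
# Assumes the Microsoft.Graph module and the AuditLog.Read.All permission.
Connect-MgGraph -Scopes "AuditLog.Read.All"

$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$uri   = "https://graph.microsoft.com/v1.0/auditLogs/signIns?`$filter=createdDateTime ge $since&`$top=999"

# Follow @odata.nextLink until all pages are collected
$signIns = @()
do {
    $page     = Invoke-MgGraphRequest -Method GET -Uri $uri
    $signIns += $page.value
    $uri      = $page.'@odata.nextLink'
} while ($uri)

$signIns |
    Where-Object { $_.clientAppUsed -eq 'Browser' -and $_.deviceDetail.operatingSystem -like 'Windows*' } |
    Group-Object { $_.deviceDetail.browser -replace ' \d.*$' } |      # "Edge 120.0.0" -> "Edge"
    ForEach-Object {
        # deviceId stays empty when the browser did not pass device state (the "no SSO" case above)
        $withoutInfo = ($_.Group | Where-Object { [string]::IsNullOrEmpty($_.deviceDetail.deviceId) }).Count
        [pscustomobject]@{
            Browser           = $_.Name
            SignIns           = $_.Count
            WithoutDeviceInfo = $withoutInfo
        }
    } |
    Sort-Object WithoutDeviceInfo -Descending |
    Format-Table -AutoSize
```

Rows with a high WithoutDeviceInfo count point at browsers (or user groups) for which the Intune configuration below has not yet been applied.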

Supported browsers

Conditional Access policies work on all devices and browsers in principle. However, device-based conditions can only be evaluated on supported systems with the correct settings. If such a condition cannot be evaluated, the result is the same as a failed check: the sign-in is rejected.

Microsoft has listed the supported browsers here: Conditions in Conditional Access policy

Operating system      Browsers
Windows 10+           Microsoft Edge, Chrome, Firefox 91+
Windows Server 2022   Microsoft Edge, Chrome
Windows Server 2019   Microsoft Edge, Chrome
iOS                   Microsoft Edge, Safari (see the notes)
Android               Microsoft Edge, Chrome
macOS                 Microsoft Edge, Chrome, Safari

As of January 2023

Configure browsers with Intune

To have the device information passed for the three browsers in question, each browser must be configured separately. This works best via Intune.
A further advantage of this configuration is that all three browsers then also support single sign-on (SSO).

Microsoft Edge

Edge is the easy case: if a current version of the browser (85+) is installed and Azure AD sign-in is configured, everything already works.

If you have not yet configured the automatic sign-in, you can do so at:
Devices > Windows > Configuration profiles ... + Create profile (Windows 10 and later, Settings catalog)

Give the policy a meaningful name such as "WIN Edge". If you already have a policy for, for example, the search engine or the "First run experience", you can also add this setting there.

In the Settings Catalog, search for "Browser sign in" and select the device-based setting under "Microsoft Edge".
Then you only have to enable it and set it to "Force users to sign-in to use the browser".

Settings catalogue, Edge
Settings catalog, Force users to sign-in to use the browser

As soon as the policy is assigned and applied, the device information is passed on a Conditional Access sign-in:

Edge sign-in log

Google Chrome

With Google Chrome, the "Windows accounts" extension must be installed.
The extension can be installed manually per user and device, or much more easily via Intune and a Settings Catalog profile. For this we first need the extension ID, which we find by opening the extension in the Chrome Web Store; it is then visible in the URL:

Windows Account Extension ID
Extension ID: ppnbnpeolgkicgegkbkbjmhlideopiji

You create the profile under:
Devices > Windows > Configuration profiles ... + Create profile (Windows 10 and later, Settings catalog)

Here you assign a meaningful name and optionally a description:

Settings catalogue, Google Chrome

In the next step, add the setting "Configure the list of force-installed apps and extensions":

Configure the list of force-installed apps and extensions

Enable this option and enter the extension ID: ppnbnpeolgkicgegkbkbjmhlideopiji

Chrome Extension, Microsoft SSO

As soon as the extension is active, Google Chrome supports SSO and the device information appears in the Conditional Access log:

Sign in Log, Google Chrome

Mozilla Firefox

Firefox has supported single sign-on since version 91.
All you have to do is enable the setting "Allow Windows single sign-on for Microsoft, work, and school accounts". You can do this manually under "Settings > Privacy & Security > Logins and Passwords":

Firefox, Allow Windows single sign-on for Microsoft, work, and school accounts

Or, of course, centrally via Intune. There are two ways: via OMA-URI or via ADMX import.
The ADMX route is visually nicer, and the policy is presented more clearly in the portal.

Firefox policy with the ADMX templates

Intune allows us to import classic ADMX templates.
You can find the template files here: mozilla/policy-templates (github.com)

And you can import them at:
Devices > Configuration profiles > Import ADMX … + Import

First, upload the Mozilla ADMX and ADML file here.
It is important that you use the en-US version of the ADML file in each case.

Mozilla ADMX Upload

Once this is uploaded you can also upload the Firefox ADMX and ADML:

Firefox ADMX Upload

Finally, you see both packages as templates in the overview.

Mozilla Firefox ADMX Templates Intune

If you have problems uploading, you can find a great troubleshooting guide by Rudy here: Troubleshoot import errors when uploading the ADMX to Intune (call4cloud.nl)

Now you can create the policy:
Devices > Windows > Configuration profiles ... + Create profile (Windows 10 and later, Templates, Imported Administrative template profile)

The easiest way is to search for "SSO" and select "Windows SSO".

Intune, Firefox SSO

You then assign the policy to a group; after it has been applied successfully, Firefox supports SSO and forwards the device information for Conditional Access.

Conditional Access Log Firefox

Firefox policy via OMA-URI

To set this via OMA-URI, you must first import the ADMX files (also via OMA-URI) if you have not already done so. Peter has written an excellent guide for this: Manage Mozilla Firefox settings with Microsoft Intune | Peter Klapwijk - In The Cloud 24-7 (inthecloud247.com)

For these we create a "custom" profile:
Devices > Windows > Configuration profiles... + Create profile (Windows 10 and later, Custom)

As usual, we give the profile a meaningful name.
As OMA-URI, add the following:

Name:        Firefox SSO
Description: Windows SSO Support for Firefox
OMA-URI:     ./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox/WindowsSSO
Data type:   String
Value:       <enabled/>  (the standard value for switching on an ADMX-backed policy that has no further parameters)

After the policy is applied, the sign-in looks identical to that with the ADMX templates.

Sign-in Log, Mozilla Firefox
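The same "Custom" profile can also be created and assigned through Microsoft Graph instead of the portal, which is handy when the setting has to be rolled out to several tenants. This is an added example, not code from the original article; it assumes the Microsoft.Graph PowerShell module, the DeviceManagementConfiguration.ReadWrite.All permission, and a placeholder group ID that you replace with your own.

```powershell
# Added example (not from the original article): create the Firefox SSO custom profile
# via Graph and assign it to a group. Assumes the Microsoft.Graph module.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

$customProfile = @{
    "@odata.type" = "#microsoft.graph.windows10CustomConfiguration"
    displayName   = "WIN Firefox SSO"
    description   = "Windows SSO Support for Firefox"
    omaSettings   = @(
        @{
            "@odata.type" = "#microsoft.graph.omaSettingString"
            displayName   = "Firefox SSO"
            description   = "Windows SSO Support for Firefox"
            # ADMX-backed policy path from the ingested Firefox template (see the table above)
            omaUri        = "./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox/WindowsSSO"
            # An ADMX-backed policy without parameters is switched on with <enabled/>
            value         = "<enabled/>"
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations" `
    -Body ($customProfile | ConvertTo-Json -Depth 5) -ContentType "application/json"

# Assign the new profile to a device group; the group ID below is a placeholder
$assignment = @{
    assignments = @(
        @{
            target = @{
                "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
                groupId       = "00000000-0000-0000-0000-000000000000"   # placeholder, replace
            }
        }
    )
}

Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 5) -ContentType "application/json"
```

The ADMX files must already have been ingested in the tenant, otherwise the device reports an error for the OMA-URI at the next sync.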

Recap

With the right settings, you can offer users single sign-on (SSO) and also benefit from more Conditional Access features. Although these settings are made relatively quickly, they must not be forgotten; otherwise, Conditional Access rules that query "Device Info" will cause problems.
