Conditional Access Device Info / State

Conditional Access Policies that query "Device Info" such as the compliance status or a filter do not work natively in all browsers. Since devices that have a compliance status are mostly managed anyway, we can easily distribute these settings via Intune.
In this article, I limit myself to logins via Windows using the Microsoft Edge, Google Chrome and Mozilla Firefox browsers.

Table of Contents

• Behavior without additional settings
• Supported browsers
• Configure browsers with Intune
  • Microsoft Edge
  • Google Chrome
  • Mozilla Firefox
• Recap

Behavior without additional settings

If a browser is not managed and installed without specific settings, device data such as the compliance status or whether a device is managed cannot be transferred to Conditional Access.

The result in "Conditional Access - Sign-in Log", in the "Device Info" tab is then as follows:

Supported browsers

Conditional Access Policies basically work on all devices and browsers. However, device policies can only be validated on supported systems with the correct settings. If such a rule fails or cannot be evaluated, this corresponds to a rejection.

Microsoft has listed the supported browsers here: Conditions in Conditional Access policy

Configure browsers with Intune

However, in order to be able to call up the device information for the three desired browsers, a configuration must be made for each browser. Of course, this works best via Intune.
Another advantage of this configuration is that the three browsers also support single sign-on (SSO).

Microsoft Edge

It's easy for you here, if you have installed a current version of the browser (version 85+) and configured the AAD signing, everything already works here.

If you have not yet configured the automatic sign-in, you can do so at:
Devices > Windows > Configuration profiles ... + Create profile (Windows 10 and later, Settings catalog)

Give the policy a meaningful name such as "WIN Edge". If you already have a guideline for, for example, the search engine or "First run experience", you can also put this setting in there.

In the Settings Catalog, look for "Browser sign in" and select the device-based policy under "Microsoft Edge" out.
You then only have to activate it and click "Force users to sign-in to use the browser" set.

As soon as the policy is assigned and applied, the device information is passed with a conditional access login:

Google Chrome

With Google Chrome, the extension "Windows accounts" to be installed.
The extension can be installed manually per user device or much easier via Intune and a Settings Catalog profile. To do this, we first need the extension ID, which we find out by opening the extension in the "Chrome Web Store". Then it can be seen in the URL:

You create the profile under:
Devices > Windows > Configuration profiles ... + Create profile (Windows 10 and later, Settings catalog)

Here you assign a meaningful name and optionally a description:

In the next step you add the setting "Configure the list of force-installed apps and extensions" added:

Activate this option and insert the extension ID: ppnbnpeolgkicgegkbkbjmhlideopiji

As soon as the extension is active, Google Chrome will support SSO and the device information can be seen in the conditional access log:

Mozilla Firefox

Firefox has supported Single Sign On since version 91.
All you have to do is select the "Allow Windows single sign-on for Microsoft, work, and school accounts" activate. You can do this either manually under "Settings > Privacy & Security > Logins and Passwords" do:

Or of course centrally via Intune. There are two ways, either via OMA-Uri or via ADMX import.
The way via ADMX import is definitely visually nicer and the guideline is presented more beautifully.

Firefox policy with the ADMX templates

Intune allows us to import classic ADMX templates.
You can find the template files here: mozilla/policy-templates (github.com)

And you can import them at:
Devices > Configuration profiles > Import ADMX … + Import

First we upload the Mozilla ADMX and ADML file here.
It is important that you use the ADML files in each case en-US version use.

Once this is uploaded you can also upload the Firefox ADMX and ADML:

Finally you will see both packages as a template in the overview.

If you have problems uploading, you can find a great troubleshooting guide by Rudy here: Troubleshoot import errors when uloading the ADMX to Intune (call4cloud.nl)

Now you can create the policy:
Devices > Windows > Configuration profiles ... + Create profile (Windows 10 and later, Templates, Imported Administrative template profile)

The easiest way to do this is to search for SSO and select "Windows SSO".

You then assign the policy to a group and after successful application, Firefox supports SSO and forwards the device information for conditional access.

Firefox policy via OMA-Uri

In order to be able to set the setting via OMA-Uri, you must import the ADMX files (also via OMA-Uri) if you have not already done so. Peter has created a wonderful guide for this: Manage Mozilla Firefox settings with Microsoft Intune | Peter Klapwijk - In The Cloud 24-7 (inthecloud247.com)

For these we create a "custom" profile:
Devices > Windows > Configuration profiles... + Create profile (Windows 10 and later, Custom)

As usual, we give the profile a meaningful name.
As OMA-Uri we add the following:

After the application, the login looks identical to that of the ADMX templates.

Recap

With the right settings, you can offer users single sign-on (SSO) and also benefit from more features with conditional access. Although these settings can be made relatively quickly, they must not be forgotten, otherwise problems may arise with some conditional access rules that query the "Device Info".