Forum Discussion
Azure AD conditional access for Edge profile sign in
- Jul 22, 2020
Sorry guys, I was a bit trigger happy with reaching out to the community! I have found the fix myself.
What I had missed was that the "Browser" option under "Client apps (preview)" was not sufficient as it does not include Modern Auth. When I added "Desktop and client apps" > "Modern authentication clients", the conditional access worked as expected.
So to prevent malicious sign-ins, as well as users from accessing their corporate Edge accounts on personal devices, the below policy settings will work. Tested on Windows 10, MacOS Catalina and iOS:
Users and groups = select as needed (make sure they all have AAD P1 to comply with license requirements)
Cloud apps or actions = "All cloud apps"
- If someone knows which cloud app is used for the Edge condition, please let me know. I have tried to do AIP only as it is used for sync, but that doesn't work. The audit log refers to "Microsoft Activity Feed Service" and "Microsoft Graph" as the "Resource", but they are not available to select in the condition. "All cloud apps" might not work for some organisations.
Conditions > Client apps (Preview) = Select "Browser" and "Mobile apps and desktop clients" > "Modern authentication clients" (recommended to also select the other ones for non-modern auth protection).
Grant = "Grant access" > "Require Hybrid Azure AD joined device"
Hope this can help other lost souls! Thanks
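The policy described above, written out as an added example with the Microsoft Graph PowerShell SDK (this is not code from the original post; the group object ID is a placeholder, and the policy is created in report-only mode so its effect on Edge profile sign-ins can be checked in the sign-in log before it is enforced):

```powershell
# Added example: the poster's Conditional Access policy as a Graph
# conditionalAccessPolicy object, created with the Microsoft Graph PowerShell SDK.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "AuditLog.Read.All"

# Placeholder: replace with the object ID of the pilot group to scope the policy to.
$scopedGroupId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName = "Edge profile sign-in requires Hybrid Azure AD joined device"
    # Report-only first; switch to "enabled" once the sign-in log shows the
    # expected matches and no unintended blocks.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeGroups = @($scopedGroupId) }
        # The post could not identify a narrower cloud app, so "All" is used.
        applications = @{ includeApplications = @("All") }
        # "browser" alone did not cover the Edge profile sign-in (modern auth);
        # adding "mobileAppsAndDesktopClients" is what made the policy apply.
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("domainJoinedDevice")   # "Require Hybrid Azure AD joined device"
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Check: list recent modern-auth client sign-ins with the resource they were
# evaluated against and whether Conditional Access applied to them.
Get-MgAuditLogSignIn -Top 20 -Filter "clientAppUsed eq 'Mobile Apps and Desktop clients'" |
    Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName,
                  ResourceDisplayName, ConditionalAccessStatus
```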
Think I've cracked this one for you - if you scope the CA policy to
"Common Data Service 00000007-0000-0000-c000-000000000000"
Then Edge logins from personal devices are being blocked.
I have a policy scoped to a single user and this single application with a requirement to be domain joined. I am not able to log into Edge, but I can still log into 365 via a browser session.
- Hap, Dec 05, 2022, Brass Contributor
That is pretty cool, but how about the other way around. We want a compliant device for all access, except for Edge sync. I'm hesitant to exclude "Common Data Service 00000007-0000-0000-c000-000000000000" from the policy that has the device compliancy grant, as this cloud app seems very generic and is probably used for more than just Edge sync functionality?
- Johannes Goerlich, Apr 29, 2024, Brass Contributor
Hi all,
it seems this gap can now also be closed by leveraging the Microsoft Edge management service (https://learn.microsoft.com/en-us/deployedge/microsoft-edge-management-service), which allows you to configure Microsoft Edge browser settings depending on the Microsoft Entra group of the signed-in work account and not based on whether the device is managed or not.
I couldn't look into this in detail but maybe there is the possibility to disable sync of passwords, credit cards, addresses etc.
Kelly_Y do you know whether this is feasible?
- Kelly_Y, May 01, 2024, Microsoft
Johannes Goerlich Hi - I just reached out to the team and they do think it is possible.
Here is a screenshot of our documentation which explains what happens when a user is logged in.
Microsoft Edge management service | Microsoft Learn
You can configure those settings in a configuration profile using the Edge management service. Thanks!
-Kelly