First post here so apology if anything missing or this has already been asked. Recently I've been testing AAD conditional access and found an unexpected behavior when using "Require approved client app" with a desktop browser. According to Microsoft this control only supports the iOS and Android for device platform condition (Ref: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/technical-reference#appro...). Seems however when enabled with a target client app: Browser, it then blocks any desktop browser from accessing OWA. Here is more info about my setup:
User assigned license: O365 Ent E3 + EMS E3 OS: Windows 10 Pro 1809
Browser: latest versions of Edge, Chrome and Firefox IP address is part of a trusted IP range list.
Conditional access policy: Users and groups: A security group with user member of same group. Cloud apps: Office 365 Exchange Online Device platform: Windows/macOS. Locations: All trusted. Client apps: Browser. Device state: Not configured. Grant: Require approved client app. Session: 0 controls selected.
When I try and login to OWA I get the error in the attached screenshot.
Has anyone seen this behavior and is it to be expected? I thought since Microsoft Edge is in the approved client app list it should at least allow access. Or maybe this is only for the mobile version? Regardless if this control only works on iOS/Android it probably shouldn't be blocking app on other device platforms.
Interested to hear your experience and thoughts.
Update: Did some further testing with iOS mobile browsers and below are the results:
Well since you have a "require" control configured, and you are not meeting the requirement (it does only apply for mobiles afaik), blocking access it the expected behavior. You can always confirm this with the support folks.
Thank you for your reply. The list with approved clients apps published by Microsoft contains Microsoft Edge. If this list is correct then it's strange why Edge is being blocked on both desktop and mobile by the conditional access policy. It should at least work on mobile. Support probably best to confirm but I thought of checking with the community if they have seen similar behavior.