
AAD conditional access - unexpected behavior with "Require approved client app" control

IloDar
New Contributor

Hi all,

First post here, so apologies if anything is missing or this has already been asked. Recently I've been testing AAD conditional access and found an unexpected behavior when using "Require approved client app" with a desktop browser. According to Microsoft this control only supports iOS and Android for the device platform condition (Ref: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/technical-reference#appro...). It seems, however, that when it is enabled with target client app: Browser, it then blocks any desktop browser from accessing OWA. Here is more info about my setup:
User assigned license: O365 Ent E3 + EMS E3
OS: Windows 10 Pro 1809

Browser: latest versions of Edge, Chrome and Firefox
IP address is part of a trusted IP range list.
Conditional access policy:
Users and groups: A security group with user member of same group.
Cloud apps: Office 365 Exchange Online
Device platform: Windows/macOS.
Locations: All trusted.
Client apps: Browser.
Device state: Not configured.
Grant: Require approved client app.
Session: 0 controls selected.
When I try to log in to OWA I get the error in the attached screenshot.

Has anyone seen this behavior, and is it to be expected? I thought since Microsoft Edge is in the approved client app list it should at least allow access. Or maybe this is only for the mobile version? Regardless, if this control only works on iOS/Android it probably shouldn't be blocking apps on other device platforms.

Interested to hear your experience and thoughts.

Update: Did some further testing with iOS mobile browsers and below are the results:

- Safari = no access

- Edge = no access

- Intune Managed Browser = access working

2 Replies

Well, since you have a "require" control configured and you are not meeting the requirement (it only applies to mobiles, afaik), blocking access is the expected behavior. You can always confirm this with the support folks.
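The reply above is the key point: a grant control that can only be satisfied on iOS/Android, scoped to Windows/macOS, is a policy that can never be met. The following is an added example (not code from the thread or from Microsoft) that lints policies for exactly that misconfiguration; the policy objects are constructed to mirror the Microsoft Graph conditionalAccessPolicy shape, and the first one reproduces the poster's configuration.

```python
"""Flag Conditional Access policies whose approved/compliant client app grant is
scoped to platforms on which that control can never be satisfied."""

# Platforms on which the approved/compliant client app grants can be met
# (the iOS/Android-only support the thread refers to).
MOBILE_PLATFORMS = {"iOS", "android"}
APP_GRANTS = {"approvedApplication", "compliantApplication"}
ALL_PLATFORMS = {"iOS", "android", "windows", "macOS", "linux", "windowsPhone"}


def unsatisfiable_platforms(policy):
    """Return the targeted platforms that cannot meet the policy's app grant.

    An empty set means the policy is fine: it has no app grant, or the grant
    operator is OR and another control (e.g. mfa) can satisfy it instead."""
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls") or [])
    if not controls & APP_GRANTS:
        return set()
    if grant.get("operator") == "OR" and controls - APP_GRANTS:
        return set()  # "require one of": another control can still pass
    platforms = (policy.get("conditions") or {}).get("platforms") or {}
    include = set(platforms.get("includePlatforms") or [])
    exclude = set(platforms.get("excludePlatforms") or [])
    if "all" in include or not include:  # unconfigured condition = all platforms
        include = set(ALL_PLATFORMS)
    return (include - exclude) - MOBILE_PLATFORMS


def lint_policies(policies):
    """Return (displayName, sorted offending platforms) for each enabled policy."""
    findings = []
    for p in policies:
        if p.get("state") == "disabled":
            continue
        bad = unsatisfiable_platforms(p)
        if bad:
            findings.append((p["displayName"], sorted(bad)))
    return findings


# Constructed sample input; the first entry is the poster's policy.
SAMPLE_POLICIES = [
    {"displayName": "OWA browser - require approved app", "state": "enabled",
     "conditions": {"platforms": {"includePlatforms": ["windows", "macOS"]},
                    "clientAppTypes": ["browser"]},
     "grantControls": {"operator": "OR", "builtInControls": ["approvedApplication"]}},
    {"displayName": "Mobile - require approved app", "state": "enabled",
     "conditions": {"platforms": {"includePlatforms": ["iOS", "android"]},
                    "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"]},
     "grantControls": {"operator": "OR", "builtInControls": ["approvedApplication"]}},
]

if __name__ == "__main__":
    for name, plats in lint_policies(SAMPLE_POLICIES):
        print(f"{name}: approved-app grant cannot be met on {', '.join(plats)}")
```

Against real tenant data, feed the output of a Graph query for conditionalAccessPolicies into `lint_policies`; the desktop-scoped policy is reported while the mobile-only one is not.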

Hi Vasil,

Thank you for your reply. The list of approved client apps published by Microsoft contains Microsoft Edge. If this list is correct then it's strange that Edge is being blocked on both desktop and mobile by the conditional access policy. It should at least work on mobile. Support is probably best placed to confirm, but I thought of checking with the community to see if they have seen similar behavior.

Thanks.
