Sep 26 2020
- last edited on
Jan 14 2022
We are looking at introducing Conditional Access policies with Persistent Browser sessions enabled.
Part of this particular access policy is to have it assigned to "All cloud apps". On a side note, we are also using Intune as our device management platform. The conditional access policy will eventually be assigned to all staff (Once UAT completed) - which may seem a little problematic.
We are currently looking into a particular use case in which we wouldn't want to be prompted for MFA and that would be when using Microsoft Intune and Microsoft Intune Enrollment.
i.e. User A attempts to log into Apple Remote Management - fails as unable to pass through any MFA prompts.
Workaround is to have the CA policy take advantage of Trusted locations with the company's external IPs listed. In the current landscape, what happens if the user requires the device to be shipped to them.
What method on top of the persistent browser session CA policy would work?
If we exclude the above two applications, the persistent browser session will share the same state and any exclusions will not be supported, rendering this an invalid session control.
It may very well be something obvious that I have overlooked, but really could use some assistance with this one.
Sep 29 2020 06:30 AM
@vas_ppabp_90 Sorry, not sure what you are trying to achieve here.
Can you summarize your question?
Not sure how to relate persistent browser sessions with MFA and enrollment.
Sep 29 2020 03:21 PM
Its a question about having a conditional access policy targeted to all cloud apps with persistent browsing enabled - how would we deal with excluding applications that we don't have MFA to be prompted for? Additional CA policy? Group Exclusions?
Sep 30 2020 01:26 AM
You can implement your conditional access policy to exclude devices that are compliant in Microsoft Intune so that they are not prompted for MFA in that specific condition.
Another solution is to grant access in the policy and use the OR scenario which means PASS the policy when a user performs MFA prompt or is compliant in Microsoft Endpoint Manager:
Oct 15 2020 02:48 AM
Jun 23 2022 08:18 AM
@vas_ppabp_90 We are also running into this issue: CA policies with persistent browser session and we are trying to implement Intune and auto register devices. Were you ever able to find a solution or workaround? Thanks