Forum Discussion
Azure AD conditional access for Edge profile sign in
- Jul 22, 2020
Sorry guys, I was a bit trigger happy with reaching out to the community! I have found the fix myself.
What I had missed was that the "Browser" option under "Client apps (preview)" was not sufficient as it does not include Modern Auth. When I added "Desktop and client apps" > "Modern authentication clients", the conditional access worked as expected.
So to prevent malicious sign-ins, as well as users from accessing their corporate Edge accounts on personal devices, the below policy settings will work. Tested on Windows 10, MacOS Catalina and iOS:
Users and groups = select as needed (make sure they all have AAD P1 to comply with license requirements)
Cloud apps or actions = "All cloud apps"
- If someone knows which cloud app is used for the Edge condition, please let me know. I have tried to do AIP only as it is used for sync but that doesn't work. The audit log refers to "Microsoft Activity Feed Service" and "Microsoft Graph" as the "Resource", but they are not available to select in the condition. "All cloud apps" might not work for some organisations.
Conditions > Client apps (Preview) = Select "Browser" and "Mobile apps and desktop clients" > "Modern authentication clients" (recommended to also select the other ones for non-modern auth protection).
Grant = "Grant access" > "Require Hybrid Azure AD joined device"
Hope this can help other lost souls! Thanks
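The working settings above, expressed as the Microsoft Graph conditionalAccessPolicy body you would POST to `/identity/conditionalAccess/policies`, plus a small lint for the browser-only mistake the post describes. This is an added example, not the poster's or Microsoft's code; the group ID is a constructed placeholder and the policy is built in report-only state by assumption.

```python
import json

# Endpoint the body below is meant for (creation requires Policy.ReadWrite.ConditionalAccess).
GRAPH_CA_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"


def build_edge_signin_policy(group_ids, state="enabledForReportingButNotEnforced"):
    """Graph policy body mirroring the thread's settings: all cloud apps, modern-auth
    clients included, grant only on a Hybrid Azure AD joined device."""
    return {
        "displayName": "Edge profile sign-in: require Hybrid Azure AD joined device",
        "state": state,  # assumption: start report-only, review sign-in logs, then enable
        "conditions": {
            "users": {"includeGroups": list(group_ids)},
            "applications": {"includeApplications": ["All"]},
            # "browser" alone did not catch the Edge profile sign-in (modern auth);
            # "mobileAppsAndDesktopClients" is the client app type that made it work.
            "clientAppTypes": [
                "browser",
                "mobileAppsAndDesktopClients",
                "exchangeActiveSync",  # legacy-auth types, as the post recommends
                "other",
            ],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["domainJoinedDevice"]},
    }


def lint_client_app_types(policy):
    """Findings for a policy whose client-app condition leaves sign-in paths uncovered."""
    types = set(policy["conditions"].get("clientAppTypes", []))
    findings = []
    if "mobileAppsAndDesktopClients" not in types:
        findings.append("modern-auth desktop/mobile clients (Edge profile sign-in) not covered")
    if not {"exchangeActiveSync", "other"} <= types:
        findings.append("legacy-auth client types not covered")
    return findings


if __name__ == "__main__":
    # Constructed placeholder group ID; replace with the real AAD group objectId.
    policy = build_edge_signin_policy(["00000000-0000-0000-0000-000000000001"])
    print(json.dumps(policy, indent=2))
    print("lint:", lint_client_app_types(policy) or "ok")
```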
- RafaelVieira80, Nov 06, 2020, Copper Contributor
Pontus T This is great, however this will block all access to O365/Azure from unmanaged devices.
In a BYOD scenario, for instance for SharePoint Online, users will not be able to access anything shared with them, unless you force users to register their devices within your organization.
If they have the devices already being managed by other orgs you will not be able to do it.
- JPCunningham, Dec 04, 2020, Copper Contributor
Pontus T We had the same requirement. I see you can select Office 365 discretely to include/exclude. Did you ever narrow this down from "all cloud apps"?