cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Azure AD conditional access for Edge profile sign in

Pontus T
Iron Contributor

‎Jul 22 2020 06:47 AM - edited ‎Jul 22 2020 07:08 AM

‎Jul 22 2020 06:47 AM - edited ‎Jul 22 2020 07:08 AM

Azure AD conditional access for Edge profile sign in

Hi Insiders! I hope this is the right channel for posting.

 

I cannot find details on how to configure an Azure AD conditional access policy (or something else) that prevents users from signing in to Edge (profile), using their corporate accounts, from unmanaged devices. Do you happen to know how to configure this?

 

I expect Edge conditional access to be available as it is a no-brainer. With new Edge, an account compromise has a lot higher impact as it will grant access to password manager, credit card details and form fills saved to the cloud profile, rather than the Windows credential manager (which was the case with legacy Edge). Not really sure why Microsoft is not communicating this new major risk factor unless I have missed something.

 

Without a way of blocking, a malicious actor can simply sign in to a compromised account from a random device's Edge client, and get access to all the saved passwords, history, favourites, credit cards, etc. This also often includes user's personal credentials and details that they save when prompted.

 

Setting a AAD conditional access policy that has "all cloud apps" selected, as well as all options under "client apps", with the condition to "Grant" access, but "Require Azure AD Joined device", does not block sign in to Edge from a personal device. I guess that Edge is not seen as a "cloud app", but at the same time, the sign in is to a cloud profile, and the sync is connected with AIP, which in turn is part of cloud apps.

 

I am currently stopping the sync in the pilot deployment using MEM policy. This helps somewhat, but blocking sync is not possible on the iOS app as far as I know. So passwords saved via mobile can still be compromised. In addition, I want to use sync to make the PC/mobile experience seamless. But activating sync is a huge risk unless I can block sign in completely as needed.

 

Hope I have just missed something as I would not expect any enterprise or security conscious customers to implement Edge without this in place.

 

Thank you for your help!

13.9K Views
0 Likes
5 Replies
Reply
5 Replies
best response confirmed by Pontus T (Iron Contributor)
Pontus T

‎Jul 22 2020 08:25 AM - edited ‎Jul 22 2020 08:27 AM

‎Jul 22 2020 08:25 AM - edited ‎Jul 22 2020 08:27 AM

Solution

Re: Azure AD conditional access for Edge profile sign in

Sorry guys, I was a bit trigger happy with reaching out to the community! I have found the fix myself.

 

What I had missed was that the "Browser" option under "Client apps (preview)" was not sufficient as it does not include Modern Auth. When I added "Desktop and client apps" > "Modern authentication clients", the conditional access worked as expected.

 

So to prevent malicious sign-ins, as well as users from accessing their corporate Edge accounts on personal devices, the below policy settings will work. Tested on Windows 10, MacOS Catalina and iOS:

 

Users and groups = select as needed (make they all have AAD P1 to comply with license requirements)

Cloud apps or actions = "All cloud apps"

  • If someone know which cloud app is used for the Edge condition, please let me know. I have tried to do AIP only as it is used for sync but that doesn't work. The audit log refers to "Microsoft Activity Feed Service" and "Microsoft Graph" as the "Resource", but they are not available to select in the condition. "All cloud apps" that might not work for some organisations.

Conditions > Client apps (Preview) = Select "Browser" and "Mobile apps and desktop clients" > "Modern authentication clients" (recommended to also select the other ones for non-modern auth protection).

Grant = "Grant access" > "Require Hybrid Azure AD joined device"

 
Hope this can help other lost souls! Thanks
2 Likes
Reply
RafaelVieira80

‎Nov 06 2020 03:33 AM

‎Nov 06 2020 03:33 AM

Re: Azure AD conditional access for Edge profile sign in

@Pontus T This is great however this will block all acess to O365/Azure from unmanaged devices.

In a BYOD scenario, for instance for Sharepoint online, users will not be able to acess anything shared with them, unless you force users to register their devices within your organization.
if they have the devices already being managed by other orgs you will not be able to do it.

1 Like
Reply
JPCunningham

‎Dec 04 2020 06:58 AM

‎Dec 04 2020 06:58 AM

Re: Azure AD conditional access for Edge profile sign in

@Pontus T We had the same requirement.  I see you can select Office 365 discretely to include/exclude.  Did you ever narrow this down from "all cloud apps"?

0 Likes
Reply
JasonRUK

‎Aug 02 2022 02:41 AM

‎Aug 02 2022 02:41 AM

Re: Azure AD conditional access for Edge profile sign in

Hi,
Think I've cracked this one for you - if you scope the CA policy to
"Common Data Service
00000007-0000-0000-c000-000000000000"

Then Edge logins from personal devices are being blocked.
I have a policy scoped to a single user and this single application with a requirement to be domain joined. I am not able to log into Edge, but I can still log into 365 via a browser session.
0 Likes
Reply
Hap

‎Dec 05 2022 07:03 AM

‎Dec 05 2022 07:03 AM

Re: Azure AD conditional access for Edge profile sign in

That is pretty cool, but how about the other way around. We want a compliant device for all access, except for Edge sync. I'm hesitant to exclude "Common Data Service 00000007-0000-0000-c000-000000000000" from the policy that has the device compliancy grant, as this cloud app seems very generic and is probably used for more than just Edge sync functionality?
0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by Pontus T (Iron Contributor)
Pontus T

‎Jul 22 2020 08:25 AM - edited ‎Jul 22 2020 08:27 AM

‎Jul 22 2020 08:25 AM - edited ‎Jul 22 2020 08:27 AM

Solution

Re: Azure AD conditional access for Edge profile sign in

Sorry guys, I was a bit trigger happy with reaching out to the community! I have found the fix myself.

 

What I had missed was that the "Browser" option under "Client apps (preview)" was not sufficient as it does not include Modern Auth. When I added "Desktop and client apps" > "Modern authentication clients", the conditional access worked as expected.

 

So to prevent malicious sign-ins, as well as users from accessing their corporate Edge accounts on personal devices, the below policy settings will work. Tested on Windows 10, MacOS Catalina and iOS:

 

Users and groups = select as needed (make they all have AAD P1 to comply with license requirements)

Cloud apps or actions = "All cloud apps"

  • If someone know which cloud app is used for the Edge condition, please let me know. I have tried to do AIP only as it is used for sync but that doesn't work. The audit log refers to "Microsoft Activity Feed Service" and "Microsoft Graph" as the "Resource", but they are not available to select in the condition. "All cloud apps" that might not work for some organisations.

Conditions > Client apps (Preview) = Select "Browser" and "Mobile apps and desktop clients" > "Modern authentication clients" (recommended to also select the other ones for non-modern auth protection).

Grant = "Grant access" > "Require Hybrid Azure AD joined device"

 
Hope this can help other lost souls! Thanks

View solution in original post

2 Likes
Reply