Jul 22 2020 06:47 AM - edited Jul 22 2020 07:08 AM
Hi Insiders! I hope this is the right channel for posting.
I cannot find details on how to configure an Azure AD conditional access policy (or something else) that prevents users from signing in to Edge (profile), using their corporate accounts, from unmanaged devices. Do you happen to know how to configure this?
I expect Edge conditional access to be available as it is a no-brainer. With new Edge, an account compromise has a lot higher impact as it will grant access to password manager, credit card details and form fills saved to the cloud profile, rather than the Windows credential manager (which was the case with legacy Edge). Not really sure why Microsoft is not communicating this new major risk factor unless I have missed something.
Without a way of blocking, a malicious actor can simply sign in to a compromised account from a random device's Edge client, and get access to all the saved passwords, history, favourites, credit cards, etc. This also often includes user's personal credentials and details that they save when prompted.
Setting a AAD conditional access policy that has "all cloud apps" selected, as well as all options under "client apps", with the condition to "Grant" access, but "Require Azure AD Joined device", does not block sign in to Edge from a personal device. I guess that Edge is not seen as a "cloud app", but at the same time, the sign in is to a cloud profile, and the sync is connected with AIP, which in turn is part of cloud apps.
I am currently stopping the sync in the pilot deployment using MEM policy. This helps somewhat, but blocking sync is not possible on the iOS app as far as I know. So passwords saved via mobile can still be compromised. In addition, I want to use sync to make the PC/mobile experience seamless. But activating sync is a huge risk unless I can block sign in completely as needed.
Hope I have just missed something as I would not expect any enterprise or security conscious customers to implement Edge without this in place.
Thank you for your help!
Jul 22 2020 08:25 AM - edited Jul 22 2020 08:27 AM
Sorry guys, I was a bit trigger happy with reaching out to the community! I have found the fix myself.
What I had missed was that the "Browser" option under "Client apps (preview)" was not sufficient as it does not include Modern Auth. When I added "Desktop and client apps" > "Modern authentication clients", the conditional access worked as expected.
So to prevent malicious sign-ins, as well as users from accessing their corporate Edge accounts on personal devices, the below policy settings will work. Tested on Windows 10, MacOS Catalina and iOS:
Users and groups = select as needed (make sure they all have AAD P1 to comply with license requirements)
Cloud apps or actions = "All cloud apps"
Conditions > Client apps (Preview) = Select "Browser" and "Mobile apps and desktop clients" > "Modern authentication clients" (recommended to also select the other ones for non-modern auth protection).
Grant = "Grant access" > "Require Hybrid Azure AD joined device"
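To make the accepted answer concrete, here is an added example (not from the original post or from Microsoft) that builds the same policy as a Microsoft Graph `conditionalAccess/policies` request body and models, in a deliberately simplified evaluator, why the browser-only version missed the Edge profile sign-in. It assumes the Graph enum values `browser`, `mobileAppsAndDesktopClients` and `domainJoinedDevice`, a constructed group id, and, following the thread, that the Edge profile sign-in presents as a modern-auth desktop/mobile client rather than a browser.

```python
"""Conditional Access policy from the accepted answer as a Graph body, plus a
simplified scope/grant model. The model is an illustration, not Entra's engine."""
from typing import Dict, List

# Graph clientAppTypes values; "domainJoinedDevice" is the builtInControl for
# "Require Hybrid Azure AD joined device".
ALL_CLIENT_APP_TYPES = ["browser", "mobileAppsAndDesktopClients",
                        "exchangeActiveSync", "other"]


def build_policy(group_ids: List[str], client_app_types: List[str],
                 state: str = "enabledForReportingButNotEnforced") -> Dict:
    """Return a POST body for /identity/conditionalAccess/policies.
    Default state is report-only so the policy can be validated before enforcing."""
    return {
        "displayName": "Require hybrid-joined device for corporate sign-in",
        "state": state,
        "conditions": {
            "users": {"includeGroups": group_ids},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": client_app_types,
        },
        "grantControls": {"operator": "OR",
                          "builtInControls": ["domainJoinedDevice"]},
    }


def policy_in_scope(policy: Dict, sign_in: Dict) -> bool:
    """Policy applies when the user's group, the target app and the client
    app type all match the policy conditions."""
    cond = policy["conditions"]
    apps = cond["applications"]["includeApplications"]
    return (sign_in["group"] in cond["users"]["includeGroups"]
            and ("All" in apps or sign_in["app"] in apps)
            and sign_in["client_app_type"] in cond["clientAppTypes"])


def access_granted(policy: Dict, sign_in: Dict) -> bool:
    """Out-of-scope sign-ins are untouched; in-scope ones must satisfy the
    domainJoinedDevice control."""
    if not policy_in_scope(policy, sign_in):
        return True
    return sign_in["hybrid_joined"]


# Constructed sample: Edge profile sign-in from a personal (unjoined) laptop.
EDGE_ON_PERSONAL_PC = {"group": "grp-edge-pilot", "app": "edge-profile-sync",
                       "client_app_type": "mobileAppsAndDesktopClients",
                       "hybrid_joined": False}
```

Run `access_granted` with a `["browser"]`-only policy versus `ALL_CLIENT_APP_TYPES` to see the gap the original poster hit: the first leaves the sign-in out of scope, the second blocks it until the device is hybrid joined.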
Nov 06 2020 03:33 AM
@Pontus T This is great, however this will block all access to O365/Azure from unmanaged devices.
In a BYOD scenario, for instance for SharePoint Online, users will not be able to access anything shared with them, unless you force users to register their devices within your organization.
If they have the devices already being managed by other orgs you will not be able to do it.
Dec 04 2020 06:58 AM
@Pontus T We had the same requirement. I see you can select Office 365 discretely to include/exclude. Did you ever narrow this down from "all cloud apps"?
May 01 2024 01:30 PM
@Johannes Goerlich Hi - I just reached out to the team and they do think it is possible.
Here is a screenshot of our documentation which explains what happens when a user is logged in.
Microsoft Edge management service | Microsoft Learn
You can configure those settings in a configuration profile using the Edge management service. Thanks!
-Kelly