SOLVED

Azure AD conditional access for Edge profile sign in


Hi Insiders! I hope this is the right channel for posting.

 

I cannot find details on how to configure an Azure AD conditional access policy (or something else) that prevents users from signing in to Edge (profile), using their corporate accounts, from unmanaged devices. Do you happen to know how to configure this?

 

I expect Edge conditional access to be available as it is a no-brainer. With new Edge, an account compromise has a lot higher impact as it will grant access to password manager, credit card details and form fills saved to the cloud profile, rather than the Windows credential manager (which was the case with legacy Edge). Not really sure why Microsoft is not communicating this new major risk factor unless I have missed something.

 

Without a way of blocking, a malicious actor can simply sign in to a compromised account from a random device's Edge client, and get access to all the saved passwords, history, favourites, credit cards, etc. This also often includes user's personal credentials and details that they save when prompted.

 

Setting an AAD conditional access policy that has "all cloud apps" selected, as well as all options under "client apps", with the condition to "Grant" access, but "Require Azure AD Joined device", does not block sign in to Edge from a personal device. I guess that Edge is not seen as a "cloud app", but at the same time, the sign in is to a cloud profile, and the sync is connected with AIP, which in turn is part of cloud apps.

 

I am currently stopping the sync in the pilot deployment using MEM policy. This helps somewhat, but blocking sync is not possible on the iOS app as far as I know. So passwords saved via mobile can still be compromised. In addition, I want to use sync to make the PC/mobile experience seamless. But activating sync is a huge risk unless I can block sign in completely as needed.

 

Hope I have just missed something as I would not expect any enterprise or security conscious customers to implement Edge without this in place.

 

Thank you for your help!

1 Reply
Best Response confirmed by Pontus T (Contributor)
Solution

Sorry guys, I was a bit trigger happy with reaching out to the community! I have found the fix myself.

 

What I had missed was that the "Browser" option under "Client apps (preview)" was not sufficient as it does not include Modern Auth. When I added "Desktop and client apps" > "Modern authentication clients", the conditional access worked as expected.

 

So to prevent malicious sign-ins, as well as users from accessing their corporate Edge accounts on personal devices, the below policy settings will work. Tested on Windows 10, MacOS Catalina and iOS:

 

Users and groups = select as needed (make sure they all have AAD P1 to comply with license requirements)

Cloud apps or actions = "All cloud apps"

  • If someone knows which cloud app is used for the Edge condition, please let me know. I have tried to do AIP only as it is used for sync but that doesn't work. The audit log refers to "Microsoft Activity Feed Service" and "Microsoft Graph" as the "Resource", but they are not available to select in the condition. "All cloud apps" might not work for some organisations.

Conditions > Client apps (Preview) = Select "Browser" and "Mobile apps and desktop clients" > "Modern authentication clients" (recommended to also select the other ones for non-modern auth protection).

Grant = "Grant access" > "Require Hybrid Azure AD joined device"

 
Hope this can help other lost souls! Thanks
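The policy settings in the accepted answer, expressed as a Microsoft Graph `conditionalAccessPolicy` body, as an added example that is not part of the original thread. It puts the "Browser"-only variant the author first tried beside the corrected one and evaluates a constructed Edge profile sign-in against both; the group id is a placeholder and the evaluator is a simplified model of how client app type and the Hybrid Azure AD joined grant interact, not the real evaluation engine.

```python
# Added example (not from the original post): builds the Conditional Access
# policy described in the thread as a Microsoft Graph conditionalAccessPolicy
# body and evaluates constructed sign-in events against it, to show why the
# "Browser"-only variant misses an Edge profile sign-in while adding
# "Modern authentication clients" closes the gap.
import json

GROUP_ID = "00000000-0000-0000-0000-000000000000"  # placeholder pilot group id


def build_policy(client_app_types, name="Block Edge profile sign-in on unmanaged devices"):
    """Graph API body for POST /identity/conditionalAccess/policies.
    The enum values are the Graph names of the portal options in the thread."""
    return {
        "displayName": name,
        "state": "enabledForReportingButNotEnforced",  # start in report-only
        "conditions": {
            "users": {"includeGroups": [GROUP_ID]},
            "applications": {"includeApplications": ["All"]},  # "All cloud apps"
            "clientAppTypes": client_app_types,
        },
        # "Grant access" > "Require Hybrid Azure AD joined device"
        "grantControls": {"operator": "OR", "builtInControls": ["domainJoinedDevice"]},
    }


# The two variants the post compares: the first attempt and the working one.
BROWSER_ONLY = build_policy(["browser"])
CORRECTED = build_policy(["browser", "mobileAppsAndDesktopClients",
                          "exchangeActiveSync", "other"])


def evaluate(policy, signin):
    """Simplified model: return 'allow', 'block' or 'not_in_scope' for a
    constructed sign-in {'clientAppType': str, 'hybridJoined': bool}."""
    types = policy["conditions"]["clientAppTypes"]
    if "all" not in types and signin["clientAppType"] not in types:
        return "not_in_scope"  # the policy never applies to this client type
    if "domainJoinedDevice" in policy["grantControls"]["builtInControls"] \
            and not signin["hybridJoined"]:
        return "block"
    return "allow"


# Constructed sign-in: Edge profile sign-in from a personal (not hybrid-joined)
# device. Per the thread it is matched by "Modern authentication clients"
# (mobileAppsAndDesktopClients), not by the "Browser" client app type.
EDGE_PERSONAL = {"clientAppType": "mobileAppsAndDesktopClients", "hybridJoined": False}

if __name__ == "__main__":
    print(json.dumps(CORRECTED, indent=2))
    print("browser-only:", evaluate(BROWSER_ONLY, EDGE_PERSONAL))  # not_in_scope
    print("corrected:   ", evaluate(CORRECTED, EDGE_PERSONAL))     # block
```

Deploy in report-only first and confirm in the sign-in logs that the Edge profile sign-ins are being matched before switching the state to `enabled`.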