Conditional Access Policy - Persistent Browser Session exemptions


We are looking at introducing Conditional Access policies with Persistent Browser sessions enabled.

Part of this particular access policy is to have it assigned to "All cloud apps". On a side note, we are also using Intune as our device management platform. The conditional access policy will eventually be assigned to all staff (once UAT is completed), which may seem a little problematic.


We are currently looking into a particular use case in which we wouldn't want to be prompted for MFA and that would be when using Microsoft Intune and Microsoft Intune Enrollment.


i.e. User A attempts to log into Apple Remote Management - fails as unable to pass through any MFA prompts.


The workaround is to have the CA policy take advantage of Trusted locations with the company's external IPs listed. In the current landscape, what happens if the user requires the device to be shipped to them?

What method on top of the persistent browser session CA policy would work?

If we exclude the above two applications, the persistent browser session will share the same state and any exclusions will not be supported, rendering this an invalid session control.

It may very well be something obvious that I have overlooked, but really could use some assistance with this one.


Thanks again.

5 Replies

@vas_ppabp_90 Sorry, not sure what you are trying to achieve here. 
Can you summarize your question? 


Not sure how to relate persistent browser sessions with MFA and enrollment. 



It's a question about having a conditional access policy targeted to all cloud apps with persistent browsing enabled - how would we deal with excluding applications that we don't have MFA to be prompted for? Additional CA policy? Group Exclusions?






You can implement your conditional access policy to exclude devices that are compliant in Microsoft Intune so that they are not prompted for MFA in that specific condition.

Another solution is to grant access in the policy and use the OR scenario, which means PASS the policy when a user performs the MFA prompt or is compliant in Microsoft Endpoint Manager:


That will only work after the device has completed the remote mobile management set up; I'm coming from a point of a refresh device being enrolled via Mac DEP enrollment.
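
The grant logic discussed in the two replies above, as an added example that is not part of the thread: a simplified model of how an OR grant (MFA or compliant device) resolves for a device that is still enrolling, plus a check for the persistent-browser scoping constraint described in the question. Key names follow the Microsoft Graph `conditionalAccessPolicy` schema; the policy, the sign-in records and the function names are constructed for illustration, and the real service evaluates many more conditions.

```python
# Simplified model of Conditional Access grant evaluation (added example).
# The policy and the sign-in records below are constructed for illustration.
POLICY = {
    "displayName": "All cloud apps: MFA or compliant device, persistent browser",
    "conditions": {
        "applications": {"includeApplications": ["All"], "excludeApplications": []}
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]},
    "sessionControls": {"persistentBrowser": {"isEnabled": True, "mode": "always"}},
}

# Constructed sign-ins: which grant controls each one is able to satisfy.
SIGN_INS = {
    "enrolled, compliant Mac": {"mfa": False, "compliantDevice": True},
    "browser sign-in with MFA": {"mfa": True, "compliantDevice": False},
    # Setup screen cannot complete an MFA prompt and the device is not managed yet.
    "device mid-enrollment": {"mfa": False, "compliantDevice": False},
}

def grant_satisfied(policy, sign_in):
    """True if the sign-in meets grantControls under its OR/AND operator."""
    grant = policy["grantControls"]
    met = [sign_in.get(control, False) for control in grant["builtInControls"]]
    return any(met) if grant["operator"] == "OR" else all(met)

def lint_persistent_browser(policy):
    """Warn when persistentBrowser is combined with app scoping or exclusions."""
    apps = policy["conditions"]["applications"]
    session = policy.get("sessionControls") or {}
    if not (session.get("persistentBrowser") or {}).get("isEnabled"):
        return []
    warnings = []
    if apps.get("includeApplications") != ["All"]:
        warnings.append("persistentBrowser expects includeApplications == ['All']")
    if apps.get("excludeApplications"):
        warnings.append("app exclusions conflict with persistentBrowser (per the question)")
    return warnings

def evaluate(policy=POLICY):
    """Map each constructed sign-in to 'grant' or 'block'."""
    return {name: "grant" if grant_satisfied(policy, s) else "block"
            for name, s in SIGN_INS.items()}

if __name__ == "__main__":
    print(lint_persistent_browser(POLICY))
    for name, outcome in evaluate().items():
        print(f"{outcome:5}  {name}")
```

The mid-enrollment sign-in is blocked under either operator, which is the gap the reply above points out: the compliant-device branch only helps once enrollment has finished.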

@vas_ppabp_90 We are also running into this issue: CA policies with persistent browser session and we are trying to implement Intune and auto register devices. Were you ever able to find a solution or workaround? Thanks