InTune Conditional Access mobile blocking Edge Sign In


Hello!

We are trying to set up MAM policies in Intune. We want only whitelisted applications allowed. At the start, this will be the O365 apps and a few other internal SSO apps.

The issue is, in order to only allow access to 5 apps/systems, we need to put in a Block All and then add exclusions. I've done this. However, I am unable to get the browser side working, as signing into Edge is blocked.


I want to use Edge as the browser app, but with the block all, it doesn't allow users to sign into Edge, so they can't get to the SSO sites via Edge. I do know which CA policy is doing it, I just don't know which item to add to it for an exclusion.

Anyone know how to exclude the Edge sign in from Conditional Access? I'm not sure what service/application it actually is.


I've included a screen shot of the sign in log.


Thanks.


9 Replies
How did you target the conditional access policy? All cloud apps or office 365 apps ?

@FryC260 

You can try "What if" feature to better understand how policies will affect your users.

The Conditional Access What If tool - Azure Active Directory - Microsoft Entra | Microsoft Docs

@Rudy_Ooms_MVP The Conditional Access Policy is targeted to all Apps. Reason for this is because we need a specific whitelist of apps that are allowed to be accessed. In order to accomplish this, the only way I've found to only allow specific apps is to block all, then add exclusions as needed.

I'm familiar with the What If, but Microsoft Edge is not an option in the apps to test. There is clearly a service tied to Edge that is included, but I don't know which one so I can add it to the exclusion list.
I know... but you can't select Edge as a cloud app in the exclude list... :(... some time ago that was the same for the Microsoft Store API 🙂 ... Not sure if it could work... but a long, long time ago I added the ID/GUID with PowerShell

https://call4cloud.nl/2020/11/the-conditional-access-experiment/
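The GUID-via-PowerShell route mentioned above can be done with the Microsoft Graph PowerShell SDK. The script below is an added example for this thread, not code from any of the posters or from call4cloud.nl. Its logic is: Conditional Access evaluates the resource a client asks a token for, not the client itself, so the sign-in log's ResourceId (not "Microsoft Edge" as an app) is what belongs in the exclusion list. It assumes the Microsoft.Graph.Reports and Microsoft.Graph.Identity.SignIns modules are installed; the UPN, policy display name and the GUID are placeholders you replace with values from your own sign-in log.

```powershell
# Added example for this thread (not from the original posts or call4cloud.nl).
# Assumes the Microsoft Graph PowerShell SDK is installed.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All", "Application.Read.All", "Policy.ReadWrite.ConditionalAccess"

# Step 1: inspect the failed sign-ins for a test user and list the resource each
# request was for. The value to exclude is the ResourceId, not the client AppId.
$upn = "testuser@contoso.example"   # placeholder: your test user

$failed = Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$upn'" -Top 100 |
    Where-Object { $_.ConditionalAccessStatus -eq 'failure' }

$failed | Select-Object CreatedDateTime, AppDisplayName, AppId, ResourceDisplayName, ResourceId,
    @{ n = 'BlockingPolicies'; e = {
        ($_.AppliedConditionalAccessPolicies | Where-Object { $_.Result -eq 'failure' }).DisplayName -join '; '
    } } | Format-Table -AutoSize

# Step 2: add that ResourceId to the "Block All" policy's exclusion list.
# Copy the GUID from the ResourceId column above; the value here is a placeholder.
$policyName = "Block all cloud apps - MAM"              # placeholder: your block-all policy
$resourceId = "00000000-0000-0000-0000-000000000000"   # placeholder: ResourceId from step 1

$policy = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$policyName'"
if (-not $policy) { throw "Policy '$policyName' not found" }

# Build the new exclusion list without duplicates.
$exclude = @($policy.Conditions.Applications.ExcludeApplications) + $resourceId |
    Where-Object { $_ } | Select-Object -Unique

# PATCH replaces the whole applications object, so carry includeApplications over
# ("All" in this thread) instead of sending only the exclusion list.
$body = @{
    conditions = @{
        applications = @{
            includeApplications = @($policy.Conditions.Applications.IncludeApplications)
            excludeApplications = @($exclude)
        }
    }
}
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -BodyParameter $body

# Step 3: re-read the policy and confirm the exclusion landed.
(Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id).Conditions.Applications.ExcludeApplications
```

Run step 1 first and only step 2 after you have confirmed which ResourceDisplayName is the one Edge's sign-in fails on; a single Edge sign-in may request several resources, each showing as its own row. Exclude the narrowest resource that makes the sign-in succeed, since every GUID added here is a hole in the block-all policy that the What If tool will then show as allowed.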
I know I can't select Edge in the exclude list. But using another example, I can't exclude Microsoft Outlook either. But I can block or allow its function using Exchange_Online.

What service is Edge using for the sync that is getting blocked? Surely I can't be the only person in the entire world who wants a strict whitelist of access applications, and wants to force all web apps into Edge. This is MAM/MDM 101. 🙂
Did you get this solved? I also have this and was wondering what services Edge uses for blocking/unblocking sign in.
Did you ever figure this out? Super annoyed that Edge still isn't in the **bleep** list of apps or that the "Block All Cloud Apps" prevents it. Microsoft is so **bleep** stupid sometimes.

@DBR14 -- Not really. Ended up inverting the whole thing. So we basically set Intune to block everything, then we just allowed users in based on an access group. Essentially saying "ok" to access on your mobile if you have access on your computer.

We did put in some policies for the Microsoft cloud apps, and a few requirements for other apps. But just left everything else with some basic requirements.

I was moved into another area in my company, so haven't looked at mobile Intune in about 18 months.