Problem with Conditional Access rule Use app-enforced Restrictions for browser access.

Iron Contributor
I have a problem with a Conditional Access rule called:
Use app-enforced Restrictions for browser access.
 
I can't get it to work properly. I followed all the documentation I could find, but it doesn't work.
 
In the conditions I have set the following.
1. Locations: all locations, excluding trusted locations.
2. Client apps: I selected Browser and Other Clients.
3. Device state: all device states, excluding devices marked compliant.
 
Under access control I selected Use app enforced restrictions.
 
The weird thing is that this Conditional Access rule does function as expected on a compliant Mac but not on Windows 10 devices.
 
In the sign-in logs I noticed the following.
 
When I log in on a Mac with, for example, the Chrome browser, all fields in the Device Info of the sign-in logs, such as Compliant, are filled with info. But when I sign in from any browser on a compliant Windows 10 device, only the fields Browser and Operating System are filled.
 
I somehow get the feeling that because of the missing info in the device info, the Conditional Access rule thinks that the Windows 10 device is not compliant.
 
In Google Chrome I have the Windows 10 Accounts extension and in Edge I am signed in.
21 Replies

@RonaldvdMeer Hi Ronald,

Hard to troubleshoot these kinds of issues. The issue is that when no Device ID is sent, no compliance check is done.
But what is the cause.... No idea from this place.

Unfortunately I have a client with the exact same issue, already on two devices. After opening a case with Intune support it got closed eventually because the MFA device state is (still) in preview.

 

The user is currently using Chrome as a workaround to make sure app enforced restrictions are not applied.

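Added example, not part of the original posts: a small triage script for the symptom discussed in this thread, separating sign-ins where the browser passed no device identity (so compliance was never evaluated) from sign-ins where the device was identified but is not compliant. It assumes the sign-in log export is JSON shaped like the Microsoft Graph `signIn` resource (`deviceDetail.deviceId`, `isCompliant`, `operatingSystem`, `browser`); the records below are constructed sample data.

```python
import json

# Constructed sample records, assumed to follow the Microsoft Graph signIn shape.
SAMPLE_SIGNINS = json.loads("""[
 {"id": "constructed-1", "clientAppUsed": "Browser",
  "deviceDetail": {"deviceId": "00000000-0000-0000-0000-000000000001",
                   "operatingSystem": "MacOs", "browser": "Chrome 80.0.3987",
                   "isCompliant": true, "isManaged": true}},
 {"id": "constructed-2", "clientAppUsed": "Browser",
  "deviceDetail": {"deviceId": "", "operatingSystem": "Windows 10",
                   "browser": "Chrome 80.0.3987",
                   "isCompliant": null, "isManaged": null}},
 {"id": "constructed-3", "clientAppUsed": "Browser",
  "deviceDetail": {"deviceId": "00000000-0000-0000-0000-000000000003",
                   "operatingSystem": "Windows 10", "browser": "Edge 80.0.361",
                   "isCompliant": true, "isManaged": true}},
 {"id": "constructed-4", "clientAppUsed": "Browser",
  "deviceDetail": {"deviceId": "00000000-0000-0000-0000-000000000004",
                   "operatingSystem": "Windows 10", "browser": "Edge 80.0.361",
                   "isCompliant": false, "isManaged": true}}
]""")


def classify(signin):
    """Say how the device identified itself in this sign-in record."""
    dev = signin.get("deviceDetail") or {}
    if not (dev.get("deviceId") or "").strip():
        # No device ID in the record: the policy had no device state to
        # evaluate, so the session is treated like an unmanaged device.
        return "no-device-identity"
    if dev.get("isCompliant") is True:
        return "compliant"
    return "identified-not-compliant"


def summarize(signins):
    """Group sign-in ids by (operating system, browser family, classification)."""
    groups = {}
    for s in signins:
        dev = s.get("deviceDetail") or {}
        browser = (dev.get("browser") or "unknown").split(" ")[0]
        key = (dev.get("operatingSystem") or "unknown", browser, classify(s))
        groups.setdefault(key, []).append(s["id"])
    return groups


if __name__ == "__main__":
    for key, ids in sorted(summarize(SAMPLE_SIGNINS).items()):
        print(key, ids)
```

A cluster of `no-device-identity` results for one OS and browser combination points at the browser not passing device identity rather than at the device's compliance state in Intune.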