Microsoft offers many solutions and services to defend your Microsoft 365 tenancy. One of the most touted features available in Azure AD Premium P1 (and higher) is Azure Conditional Access. Conditional Access allows you to set policies that determine what type of devices, which users, and under what conditions a request to access a service may be allowed or blocked.

For example, you can set up a policy to allow any request from a trusted location (an IP address) and block access from any other location.

Conditional Access policies can be incredibly versatile, but they can also go wrong, and locking yourself out of a tenant would not be a good idea. Thus, Microsoft offers a report-only mode in which a rule is evaluated but not enforced. You can read more about Conditional Access here.

One popular way to deploy Conditional Access is to use it in conjunction with Microsoft Intune. Intune enables you to set compliance policies on devices, whether they use BitLocker or have a specific version of Windows or antivirus enabled. You can then configure a conditional access rule to grant access only to compliant devices.

Using Conditional Access to limit access only to compliant devices


This works very well and is easy to set up and deploy—until a device is denied access and you can't see why.

This issue came up for me recently. A user was denied access to SharePoint, even though the device showed as compliant. To make things more confusing, it worked perfectly on the same device using Microsoft Edge.

After successfully passing the username and password and the MFA challenge, the following was displayed.

Conditional Access failure message


To troubleshoot this further, we head into Azure Active Directory and select Users > Sign-in logs.

Use Azure AD sign in logs to troubleshoot login failures


We can set a filter to look for only the specific user we are interested in.

Setting a filter for usernames


From the list of sign-in activities, we can find a successful sign-in, open it, and look at the device details.

This is an example from Microsoft Edge. Note that it shows the version and that the device is Hybrid Azure AD joined and compliant.

Sign in on Microsoft Edge


Contrast this with a login on the same device but using Google Chrome.

Activity Details Sign in

You can clearly see that Chrome has not passed the device state through to Azure.
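The same comparison can be pulled out of the sign-in logs in bulk rather than clicking through one entry at a time. The following is an added example written for this page, not a script from the original post: it uses the Microsoft Graph PowerShell module (`Microsoft.Graph.Reports`) to list a user's recent sign-ins with the device state each browser reported, and then isolates the Conditional Access failures where no device identity was sent at all, which is exactly the Chrome symptom above. The `$Upn` value is a constructed placeholder; the script assumes you hold the `AuditLog.Read.All` and `Directory.Read.All` permissions.

```powershell
# Added example (not from the original post): compare the device state that
# each browser passed to Azure AD for one user's sign-ins.
# Assumes: Microsoft.Graph.Reports module installed; AuditLog.Read.All and
# Directory.Read.All granted. $Upn is a constructed placeholder.
$Upn = 'user@contoso.example'

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'

# Recent sign-in log entries for that user, newest first
$signIns = Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$Upn'" -Top 50 |
    Sort-Object CreatedDateTime -Descending

# One row per sign-in: which browser, and what device state it carried.
# TrustType is empty and IsCompliant/IsManaged are false when the browser
# sent no device identity (the Chrome-without-extension case).
$signIns | ForEach-Object {
    [pscustomobject]@{
        Time        = $_.CreatedDateTime
        App         = $_.AppDisplayName
        Browser     = $_.DeviceDetail.Browser
        OS          = $_.DeviceDetail.OperatingSystem
        TrustType   = $_.DeviceDetail.TrustType      # e.g. 'Hybrid Azure AD joined'
        IsCompliant = $_.DeviceDetail.IsCompliant
        IsManaged   = $_.DeviceDetail.IsManaged
        CAStatus    = $_.ConditionalAccessStatus     # success / failure / notApplied
        ErrorCode   = $_.Status.ErrorCode
    }
} | Format-Table -AutoSize

# Only the Conditional Access failures where no device ID reached Azure AD,
# together with the names of the policies that failed
$signIns |
    Where-Object { $_.ConditionalAccessStatus -eq 'failure' -and -not $_.DeviceDetail.DeviceId } |
    Select-Object CreatedDateTime, AppDisplayName,
        @{ n = 'Browser';  e = { $_.DeviceDetail.Browser } },
        @{ n = 'Policies'; e = {
            ($_.AppliedConditionalAccessPolicies | Where-Object Result -eq 'failure').DisplayName -join ', '
        } }
```

If the second table lists only Chrome (or another non-Microsoft browser) while Edge sign-ins on the same machine show a trust type and `IsCompliant = True`, the device itself is fine and the problem is the browser not presenting its identity.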

The solution, luckily, is straightforward enough. Microsoft released a Chrome extension called Windows Accounts that links your logged-on user and device info, and allows it to be passed through to Microsoft services.

Once this extension is deployed to the browser, your device state is correctly passed through, and your Conditional Access policies are extended to support Chrome.
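Installing the extension by hand on each machine does not scale, and a user can simply remove it again. The following is an added example, not part of the original post, showing how to force-install it for every Chrome profile on a Windows device through Chrome's `ExtensionInstallForcelist` policy, which is typically pushed by GPO or Intune but is written here directly to the registry so the mechanism is visible. The extension ID is the one Microsoft publishes for the Windows Accounts extension; confirm it against the Chrome Web Store listing before deploying, because a wrong ID silently installs nothing. Run elevated.

```powershell
# Added example (not from the original post): force-install the Windows
# Accounts extension via Chrome's ExtensionInstallForcelist policy.
# Assumes: running elevated on Windows; Chrome reads HKLM policy keys.
# Extension ID is Microsoft's published value for the Windows Accounts
# extension; verify it against the Web Store listing before deploying.
$ExtensionId = 'ppnbnpeolgkicgegkbkbjmhlideopiji'
$UpdateUrl   = 'https://clients2.google.com/service/update2/crx'
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'

if (-not (Test-Path $PolicyKey)) {
    New-Item -Path $PolicyKey -Force | Out-Null
}

# Entries in this key are numbered string values ("1", "2", ...) of the form
# "<extension id>;<update url>". Add ours only if it is not already listed.
$existing = Get-ItemProperty -Path $PolicyKey
$entries  = $existing.PSObject.Properties | Where-Object { $_.Name -match '^\d+$' }

if ($entries.Value -like "$ExtensionId;*") {
    Write-Host 'Windows Accounts extension is already on the force list.'
} else {
    $next = if ($entries) { ([int[]]$entries.Name | Measure-Object -Maximum).Maximum + 1 } else { 1 }
    New-ItemProperty -Path $PolicyKey -Name $next -PropertyType String `
        -Value "$ExtensionId;$UpdateUrl" | Out-Null
    Write-Host "Added force-list entry $next for the Windows Accounts extension."
}

# Verify what Chrome will see. The policy takes effect after a policy refresh
# or browser restart; chrome://policy on the client shows it as applied.
Get-ItemProperty -Path $PolicyKey | Select-Object * -ExcludeProperty PS*
```

After the policy applies, repeat a Chrome sign-in and check the sign-in log entry: the device details should now show the trust type and compliance state, the same as the Edge entry did.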

Install the Windows Accounts extension


Device information now passed to Azure AD


You may also face a similar issue using Android devices. In the company portal app, you must enable browser access.


  1. Launch the Company Portal.
  2. Go to the Settings page from the menu.
  3. In the Enable Browser Access section, tap the ENABLE button.

More information about device-based Conditional Access can be found here.

15 Comments
  1. Mel 11 months ago

    We have this extension deployed; however, it then bypasses MFA. Our conditional access policy requires compliant device and MFA to gain access, yet when this Chrome extension is enabled, the user is not required to enter username, password or MFA to access 365 apps. We find this to be a huge security hole because it offers no protection if the device is compromised. There are literally no stops in place.
    The conditional access policy will not work without this extension. Is there any way to make sure a user still needs to MFA, even if no login credentials are requested?

  2. JC 11 months ago

    Have the same issue here; extension is also installed.

  3. Dan Vespa 7 months ago

    Works like a charm! Thanks so much. 🙂

  4. NM 5 months ago

    Android device – enable browser access is automatically enabled, but it still reports not managed to Intune and won't allow browser access.

    • Author

      What type of device?

      Is it running Android Go?

      • NM 5 months ago

        Pixel 6 Pro, enrolled with Android Enterprise. Company Portal shows compliant

        • Author

          Ok. Is the app/browser in question running in the work profile?

          • NM 5 months ago

            No. I’ve been looking for clarification on this too. The certificate prompt happens when I am using Chrome outside the work profile but never indicates compliant in the Intune logs; I guess that could be it. Is there a way to make it work like this in the native Chrome browser? Ideally I would use Android DA, but that’s the old method. Currently, I only want to enforce the device compliance for access using Grant “or” compliant/joined/approved app/app protection.

            • Author

              As far as I understand you will only be able to use the work profile apps.

              • NM 5 months ago

                That would make more sense… if Intune can only see what is in the work profile. The struggle for us will be dealing with everyone that uses the native apps to save work and personal side by side… I wish there was a hybrid solution that CA could use to “secure” a BYOD/personal device that would still allow everyone’s workflow to stay how they did it previously. I guess I will keep working on a design that maintains the data security yet is not as intrusive. Thanks

  5. Nick 5 months ago

    Android device – enable browser access is automatically enabled, but it still reports not managed to Intune and won't allow browser access.

  6. JK Giplinhæg 4 months ago

    Thank you for a great guide. I still have Chrome not reporting compliance after installing the extension. Where can I start to troubleshoot then?


© 4sysops 2006 - 2023
